Analyzes CVE reachability in software repositories by examining how vulnerable dependencies are imported and used. Determines whether vulnerable components, classes, or functions are reachable from project code through call chain analysis, reflection detection, dynamic loading patterns, and configuration-gated behavior. Classifies each CVE as likely reachable, possibly reachable, or likely unreachable with supporting evidence. Use when analyzing security vulnerabilities in dependencies, performing post-disclosure CVE triage, assessing vulnerability impact, or when users ask to analyze CVE reachability, check if vulnerabilities are exploitable, or evaluate dependency security risks.
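As an added example (not part of the skill or of this Tessl page), the following Python sketch shows the core of what such an analysis does for a Python project: find how the vulnerable dependency is imported, build a call graph, search for a chain from an entry point to the vulnerable symbol, note reflection and dynamic-loading sites, and issue one of the three verdicts. The package `vulnlib`, its `parse` function, the sample modules, the entry-point set and the verdict heuristics are all constructed assumptions for the demonstration.

```python
"""Minimal static CVE reachability triage over Python sources (constructed example).
`vulnlib.parse` is a hypothetical CVE-affected symbol; the sample modules are strings."""
import ast
from dataclasses import dataclass, field

VULN_MODULE, VULN_SYMBOL = "vulnlib", "parse"  # assumed vulnerable dependency / function
ENTRY_POINTS = {"main"}                         # assumed program entry points
DYNAMIC_LOADERS = {"import_module", "__import__", "getattr", "load_module"}  # reflection / dynamic loading

# Constructed sample project: main() -> handle() -> vulnlib.parse(), plus a plugin loader.
SAMPLE_PROJECT = {
    "app.py": (
        "import vulnlib\n\n"
        "def main():\n    return handle(load())\n\n"
        "def load():\n    return ' x '.strip()\n\n"
        "def handle(data):\n    return vulnlib.parse(data)\n"
    ),
    "plugins.py": (
        "import importlib\n\ndef load_plugin(name):\n"
        "    return getattr(importlib.import_module(name), 'parse')\n"
    ),
}

@dataclass
class Evidence:
    imports: list = field(default_factory=list)       # import sites of the vuln module
    direct_calls: list = field(default_factory=list)  # callers of the vuln symbol
    call_chain: list = field(default_factory=list)    # entry point -> ... -> vuln symbol
    dynamic: list = field(default_factory=list)       # reflection / dynamic loading sites

def _call_name(call):
    """Dotted name of a call target, e.g. 'vulnlib.parse' or 'importlib.import_module'."""
    f, parts = call.func, []
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))

def analyze(project):
    """Return (verdict, Evidence) for a {filename: source} mapping."""
    ev, aliases, graph = Evidence(), set(), {}
    trees = {name: ast.parse(src) for name, src in project.items()}

    # Pass 1: how is the dependency imported? Aliases are pooled across modules (over-approximation).
    for name, tree in trees.items():
        for node in ast.walk(tree):
            if isinstance(node, ast.Import):
                for a in node.names:
                    if a.name.split(".")[0] == VULN_MODULE:
                        aliases.add(f"{a.asname or a.name}.{VULN_SYMBOL}")
                        ev.imports.append(f"{name}: import {a.name}")
            elif isinstance(node, ast.ImportFrom) and (node.module or "").split(".")[0] == VULN_MODULE:
                for a in node.names:
                    ev.imports.append(f"{name}: from {node.module} import {a.name}")
                    if a.name == VULN_SYMBOL:
                        aliases.add(a.asname or a.name)

    # Pass 2: call graph over top-level functions; direct calls and dynamic-loading sites become evidence.
    for name, tree in trees.items():
        for func in (n for n in tree.body if isinstance(n, ast.FunctionDef)):
            callees = set()
            for node in ast.walk(func):
                if not isinstance(node, ast.Call):
                    continue
                target = _call_name(node)
                callees.add(target)
                if target in aliases:
                    ev.direct_calls.append(f"{name}:{func.name} -> {target}")
                if target.rsplit(".", 1)[-1] in DYNAMIC_LOADERS:
                    ev.dynamic.append(f"{name}:{func.name} uses {target}")
            graph[func.name] = callees

    # Pass 3: depth-first search from each entry point for a path to the symbol.
    def find_path(node, seen):
        if node in seen:
            return None
        for callee in sorted(graph.get(node, ())):
            if callee in aliases:
                return [node, callee]
            sub = find_path(callee, seen | {node})
            if sub:
                return [node] + sub
        return None

    for entry in sorted(ENTRY_POINTS):
        ev.call_chain = find_path(entry, frozenset()) or []
        if ev.call_chain:
            break
    return classify(ev), ev

def classify(ev):
    """Three-tier verdict; thresholds are this example's own heuristics."""
    if ev.call_chain:
        return "likely reachable"    # concrete path from an entry point
    if ev.direct_calls:
        return "possibly reachable"  # called, but not from a known entry point
    if ev.imports and ev.dynamic:
        return "possibly reachable"  # imported, and reflection could reach it
    return "likely unreachable"
```

Running `analyze(SAMPLE_PROJECT)` yields `likely reachable` with the chain `main -> handle -> vulnlib.parse` and the two dynamic-loading sites in `plugins.py` as supporting evidence. A project that calls the symbol only from code no entry point reaches, or that imports the module and touches it only through `importlib.import_module`/`getattr`, drops to `possibly reachable`; one that never imports it is `likely unreachable`. Real triage then layers on what this static sketch cannot see: configuration gates around the call, whether attacker-influenced data actually flows into it, and whether the declared entry points are the ones the deployed service runs.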
Install with Tessl CLI
npx tessl i github:ArabelaTso/Skills-4-SE --skill cve-reachability-analyzer88
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skill
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly articulates a specialized security analysis capability. It provides specific technical actions (call chain analysis, reflection detection), concrete outputs (three-tier classification with evidence), and comprehensive trigger guidance covering multiple user scenarios. The description uses appropriate third-person voice throughout and balances technical precision with natural language triggers.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'examining how vulnerable dependencies are imported and used', 'call chain analysis', 'reflection detection', 'dynamic loading patterns', 'configuration-gated behavior', and classifies CVEs into three categories with 'supporting evidence'. | 3 / 3 |
| Completeness | Clearly answers both what (analyze CVE reachability through call chain analysis, reflection detection, etc., classifying as reachable/unreachable) AND when with explicit 'Use when...' clause covering multiple trigger scenarios including 'analyzing security vulnerabilities', 'CVE triage', and 'check if vulnerabilities are exploitable'. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'CVE', 'security vulnerabilities', 'dependencies', 'vulnerability impact', 'exploitable', 'dependency security risks', 'CVE triage', 'CVE reachability'. These are terms security professionals naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche focused specifically on CVE reachability analysis in dependencies. The combination of 'CVE', 'reachability', 'call chain analysis', and vulnerability classification creates a clear, unique domain unlikely to conflict with general security or code analysis skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 70%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured skill with excellent workflow clarity and progressive disclosure. The main weaknesses are moderate verbosity (explaining concepts Claude knows) and lack of concrete, executable code examples - the skill describes what to do rather than showing specific code patterns for common languages. The output format template is helpful but the analysis steps would benefit from inline code snippets.
Suggestions
Add concrete code examples for at least 2-3 common languages (e.g., Python import tracing, Java reflection detection) instead of deferring all specifics to reference files
Remove explanatory text that Claude already knows (e.g., 'Reachability ≠ exploitability', definitions of CVE fields) to reduce token usage
Include a minimal executable example in the 'Example Usage' section showing actual code/commands rather than describing the process abstractly
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is reasonably efficient but includes some unnecessary explanation (e.g., explaining what CVE information contains, basic concepts like 'Reachability ≠ exploitability'). The workflow steps could be more condensed, and some sections repeat information that Claude would already understand. | 2 / 3 |
| Actionability | The skill provides structured guidance with clear steps but lacks concrete, executable code examples. The 'Example Usage' section describes a process abstractly rather than showing actual code. References to language-specific patterns defer to external files without inline examples. | 2 / 3 |
| Workflow Clarity | The 9-step workflow is clearly sequenced with explicit decision points (early exits in Step 2), validation checkpoints, and clear classification criteria in Step 8. The progression from dependency verification through import analysis to call chain tracing is logical and includes feedback considerations. | 3 / 3 |
| Progressive Disclosure | Excellent structure with a clear overview, well-organized workflow steps, and appropriate references to external files (reachability_patterns.md, language_guide.md, cve_analysis.md) for detailed information. References are one level deep and clearly signaled with descriptive labels. | 3 / 3 |
| Total | | 10 / 12 Passed |
Validation: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.