
sca-audit

Scan project dependencies for known vulnerabilities (CVEs). Use when reviewing dependency files (package.json, requirements.txt, go.mod, pom.xml, Gemfile, Cargo.toml, etc.), triaging Dependabot/Renovate alerts, or performing pre-deployment security checks.

69

Quality: 84% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security by Snyk: Passed, no known issues


Quality

Discovery

89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description with excellent trigger term coverage and completeness. It clearly defines both what the skill does and when to use it, with specific dependency file types and tool names that serve as effective triggers. The only minor weakness is that the 'what' portion could enumerate more specific actions beyond just 'scan for CVEs'.

Suggestions

Consider expanding the capability list with additional concrete actions like 'suggest version upgrades, assess severity levels, generate remediation plans' to improve specificity.

Dimension scores (reasoning, score):

Specificity (2 / 3): The description names the domain (dependency vulnerability scanning) and one core action (scan for CVEs), but doesn't list multiple concrete actions like 'identify outdated packages, suggest remediation versions, generate vulnerability reports'.

Completeness (3 / 3): Clearly answers both 'what' (scan project dependencies for known vulnerabilities/CVEs) and 'when' (explicit 'Use when' clause covering reviewing dependency files, triaging alerts, or performing pre-deployment security checks).

Trigger Term Quality (3 / 3): Excellent coverage of natural trigger terms: 'vulnerabilities', 'CVEs', specific dependency file names (package.json, requirements.txt, go.mod, pom.xml, Gemfile, Cargo.toml), 'Dependabot', 'Renovate', 'security checks', 'pre-deployment'. These are terms users would naturally use.

Distinctiveness / Conflict Risk (3 / 3): Highly distinctive with a clear niche: dependency vulnerability scanning. The specific file types, tool names (Dependabot/Renovate), and CVE focus make it very unlikely to conflict with other skills like general code review or deployment skills.

Total: 11 / 12, Passed

Implementation

79%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-crafted, concise skill that provides actionable scanner commands across multiple ecosystems and a clear workflow sequence. Its main weaknesses are the lack of validation/feedback loops in the workflow (e.g., verifying scan completeness or post-remediation verification) and unverifiable references to bundle files that aren't provided. The analysis and dependency health steps could benefit from a brief example of expected output format.

Suggestions

Add a validation/verification step after remediation (e.g., 're-run the scanner to confirm vulnerabilities are resolved') to close the feedback loop.

Include a brief inline example of the output format or a sample finding entry, since the referenced `templates/finding.md` is not available in the bundle.

Dimension scores (reasoning, score):

Conciseness (3 / 3): Every section is lean and purposeful. No unnecessary explanations of what CVEs are, what dependency files do, or how scanners work. The tool preference list is dense, but each entry earns its place by covering a different ecosystem.

Actionability (3 / 3): Provides specific, executable commands for multiple ecosystems (osv-scanner, npm audit, pip-audit, govulncheck, trivy) with correct flags and output format options. The fallback guidance (stop and ask the user to install) is concrete and practical, and the OSV.dev link for individual triage is a useful specific pointer.

Workflow Clarity (2 / 3): Steps are clearly sequenced (identify → scan → analyze → health check), and there's a good guard rail for missing tools. However, there are no explicit validation checkpoints or feedback loops: e.g., no step to verify scanner output is valid/complete, no retry logic if a scan partially fails, and no verification step after applying remediation commands.

Progressive Disclosure (2 / 3): References `plays/tier1-code-analysis/sca-audit.md` and `templates/finding.md` for deeper content, which is good progressive disclosure design. However, no bundle files are provided, so these references are unverifiable and potentially broken. The main content is well-structured, but the output section could benefit from an inline example or a link to a sample report.

Total: 10 / 12, Passed

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository
OWASP/secure-agent-playbook
Reviewed
