
cve-impact

**CRITICAL**: Use for ALL CVE discovery and listing. DO NOT call get_cves directly. Use when: "show critical CVEs", "CVEs on hostname X", "remediatable vulnerabilities", "impact of CVE-X", risk assessment. NOT for remediation (use `/remediation`). System-level: FIRST reply = pagination prompt (Step -1). Parsing: references/01-cve-response-parser.py.

69

Quality: 62% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security by Snyk: Passed, no known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./rh-sre/skills/cve-impact/SKILL.md

Quality

Discovery: 89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a functional and well-targeted skill description that excels at routing clarity—it includes explicit trigger terms, a clear 'Use when' clause, and a helpful exclusion boundary. Its main weakness is that the specificity of concrete actions is somewhat thin (it focuses more on when to use it than what it actually does), and it includes implementation details (pagination prompt, parser reference) that are more internal than descriptive.

Suggestions

Add more concrete action descriptions beyond 'discovery and listing'—e.g., 'Searches for CVEs by hostname, severity, remediability status; provides risk assessments and impact details for specific CVE IDs.'

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | The description names the domain (CVE discovery and listing) and mentions some actions like discovery, listing, risk assessment, and parsing, but doesn't list multiple concrete actions in detail. It's more about routing than describing specific capabilities. | 2 / 3 |
| Completeness | Clearly answers both 'what' (CVE discovery and listing) and 'when' (explicit 'Use when' clause with trigger phrases, plus a 'NOT for' exclusion clause that further clarifies scope). The explicit trigger guidance is present and detailed. | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms users would actually say: 'show critical CVEs', 'CVEs on hostname X', 'remediatable vulnerabilities', 'impact of CVE-X', 'risk assessment'. These cover multiple realistic user phrasings. | 3 / 3 |
| Distinctiveness Conflict Risk | Very clearly scoped to CVE discovery/listing with an explicit exclusion ('NOT for remediation, use /remediation'), which sharply distinguishes it from related skills. The warning about not calling get_cves directly also helps define its unique role. | 3 / 3 |
| Total | | 11 / 12 |

Passed

Implementation: 35%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill has a solid structural foundation with clear HITL gates, validation checkpoints, and reference file organization, but is severely undermined by extreme redundancy—tool descriptions appear 3-4 times, the pagination prompt appears 3 times, and multiple sections restate the same information. Steps 6 and 7 are incomplete stubs that break workflow continuity. The skill would benefit enormously from deduplication and consolidating repeated content into single authoritative locations.

Suggestions

- Eliminate redundancy: Define MCP tools once (in Dependencies or a reference file) and reference that single location from workflow steps instead of repeating parameters in Prerequisites, Steps, Dependencies, and Tools Reference.
- Consolidate the HITL pagination prompt to a single location (e.g., a reference file or Step -1 only) and reference it from Step 1 flows instead of duplicating the full prompt text three times.
- Flesh out Steps 6 and 7 with concrete guidance, specific output formats, or explicit references to files that contain the details—current one-liners are not actionable.
- Remove the Best Practices section (generic advice Claude already knows) and the redundant Tools Reference section to reduce token usage by ~30%.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | Extremely verbose with massive redundancy. The HITL pagination prompt appears three times (Step -1, Step 1 flow 02, Step 1 flow 03). MCP tool parameters and descriptions are listed in Prerequisites, individual steps, Dependencies, AND Tools Reference sections—quadruple repetition. Best practices are generic platitudes Claude already knows. The skill could be cut by 50%+ without losing information. | 1 / 3 |
| Actionability | Provides specific MCP tool names, parameter formats, and expected output templates, which is good. However, Steps 6 and 7 are vague one-liners with no concrete guidance. The document consultation pattern is concrete but repetitive. No executable code examples for the actual MCP tool calls—only output format templates are shown. | 2 / 3 |
| Workflow Clarity | The workflow has clear step numbering and the HITL gate is well-defined with explicit anti-patterns. However, Steps 6 and 7 are skeletal stubs that break the workflow's completeness. The relationship between Step -1 and Step 1's HITL prompts is confusing—it's unclear when each applies, creating potential for double-prompting. Validation is present (Step 0, MCP validator) but the overall flow has gaps. | 2 / 3 |
| Progressive Disclosure | Good use of reference files for flows, parsing, output templates, examples, and error handling with a clear reference table. However, without bundle files to verify, references can't be validated. The main file itself is bloated with content that should be in references (e.g., the full HITL prompts repeated multiple times, tool parameter details repeated across sections). The Dependencies section largely duplicates Prerequisites and Tools Reference. | 2 / 3 |
| Total | | 7 / 12 |

Passed

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 |

Passed

Repository: RHEcosystemAppEng/agentic-collections
Reviewed
