**CRITICAL**: Use for ALL CVE discovery and listing. DO NOT call get_cves directly. Use when: "show critical CVEs", "CVEs on hostname X", "remediatable vulnerabilities", "impact of CVE-X", risk assessment. NOT for remediation (use `/remediation`). System-level: FIRST reply = pagination prompt (Step -1). Parsing: references/01-cve-response-parser.py.
55
62%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./rh-sre/skills/cve-impact/SKILL.md
Quality
Discovery
89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is functionally effective for skill selection, with strong trigger terms, clear 'Use when' and 'NOT for' clauses that establish boundaries well. Its main weakness is that the specificity of concrete actions could be improved—it focuses more on routing logic and implementation details (pagination prompt, parser reference) than on describing what the skill actually does for the user. The implementation details (Step -1, parser path) are internal concerns that don't help with skill selection.
Suggestions
Replace implementation details ('FIRST reply = pagination prompt (Step -1). Parsing: references/01-cve-response-parser.py') with concrete user-facing capabilities like 'Lists CVEs by severity, filters by hostname, assesses risk impact, identifies remediatable vulnerabilities'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain (CVE discovery and listing) and mentions some actions like discovery, listing, risk assessment, and parsing, but doesn't list multiple concrete actions in detail. It's more about routing than describing capabilities. | 2 / 3 |
| Completeness | Clearly answers both 'what' (CVE discovery and listing) and 'when' (explicit 'Use when' clause with trigger phrases, plus a 'NOT for' exclusion clause that further clarifies boundaries). The explicit trigger guidance is present and well-structured. | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms users would actually say: 'show critical CVEs', 'CVEs on hostname X', 'remediatable vulnerabilities', 'impact of CVE-X', 'risk assessment'. These cover multiple realistic user phrasings. | 3 / 3 |
| Distinctiveness Conflict Risk | Very clearly distinguished from related skills by explicitly stating 'NOT for remediation (use /remediation)' and specifying it's for CVE discovery/listing only. The exclusion clause and specific trigger terms make conflicts unlikely. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
35%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill has a well-defined workflow structure with important safety gates (HITL pagination prompts, MCP validation) and good reference file organization. However, it suffers severely from redundancy—MCP tools are listed three times, the HITL prompt appears three times, and multiple sections cover the same routing logic. Steps 6 and 7 are incomplete stubs that undermine the otherwise detailed workflow.
Suggestions
Consolidate MCP tool listings into a single authoritative section (either Prerequisites, Dependencies, or Tools Reference—not all three) and reference it from the other locations.
Remove the duplicate HITL prompt from Step 1's 'CRITICAL: System-Level' section since Step -1 already covers this identically, or clearly explain the relationship between them.
Flesh out Steps 6 (Impact Analysis) and 7 (Remediation Readiness Check) with concrete guidance, output formats, or explicit references to files containing the details.
Trim the 'When to Use This Skill' section to a compact decision table rather than two verbose bullet lists explaining routing logic.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose with massive redundancy. The HITL pagination prompt appears three times (Step -1, Step 1 flow 02, Step 1 flow 03). Prerequisites, MCP tools, and dependencies are listed three separate times with overlapping information. The 'When to Use This Skill' section explains routing logic that could be a 3-line table. Document consultation instructions repeat the same boilerplate pattern across every step. | 1 / 3 |
| Actionability | Provides concrete MCP tool names, parameters, and expected output formats, which is good. However, much of the actual executable guidance is deferred to reference files (flow files, parser guide, output templates, examples, error handling). Steps 6 and 7 are essentially empty stubs with no concrete instructions. The parser invocation commands are concrete and copy-paste ready, but core workflow steps rely on external files. | 2 / 3 |
| Workflow Clarity | The workflow has clear step numbering and the HITL gate is well-defined with explicit validation checkpoints (MCP validation, user confirmation). However, Steps 6 and 7 are skeletal with no real guidance. The relationship between Step -1 and the duplicate HITL in Step 1 is confusing—it's unclear if both execute or if Step -1 replaces the Step 1 HITL. The flow selection table in Step 1 is helpful but the surrounding duplication creates ambiguity about the actual execution path. | 2 / 3 |
| Progressive Disclosure | Good use of reference files for flows, parsing, output templates, examples, and error handling with a clear reference table. However, the SKILL.md itself is bloated with content that should be in reference files (e.g., the full Dependencies section duplicates the Prerequisites section and the Tools Reference section). Three sections essentially list the same MCP tools. The structure would benefit from consolidating redundant sections and pushing more detail to references. | 2 / 3 |
| Total | 7 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
27852c0