cve-impact

**CRITICAL**: Use for ALL CVE discovery and listing. DO NOT call get_cves directly. Use when: "show critical CVEs", "CVEs on hostname X", "remediatable vulnerabilities", "impact of CVE-X", risk assessment. NOT for remediation (use `/remediation`). System-level: FIRST reply = pagination prompt (Step -1). Parsing: references/01-cve-response-parser.py.

Quality

—

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Advisory

Suggest reviewing before use

Quality

Content

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A highly actionable, well-gated workflow body weakened by significant duplication and by broken 'Document Consultation' references to docs/ files that are absent from the bundle. Consolidating the repeated HITL/validator/tool content and fixing or removing the dead references would materially raise quality.

Suggestions

De-duplicate the HITL pagination prompt (currently repeated in Step -1 and the post-Step-1 'CRITICAL' section) and the MCP tool/validator lists (Prerequisites, Dependencies, Tools Reference) into single authoritative locations.

Fix the broken 'Document Consultation (REQUIRED)' references — docs/references/cvss-scoring.md, docs/insights/insights-api.md, docs/insights/fleet-management.md, docs/insights/vulnerability-logic.md, docs/references/skill-invocation.md, and ../mcp-lightspeed-validator/SKILL.md do not exist in the bundle; either add the files or remove/redirect the instructions.

Move the inline CVE-metadata and affected-systems output templates (Steps 2-5) into references/03-output-templates.md and reference them, instead of duplicating the templates inline.

Dimension	Reasoning	Score
Conciseness	The body is operational and avoids explaining concepts Claude already knows, but repeats the same HITL pagination prompt nearly verbatim three times, restates validator instructions three times, and lists the MCP tools three times (Prerequisites, Dependencies, Tools Reference) — material that should be de-duplicated.	2 / 3
Actionability	Provides copy-paste-ready HITL prompts, concrete MCP tool names with exact parameters, and executable parser commands with real filter env vars (FILTER_REMEDIATABLE=1, OUTPUT=report) — fully actionable guidance.	3 / 3
Workflow Clarity	Steps -1 through 7 are clearly sequenced with an explicit mandatory HITL gate, MCP validation with PASS/PARTIAL/FAILED feedback loops, and stated anti-patterns; the batch pagination operation has a validation checkpoint, avoiding the batch-operation cap.	3 / 3
Progressive Disclosure	Existing references/ files are well-signaled one level deep via the Reference Files table and flows/, but six docs/ paths marked 'Document Consultation (REQUIRED)' (e.g. docs/references/cvss-scoring.md, docs/insights/insights-api.md) and ../mcp-lightspeed-validator/SKILL.md are broken (verified missing from the bundle), and output templates are duplicated inline rather than delegated.	2 / 3
	Total	10 / 12 Passed

Description

90%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong, trigger-rich description with explicit what/when guidance and good distinctiveness. The main weakness is directive/imperative voice in the capability clause rather than clean third-person phrasing.

Dimension	Reasoning	Score
Specificity	Names concrete capabilities ('CVE Discovery and listing', 'Parsing: references/01-cve-response-parser.py', 'risk assessment') but phrases them as directives ('Use for ALL CVE Discovery', 'DO NOT call get_cves directly') rather than third-person capability voice, triggering the rubric's -1 voice penalty.	2 / 3
Completeness	Explicitly answers what (CVE discovery/listing/parsing) and when (a concrete 'Use when' trigger list), plus a negative trigger ('NOT for remediation (use /remediation)'), satisfying both halves with explicit guidance.	3 / 3
Trigger Term Quality	The 'Use when' clause lists natural SRE phrasings — 'show critical CVEs', 'CVEs on hostname X', 'remediatable vulnerabilities', 'impact of CVE-X' — covering common variations a user would actually say.	3 / 3
Distinctiveness Conflict Risk	The explicit 'NOT for remediation (use /remediation)' disambiguation plus CVE-specific triggers carve a clear niche unlikely to fire for the wrong skill.	3 / 3
	Total	11 / 12 Passed

Validation

81%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 13 / 16 Passed

Validation for skill structure

Criteria	Description	Result
frontmatter_unknown_keys	Unknown frontmatter key(s) found; consider removing or moving to metadata	Warning
relative_links	Relative link issues: 14 missing, 17 deeper-than-1-level, 2 suspicious	Warning
referenced_paths_exist	Referenced path issues: 3 deeper-than-1-level	Warning

	Total	13 / 16 Passed

Repository: RHEcosystemAppEng/agentic-collections
Commit: 523e305

Reviewed: 7 days ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.