addressing-dependabot
Addresses GitHub Dependabot security alerts by listing open alerts, identifying affected Python/uv, frontend npm, and Titus Go projects, upgrading vulnerable dependencies, running verification, and committing fixes. Use when the user wants to fix Dependabot alerts, upgrade vulnerable packages, or address security vulnerabilities found by Dependabot.
91
88%
Does it follow best practices?
Impact
98%
1.13xAverage score across 3 eval scenarios
Passed
No known issues
Quality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly articulates specific capabilities (listing alerts, identifying affected projects by ecosystem, upgrading, verifying, committing), includes natural trigger terms users would use, and provides explicit 'Use when' guidance. The description is well-scoped to Dependabot-specific workflows, making it highly distinctive and unlikely to conflict with other skills.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: listing open alerts, identifying affected projects across specific ecosystems (Python/uv, npm, Go), upgrading vulnerable dependencies, running verification, and committing fixes. | 3 / 3 |
Completeness | Clearly answers both 'what' (listing alerts, identifying affected projects, upgrading dependencies, running verification, committing fixes) and 'when' with an explicit 'Use when...' clause specifying three trigger scenarios. | 3 / 3 |
Trigger Term Quality | Includes strong natural trigger terms users would say: 'Dependabot alerts', 'vulnerable packages', 'security vulnerabilities', 'fix Dependabot alerts', 'upgrade vulnerable packages'. Covers the main ways users would phrase requests about this topic. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive with a clear niche: specifically targets GitHub Dependabot security alerts across named ecosystems (Python/uv, npm, Go). The Dependabot-specific focus makes it unlikely to conflict with general dependency management or security scanning skills. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
77%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, highly actionable skill with excellent workflow clarity including approval gates, validation checkpoints, and feedback loops. The main weakness is its length — while nearly all content is useful, the monolithic structure could benefit from splitting ecosystem-specific details into separate files. The skill demonstrates deep domain knowledge of the specific monorepo's structure and tooling.
Suggestions
Consider splitting ecosystem-specific update strategies (Python/npm/Go sections in Steps 3-4) into separate reference files to reduce the main skill's token footprint.
Consolidate the three identical 'Use request_user_input when available; otherwise ask a direct concise question' instructions into a single note at the top to reduce repetition.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is fairly long but most content earns its place — specific commands, ecosystem-specific strategies, and troubleshooting are all necessary. However, some sections are slightly repetitive (e.g., the GATE instructions are repeated verbatim three times, and the 'request_user_input' phrasing appears multiple times). The project paths reference list and some explanatory text could be tightened. | 2 / 3 |
Actionability | Excellent actionability throughout — every step has concrete, executable bash commands, specific file paths, and copy-paste ready code. The skill covers direct vs transitive dependencies for each ecosystem with precise commands, includes verification commands, and provides specific troubleshooting solutions with exact commands. | 3 / 3 |
Workflow Clarity | The workflow is clearly sequenced with numbered steps, two explicit approval gates, a feedback loop for test/lint failures, and a verification checklist. The error recovery path (investigate → fix → re-run) is explicit, and the commit step specifies exactly which files to include per ecosystem. | 3 / 3 |
Progressive Disclosure | The content is well-structured with clear headers and logical sections, but it's a monolithic ~250-line file with no references to external files. The ecosystem-specific update strategies (Python, npm, Go) and troubleshooting could be split into separate reference files to keep the main skill leaner. However, given no bundle files exist, this is somewhat expected. | 2 / 3 |
Total | 10 / 12 Passed |
Validation
100%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
- Repository
- SpecterOps/Nemesis
- Commit
432d081
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.