cpg-analysis
Deep code property graph analysis with Joern CPG (AST+CFG+PDG) and CodeQL for control flow, data flow, taint analysis, and security auditing
52
57%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/cpg-analysis/SKILL.mdQuality
Discovery
50%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description is technically specific and names concrete tools and analysis techniques, making it highly distinctive. However, it completely lacks a 'Use when...' clause, which is critical for Claude to know when to select this skill. It also leans heavily on technical jargon that users may not naturally use when requesting help.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks for static code analysis, vulnerability detection, taint tracking, or mentions Joern or CodeQL.'
Include more natural user-facing trigger terms such as 'find vulnerabilities', 'static analysis', 'code security scan', 'SAST', or 'source code audit' to improve discoverability.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'code property graph analysis', 'control flow', 'data flow', 'taint analysis', and 'security auditing'. Also names specific tools (Joern CPG, CodeQL) and graph components (AST+CFG+PDG). | 3 / 3 |
Completeness | The description answers 'what does this do' reasonably well but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per the rubric, a missing 'Use when...' clause should cap completeness at 2, and since the 'when' is entirely absent, this scores a 1. | 1 / 3 |
Trigger Term Quality | Includes good technical keywords like 'Joern', 'CodeQL', 'taint analysis', 'control flow', 'data flow', 'security auditing', and 'CPG'. However, these are fairly specialized terms; common user phrases like 'find vulnerabilities', 'code security scan', 'static analysis', or 'SAST' are missing. | 2 / 3 |
Distinctiveness Conflict Risk | Highly distinctive due to the specific tool names (Joern CPG, CodeQL) and the specialized domain of code property graph analysis. Unlikely to conflict with generic code review or security skills. | 3 / 3 |
Total | 9 / 12 Passed |
Implementation
64%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides strong actionable guidance with concrete queries, tool references, and configuration examples for both Joern and CodeQL. Its main weaknesses are moderate verbosity (explaining CPG components Claude already knows, redundant tier comparison tables) and a monolithic structure that would benefit from splitting detailed query references and configuration into separate files. The combined workflow lacks explicit validation checkpoints and error recovery steps.
Suggestions
Remove the CPG component diagram explaining what AST/CFG/DDG are — Claude knows these concepts. Replace with a one-line summary like 'Joern builds a full CPG (AST+CFG+CDG+DDG+PDG) enabling structural, flow, and dependency queries.'
Add explicit validation and error recovery steps to the combined workflow, e.g., 'After step 3, verify CFG output covers expected paths; if CPG is stale, rebuild with generate_cpg before proceeding.'
Split detailed CPGQL query examples and CodeQL patterns into separate reference files (e.g., CPGQL_QUERIES.md, CODEQL_PATTERNS.md) and reference them from SKILL.md to improve progressive disclosure.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The CPG component breakdown diagram explains concepts Claude already knows (what AST, CFG, DDG stand for). The tier selection guide and 'When to Use' tables have some redundancy between them. The anti-patterns section adds value but the overall content could be tightened by ~30%. | 2 / 3 |
Actionability | Provides executable CPGQL queries, concrete CodeQL query examples, specific MCP tool names with purposes, exact configuration JSON, and installation commands. The guidance is copy-paste ready and specific enough to act on immediately. | 3 / 3 |
Workflow Clarity | The combined workflow provides a clear 5-step sequence, but lacks explicit validation checkpoints and error recovery. There's no feedback loop for when CPG build fails, when queries return unexpected results, or when CodeQL database creation encounters issues. The 'always verify CPG is built' note is in anti-patterns rather than integrated into the workflow. | 2 / 3 |
Progressive Disclosure | The content is well-structured with clear sections and tables, but it's a monolithic ~180-line file with no references to supporting files. The detailed CPGQL query examples, CodeQL patterns, and configuration details could be split into separate reference files, keeping SKILL.md as a concise overview with pointers. | 2 / 3 |
Total | 9 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- alinaqi/claude-bootstrap
- Commit
7e5f7a2
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.