Audit project dependencies, frameworks, languages, and dev tools for known vulnerabilities, CVEs, and security anti-patterns. Use when the user mentions 'dependency audit,' 'npm audit,' 'CVE,' 'vulnerable packages,' 'supply chain security,' 'outdated dependencies,' 'known vulnerabilities,' 'security advisory,' 'package security,' 'framework vulnerability,' 'is this package safe,' or needs to check whether their stack has known security issues.
65

78% (Does it follow best practices?)
Impact: — (No eval scenarios have been run)
Advisory: Suggest reviewing before use

Optimize this skill with Tessl: npx tessl skill review --optimize ./skills/dependency-audit/SKILL.md

Quality
Discovery: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its scope (auditing dependencies and tools for security vulnerabilities), provides an explicit 'Use when' clause, and includes an extensive list of natural trigger terms covering both technical jargon and casual user phrasing. It uses proper third-person voice and is well-structured for disambiguation from other skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'Audit project dependencies, frameworks, languages, and dev tools for known vulnerabilities, CVEs, and security anti-patterns.' This clearly describes what the skill does with concrete, actionable terms. | 3 / 3 |
| Completeness | Clearly answers both 'what' (audit dependencies, frameworks, languages, and dev tools for vulnerabilities, CVEs, and security anti-patterns) and 'when' (explicit 'Use when...' clause with extensive trigger terms and a general fallback condition 'needs to check whether their stack has known security issues'). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms users would say: 'dependency audit,' 'npm audit,' 'CVE,' 'vulnerable packages,' 'supply chain security,' 'outdated dependencies,' 'known vulnerabilities,' 'security advisory,' 'package security,' 'framework vulnerability,' 'is this package safe.' These cover both technical and conversational phrasings. | 3 / 3 |
| Distinctiveness / Conflict Risk | Occupies a clear niche around dependency/package security auditing with highly specific trigger terms like 'CVE,' 'npm audit,' 'supply chain security,' and 'security advisory' that are unlikely to conflict with general coding or security skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 57%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is highly actionable with executable commands and specific vulnerability patterns across many ecosystems, making it a strong practical reference. However, it suffers from being a monolithic document that tries to cover too much inline — the framework-specific checklists alone span 7 frameworks and should be split into separate files. The workflow is sequential but lacks explicit validation checkpoints between steps, which is important for security audit workflows.
Suggestions
Split framework-specific issues (Step 3) into separate reference files (e.g., FRAMEWORKS/nextjs.md, FRAMEWORKS/django.md) and reference them from the main skill with clear navigation links.
Add explicit validation checkpoints between steps, e.g., 'Verify inventory is complete before running audit tools' and 'Cross-reference automated findings with framework-specific checks before generating report.'
Move the output format template to a separate TEMPLATE.md file to reduce the main skill's length and improve progressive disclosure.
Trim framework-specific items that Claude already knows as basic security anti-patterns (e.g., 'eval() with user input', 'DEBUG=True in production') to improve conciseness.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is comprehensive but overly verbose in places. The framework-specific issues section (Step 3) is essentially a massive checklist that could be split into separate reference files. Many items listed (e.g., 'DEBUG=True in production', 'eval() with user input') are things Claude already knows as security anti-patterns. However, the structured checklists do add value as a systematic reference. | 2 / 3 |
| Actionability | Provides fully executable audit commands for every major ecosystem (`npm audit`, `pip-audit`, `cargo audit`, `trivy`, etc.), a specific CVE reference (CVE-2025-29927), concrete code patterns to look for (e.g., `where("column = '#{input}'")`, string interpolation into a Rails `where` clause), and a detailed output template. Guidance is specific and copy-paste ready throughout. | 3 / 3 |
| Workflow Clarity | The 5-step methodology provides a clear sequence (inventory → automated audit → framework issues → supply chain → CI/CD), but there are no explicit validation checkpoints or feedback loops. For a security audit involving potentially destructive remediation actions, there is no 'verify fix before proceeding' step or error recovery guidance. The output format is well-structured but the workflow lacks verification gates. | 2 / 3 |
| Progressive Disclosure | This is a monolithic wall of text (200+ lines) with no bundle files and no references to separate documents. The framework-specific issues for 7+ frameworks, supply chain checks, CI/CD security, and output format are all inlined. The framework-specific sections (Step 3) and output template would be much better as separate referenced files. | 1 / 3 |
| Total | | 8 / 12 Passed |
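Two of the suggestions above, explicit validation checkpoints between steps and executable commands per ecosystem, can be combined in a single driver script. The following is an added example written for this review, not code from the dependency-audit skill or from Tessl. It implements Step 1 (inventory) and Step 2 (automated audit) of the skill's methodology with a checkpoint that refuses to run any auditor until the inventory is non-empty and the lockfile each auditor needs is present. The manifest-to-tool mapping, the `audit-<ecosystem>.json` output names and the `AUDIT_DRY_RUN` / `AUDIT_RUN_MAIN` variables are this example's own assumptions; the command-line flags are those of npm, pip-audit, cargo-audit and trivy.

```shell
#!/usr/bin/env sh
# Added example (not part of the dependency-audit skill or of Tessl): a small
# audit driver implementing Step 1 (inventory) and Step 2 (automated audit)
# with validation checkpoints in between. Assumptions of this example:
#   - the manifest -> tool mapping below (npm, pip-audit, cargo-audit, trivy)
#   - results are written to <dir>/audit-<ecosystem>.json
#   - AUDIT_DRY_RUN=1 prints the commands instead of executing them
#   - AUDIT_RUN_MAIN=1 makes the script run run_audit on its first argument

# Step 1: inventory. Emits one "ecosystem<TAB>manifest" line per manifest found.
inventory() {
  dir=${1:-.}
  [ -f "$dir/package-lock.json" ] && printf 'npm\t%s\n' "$dir/package-lock.json"
  [ -f "$dir/requirements.txt" ] && printf 'pip\t%s\n' "$dir/requirements.txt"
  [ -f "$dir/Cargo.lock" ] && printf 'cargo\t%s\n' "$dir/Cargo.lock"
  # Lockfiles this example hands to trivy instead of an ecosystem-native tool.
  for f in Gemfile.lock go.sum composer.lock; do
    [ -f "$dir/$f" ] && printf 'trivy\t%s\n' "$dir/$f"
  done
  return 0
}

# Checkpoint 1a: an empty inventory means the audit would silently check nothing.
checkpoint_inventory() {
  if [ -z "$1" ]; then
    echo "checkpoint failed: no manifests found; complete the inventory before auditing" >&2
    return 1
  fi
  return 0
}

# Checkpoint 1b: a manifest without its lockfile leaves the auditor with
# unresolved version ranges, so its findings would be incomplete. Only the
# npm case is checked in this example.
checkpoint_lockfiles() {
  dir=${1:-.}
  if [ -f "$dir/package.json" ] && [ ! -f "$dir/package-lock.json" ]; then
    echo "checkpoint failed: package.json without package-lock.json; run 'npm install --package-lock-only' first" >&2
    return 1
  fi
  return 0
}

# Step 2: map an inventory line to the audit command for its ecosystem.
audit_command() {
  eco=$1
  manifest=$2
  case "$eco" in
    npm)   echo "npm audit --json --prefix $(dirname "$manifest")" ;;
    pip)   echo "pip-audit -r $manifest --format json" ;;
    cargo) echo "cargo audit --json --file $manifest" ;;
    trivy) echo "trivy fs --scanners vuln --format json $(dirname "$manifest")" ;;
    *)     echo "unsupported ecosystem: $eco" >&2; return 1 ;;
  esac
}

# Build the inventory, enforce both checkpoints, then audit each ecosystem.
# The auditors exit non-zero when they find vulnerabilities, so a non-zero
# status from a tool means "findings to review", not necessarily a failure.
run_audit() {
  dir=${1:-.}
  inv=$(inventory "$dir")
  checkpoint_inventory "$inv" || return 1
  checkpoint_lockfiles "$dir" || return 1
  tab=$(printf '\t')
  printf '%s\n' "$inv" | while IFS=$tab read -r eco manifest; do
    cmd=$(audit_command "$eco" "$manifest") || exit 1
    if [ "${AUDIT_DRY_RUN:-0}" = 1 ]; then
      echo "$cmd"
    elif ! sh -c "$cmd" > "$dir/audit-$eco.json"; then
      echo "$eco: findings or tool error; review $dir/audit-$eco.json" >&2
    fi
  done
}

# Usage: AUDIT_RUN_MAIN=1 sh audit-driver.sh ./project
if [ "${AUDIT_RUN_MAIN:-0}" = 1 ]; then
  run_audit "${1:-.}"
fi
```

The checkpoints are deliberately separate functions so that a skill can name them as gates ('Verify inventory is complete before running audit tools') and a reviewer can test them in isolation; the dry-run mode lets the generated commands be reviewed before anything with network access is executed.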
Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| Total | | 10 / 11 Passed |