MUST be used whenever fixing dependency issues in a Flows app. This skill finds AND fixes vulnerabilities, outdated packages, deprecated dependencies, and license issues — it does not just report them. Triggers: dependencies, packages, fix dependencies, update packages, fix vulnerabilities, npm audit fix, pnpm audit fix, CVE fix, outdated, deprecated, supply chain, license.
87
88%
Does it follow best practices?
Impact
79%
1.88x Average score across 3 eval scenarios
Advisory
Suggest reviewing before use
Quality
Discovery
100% Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly communicates what the skill does (finds and fixes dependency vulnerabilities, outdated packages, deprecated dependencies, and license issues), when to use it (dependency issues in a Flows app), and includes comprehensive trigger terms. The explicit distinction that it fixes rather than just reports issues adds valuable clarity. The use of third person voice and concise structure make it effective for skill selection.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: finds AND fixes vulnerabilities, outdated packages, deprecated dependencies, and license issues. Also clarifies it doesn't just report them, which adds specificity about the skill's behavior. | 3 / 3 |
| Completeness | Clearly answers both 'what' (finds and fixes vulnerabilities, outdated packages, deprecated dependencies, license issues in a Flows app) and 'when' (whenever fixing dependency issues, with explicit trigger terms listed). The 'MUST be used whenever' clause serves as a strong explicit trigger. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms users would say: 'dependencies', 'packages', 'fix dependencies', 'update packages', 'fix vulnerabilities', 'npm audit fix', 'pnpm audit fix', 'CVE fix', 'outdated', 'deprecated', 'supply chain', 'license'. These cover both natural language and tool-specific terms. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive — scoped specifically to 'Flows app' dependency issues, with clear niche triggers like 'npm audit fix', 'pnpm audit fix', 'CVE fix', and 'supply chain'. The domain-specific scoping and explicit trigger list make it unlikely to conflict with general coding or other skills. | 3 / 3 |
| Total | 12 / 12 Passed | |
Implementation
77% Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a thorough, highly actionable skill with excellent workflow clarity — every step has concrete commands, clear fix instructions, and validation checkpoints with feedback loops. The main weakness is length; at ~250 lines with repeated verification patterns and verbose bash scripts, it could be more token-efficient. The progressive disclosure is adequate for a standalone file but the density suggests some content could be externalized.
Suggestions
Extract the repeated 'run pnpm install && pnpm run build to verify' pattern into a single named checkpoint referenced throughout, reducing repetition across 5+ steps.
Consider moving the full review-packages.md template (Step 7) and the batch lookup scripts (Step 2) into separate referenced files to reduce the main skill's token footprint.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is quite long (~250 lines) with some redundancy — the repeated 'run pnpm install and pnpm run build to verify' pattern appears in nearly every step, and some bash scripts could be more compact. However, most content is genuinely instructive and not explaining things Claude already knows. The verbosity is moderate, not egregious. | 2 / 3 |
| Actionability | Every step includes executable bash/node commands, specific package manager commands (pnpm update, pnpm audit fix, pnpm overrides), concrete JSON configuration examples, and clear criteria tables. The code is copy-paste ready and covers both the happy path and edge cases like transitive dependency overrides. | 3 / 3 |
| Workflow Clarity | The 8-step workflow is clearly sequenced with explicit validation checkpoints — each fix step includes 're-run audit to confirm' and 'run build to verify nothing breaks' feedback loops. Error recovery is addressed (revert major updates that break builds, note as manual-fix items). The final steps capture post-fix state and report remaining issues. | 3 / 3 |
| Progressive Disclosure | The content is a monolithic single file with no references to supporting documents, which is understandable given no bundle files exist. However, at ~250 lines with detailed scripts for 8 steps, some content (like the batch lookup scripts or the full output template) could benefit from being split into referenced files. The section structure with clear headers is good but the file is dense. | 2 / 3 |
| Total | 10 / 12 Passed | |
Validation
81% Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| metadata_version | 'metadata.version' is missing | Warning |
| Total | 9 / 11 Passed | |
d6af887