Specialized CVE and vulnerability management for morphir-dotnet. Use when user asks to scan for vulnerabilities, fix CVEs, suppress false positives, review security reports, or manage dependency-check. Triggers include "CVE", "vulnerability", "security scan", "dependency-check", "suppress", "false positive", "CVSS", "security fix".
67
81%: Does it follow best practices?
Impact: (no eval scenarios have been run)
Advisory: Suggest reviewing before use
Quality
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its scope (CVE/vulnerability management for a specific project), lists concrete actions, provides explicit 'Use when' guidance, and includes a comprehensive set of trigger terms. It follows third-person voice and is concise without unnecessary padding. It serves as a near-ideal example of a well-crafted skill description.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: scan for vulnerabilities, fix CVEs, suppress false positives, review security reports, manage dependency-check. These are clear, actionable capabilities. | 3 / 3 |
| Completeness | Clearly answers both 'what' (CVE and vulnerability management for morphir-dotnet) and 'when' (explicit 'Use when' clause with specific scenarios plus a 'Triggers include' list). Both dimensions are well-covered. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms users would say: 'CVE', 'vulnerability', 'security scan', 'dependency-check', 'suppress', 'false positive', 'CVSS', 'security fix'. These are terms users would naturally use when needing this skill. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive due to the combination of project-specific scope ('morphir-dotnet') and security-specific terminology ('CVE', 'CVSS', 'dependency-check', 'suppress false positives'). Very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 62%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is highly actionable with excellent workflow clarity, providing concrete commands, XML templates, and well-structured multi-phase playbooks with validation checkpoints. However, it is severely bloated — easily 3-4x longer than necessary — with redundant decision trees, verbose explanations of concepts Claude already understands (CVSS severity levels, what false positives are), and content that should be split into separate referenced files rather than inlined. The skill would benefit enormously from aggressive trimming and splitting into a concise overview with referenced detail files.
Suggestions
Cut the content by 60-70%: remove the 'Primary Responsibilities' role description, CVSS severity definitions, and redundant decision trees (the same fix-vs-suppress logic appears in at least 3 places).
Move the Pattern Catalog, Playbooks, and Automation Scripts sections into separate referenced files (e.g., PATTERNS.md, PLAYBOOKS.md, SCRIPTS.md) and keep only a brief summary with links in SKILL.md.
Remove explanatory text that describes what Claude already knows — e.g., 'PDF (Portable Document Format)'-style explanations like 'CPE (Common Platform Enumeration) matching uses broad patterns' and 'Binary scanning reads assembly version (embedded in DLL)'.
Consolidate the three overlapping decision trees ('A CVE scan failed', 'Should I suppress or fix?', 'How do I verify a false positive?') into a single concise decision tree or flowchart.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at ~500+ lines. Extensively explains concepts Claude already knows (what CVSS scores mean, what false positives are, how decision trees work). The 'Primary Responsibilities' and 'Core Competencies' sections describe Claude's role back to it unnecessarily. Multiple decision trees repeat the same logic in different formats. The pattern catalog, playbooks, and review sections could be dramatically condensed. | 1 / 3 |
| Actionability | Provides fully executable bash commands (gh workflow run, dotnet commands), complete XML suppression templates with proper structure, concrete file paths, and specific package update examples. Commands are copy-paste ready and cover the full workflow from scanning to fixing to verifying. | 3 / 3 |
| Workflow Clarity | Multi-step processes are clearly sequenced with explicit phases (Phase 1-4 in playbooks), validation checkpoints (re-run scan to verify fix, run tests for regressions), and feedback loops (fix → validate → if errors fix again). The decision trees provide clear branching logic for different scenarios. Destructive operations like package updates include verification steps. | 3 / 3 |
| Progressive Disclosure | References scripts/, templates/, and related files, but no bundle files are provided to verify they exist. The SKILL.md itself is monolithic: the pattern catalog, all four playbooks, automation script docs, integration points, and review capability sections are all inline when they could be split into separate files. The 'Related Resources' section at the end provides good navigation, but the body content that should be in referenced files is all crammed into the main document. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (734 lines); consider splitting into references/ and linking | Warning |
| Total | | 10 / 11 Passed |
7c0c06d