This skill analyzes project dependencies for security vulnerabilities, outdated packages, and license compliance issues. It helps identify potential risks in your project's dependencies using the dependency-checker plugin. Use this skill when you need to check dependencies for vulnerabilities, identify outdated packages that need updates, or ensure license compatibility. Trigger phrases include "check dependencies", "dependency check", "find vulnerabilities", "scan for outdated packages", "/depcheck", and "license compliance". This skill supports npm, pip, composer, gem, and go modules projects.
Score: 92
Quality: 53% (does it follow best practices?)
Impact: 96% (1.09x average score across 12 eval scenarios)
Validation: Passed, no known issues

Optimize this skill with Tessl: npx tessl skill review --optimize ./backups/skills-migration-20251108-070147/plugins/security/dependency-checker/skills/dependency-checker/SKILL.md

Quality
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly communicates what the skill does, when to use it, and includes natural trigger terms. The only minor issue is the use of second person ('your project's dependencies') which the rubric penalizes, but the description is otherwise well-structured and comprehensive. It covers specific actions, explicit trigger phrases, and supported ecosystems, making it highly distinguishable.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: analyzes dependencies for security vulnerabilities, identifies outdated packages, checks license compliance issues. Also specifies supported ecosystems (npm, pip, composer, gem, go modules). | 3 / 3 |
| Completeness | Clearly answers both 'what' (analyzes dependencies for vulnerabilities, outdated packages, license compliance) and 'when' (explicit 'Use this skill when...' clause with specific trigger phrases listed). | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms users would say: 'check dependencies', 'find vulnerabilities', 'scan for outdated packages', 'license compliance', '/depcheck', plus mentions specific package managers (npm, pip, composer, gem, go modules) that users would reference. | 3 / 3 |
| Distinctiveness / Conflict Risk | Has a clear niche focused on dependency security analysis, vulnerability scanning, and license compliance. The specific trigger phrases and supported package managers make it unlikely to conflict with general code analysis or other skills. | 3 / 3 |
| Total | | 12 / 12 (Passed) |
Implementation: 7%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads like a marketing description rather than actionable instructions for Claude. It lacks any concrete commands, code examples, or tool invocations, instead describing what the skill 'will do' in abstract terms. The content is padded with generic best practices and explanations of concepts Claude already understands, wasting token budget without providing executable guidance.
Suggestions
Replace abstract descriptions with concrete, executable commands showing how to invoke the dependency-checker plugin (e.g., exact CLI commands or tool calls with parameters).
Remove the 'Best Practices', 'Integration', and 'When to Use This Skill' sections entirely — these explain things Claude already knows and waste tokens.
Add actual example outputs (e.g., a sample vulnerability report JSON/table) so Claude knows the expected output format.
Include validation steps and error handling — what to do when the plugin fails, when no manifest file is found, or when results need human review.
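The suggestions above ask for concrete commands, a known output format, and explicit handling of the "no manifest found" and "tool missing" cases, for the ecosystems the description at the top lists (npm, pip, composer, gem, go modules). The script below is an added example of that shape, written for this page; it is not the dependency-checker plugin's own code and the plugin's real CLI is not shown anywhere on the page. It assumes the audit tools it names are installed (npm, pip-audit, composer 2.4 or later, bundler-audit, govulncheck) and detects the pip ecosystem only from requirements.txt, since that is the layout the pip-audit invocation used here expects.

```bash
#!/usr/bin/env bash
# Added example (not the dependency-checker plugin's code): detect the
# package manager from manifest files, map it to a concrete audit
# command, and fail loudly instead of silently when nothing can be scanned.
set -u

# Print the ecosystem for DIR, or "none" when no supported manifest exists.
# Lockfiles are checked first because auditors report on resolved versions.
detect_manager() {
  dir=${1:-.}
  if [ -f "$dir/package-lock.json" ] || [ -f "$dir/package.json" ]; then
    echo npm
  elif [ -f "$dir/requirements.txt" ]; then
    echo pip
  elif [ -f "$dir/composer.lock" ] || [ -f "$dir/composer.json" ]; then
    echo composer
  elif [ -f "$dir/Gemfile.lock" ] || [ -f "$dir/Gemfile" ]; then
    echo gem
  elif [ -f "$dir/go.mod" ]; then
    echo go
  else
    echo none
  fi
}

# Map an ecosystem to the command a practitioner actually runs.
# Assumed tools: npm, pip-audit, composer >= 2.4, bundler-audit, govulncheck.
# JSON output is requested where the tool supports it so results can be parsed.
audit_command() {
  case "$1" in
    npm)      echo "npm audit --json" ;;
    pip)      echo "pip-audit -r requirements.txt --format json" ;;
    composer) echo "composer audit --format=json" ;;
    gem)      echo "bundle-audit check --update" ;;
    go)       echo "govulncheck ./..." ;;
    *)        return 1 ;;
  esac
}

# Scan DIR. Exit status: 0 clean, 1 findings reported by the tool,
# 2 no supported manifest, 3 required audit tool not installed.
# Distinct codes let a caller (or an agent) decide whether a human
# needs to look at results, install tooling, or point at another directory.
scan_dependencies() {
  dir=${1:-.}
  mgr=$(detect_manager "$dir")
  if [ "$mgr" = none ]; then
    echo "error: no supported manifest found in $dir" >&2
    return 2
  fi
  cmd=$(audit_command "$mgr")
  tool=${cmd%% *}
  if ! command -v "$tool" >/dev/null 2>&1; then
    echo "error: $tool is not installed; cannot audit $mgr project in $dir" >&2
    return 3
  fi
  echo "running: $cmd (in $dir)" >&2
  (cd "$dir" && sh -c "$cmd")
}
```

Run it as `scan_dependencies path/to/project` and branch on the exit status; the audit tools themselves return non-zero when they find vulnerabilities, so status 1 means "findings to review", not "the scan broke".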
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is highly verbose, explaining concepts Claude already knows (what package managers are, what CVEs are, what manifest files are). Sections like 'How It Works', 'When to Use This Skill', 'Best Practices', and 'Integration' are padded with generic advice that doesn't add actionable value. The 'Overview' restates the description unnecessarily. | 1 / 3 |
| Actionability | There are no concrete commands, executable code, or specific tool invocations. The examples describe what the skill 'will do' in abstract terms rather than showing actual commands or plugin usage. There's no indication of how to actually invoke the 'dependency-checker plugin' or what its API/CLI looks like. | 1 / 3 |
| Workflow Clarity | The steps listed are abstract descriptions ('Detect the relevant package manager', 'Scan the project's dependencies') with no concrete commands, validation checkpoints, or error recovery. There's no guidance on what to do if scanning fails or how to verify results. | 1 / 3 |
| Progressive Disclosure | The content is organized into sections with headers, which provides some structure. However, there are no references to external files, and content that could be split out (e.g., per-package-manager details) is neither inline nor referenced. No bundle files exist to support deeper content. | 2 / 3 |
| Total | | 5 / 12 (Passed) |
Validation: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
13d35b8