CtrlK
BlogDocsLog inGet started
Tessl Logo

scanning-container-security

Execute use when you need to work with security and compliance. This skill provides security scanning and vulnerability detection with comprehensive guidance and automation. Trigger with phrases like "scan for vulnerabilities", "implement security controls", or "audit security".

66

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

80%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is concise, well-structured, and actionable with concrete scanner commands and a useful error-handling table, but it lacks explicit validation checkpoints in its workflow and fails to point to the bundled scripts that exist alongside it.

Suggestions

Add explicit validation/verification checkpoints to the numbered workflow (e.g., after scanning, verify findings parsed with jq and gate CI on Critical/High before proceeding) to lift workflow clarity.

Reference the bundled scripts from the body (e.g., 'For repeatable runs, see scripts/trivy_scan.py and scripts/snyk_scan.py') so the existing bundle is discoverable and one level deep.

Reconcile the scripts/README.md (which lists nonexistent .sh files) with the actual .py scripts to avoid signaling references that do not exist.

DimensionReasoningScore

Conciseness

The body is lean, assumes Claude's competence, and avoids explaining concepts Claude already knows; it does not reach verbosity because every section earns its place with concrete commands and tables rather than padded prose.

3 / 3

Actionability

It gives concrete, executable commands such as 'trivy image <image:tag>', 'grype <image:tag>', 'hadolint Dockerfile', and 'trivy image --scanners secret <image:tag>', plus specific flags, matching the fully executable level-3 anchor.

3 / 3

Workflow Clarity

The numbered Instructions sequence provides an order, but it lacks explicit validation checkpoints between steps; per the rubric, missing validation/verification steps in a batch scanning workflow caps workflow clarity at 2, even though the error-handling table offers reactive fixes.

2 / 3

Progressive Disclosure

The single SKILL.md is well-organized into clear sections, but it never references the bundled scripts in ./scripts/ (trivy_scan.py, snyk_scan.py), and the scripts README lists .sh files that do not actually exist, so the bundle is present but not clearly signaled or navigated — matching the level-2 anchor.

2 / 3

Total

10

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description clearly states what the skill does and when to trigger it with natural, user-friendly phrases, but its capability list is only partially specific and its broad 'security and compliance' framing leaves some overlap risk with other security skills.

Suggestions

Replace the generic 'security and compliance' opening with container-specific actions (e.g., 'Scan container images and Dockerfiles for vulnerabilities, misconfigurations, and compliance violations') to sharpen specificity and distinctiveness.

List several concrete actions in the description itself (e.g., scan OS packages, lint Dockerfiles, detect baked-in secrets, check CIS Docker Benchmark) rather than summarizing as 'scanning and detection'.

Tighten the description prose; the folded multiline with a dangling 'Trigger with phrases like ... or "audit security".' line is awkward and could be a single concise sentence.

DimensionReasoningScore

Specificity

It names the domain ('security and compliance') and a couple of actions ('security scanning and vulnerability detection') but does not list multiple distinct concrete actions, matching the 'names domain and some actions, but not comprehensive' anchor rather than the level-3 list of several specific actions.

2 / 3

Completeness

It explicitly answers both what ('security scanning and vulnerability detection with comprehensive guidance and automation') and when ('Execute use when you need to work with security and compliance' plus explicit trigger phrases), satisfying the level-3 anchor for both what and when.

3 / 3

Trigger Term Quality

Phrases like 'scan for vulnerabilities', 'implement security controls', and 'audit security' are natural terms a user would say, giving good coverage; it is above level 2 because it lists several common variations rather than a single keyword.

3 / 3

Distinctiveness Conflict Risk

The opening 'security and compliance' framing is broad and could overlap with other security skills, so it lands at the 'somewhat specific but could still overlap' anchor rather than the clearly distinct level-3 niche, even though the trigger phrases are reasonably specific.

2 / 3

Total

10

/

12

Passed

Validation

87%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation14 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

allowed_tools_field

'allowed-tools' contains unusual tool name(s)

Warning

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

14

/

16

Passed

Repository
jeremylongshore/claude-code-plugins-plus-skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.