tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill scanning-container-security

Execute use when you need to work with security and compliance. This skill provides security scanning and vulnerability detection with comprehensive guidance and automation. Trigger with phrases like "scan for vulnerabilities", "implement security controls", or "audit security".
Validation
81%

| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| metadata_version | 'metadata' field is not a dictionary | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 13 / 16 Passed | |
Implementation
7%

This skill is a generic template with no container security-specific content. It reads like a project management checklist that could apply to any IT task, completely failing to provide actionable guidance for vulnerability scanning, image analysis, or security remediation. The skill wastes tokens on obvious advice while omitting essential details like specific tools (trivy, grype, clair), scan commands, CVE interpretation, or remediation workflows.
Suggestions

- Replace generic steps with specific container security commands (e.g., `trivy image nginx:latest`, `grype alpine:3.18`) and show example output interpretation
- Add a concrete vulnerability scanning workflow: pull image → scan → parse results → prioritize CVEs → remediate → rescan
- Include actual code examples for integrating scanners into CI/CD pipelines or parsing scan results programmatically
- Remove all generic advice Claude already knows (backup data, test in staging, monitor for issues) and focus only on container security-specific guidance
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose with generic boilerplate that applies to any task. Explains obvious concepts like 'backup critical data' and 'test in staging first' that Claude already knows. No container security-specific content justifies the token count. | 1 / 3 |
| Actionability | Entirely abstract and vague with no concrete commands, tools, or code. Phrases like 'Run comprehensive tests' and 'Execute implementation' provide zero executable guidance. No actual container security scanning commands, tools (trivy, grype, etc.), or specific vulnerability detection steps. | 1 / 3 |
| Workflow Clarity | Steps are generic project management phases, not container security workflows. No validation checkpoints specific to security scanning, no feedback loops for vulnerability remediation, and no clear sequence for actual scanning operations. | 1 / 3 |
| Progressive Disclosure | References external files in a structured Resources section with clear paths, but the main content is a monolithic wall of generic text. The referenced files use template placeholders ({baseDir}), suggesting they may not exist, and the skill body itself lacks meaningful content to disclose progressively. | 2 / 3 |
| Total | 5 / 12 Passed | |
Activation
82%

This description has good trigger term coverage and completeness with explicit 'Use when' and 'Trigger with' guidance. However, it lacks specificity in describing concrete capabilities (what types of scans? what vulnerabilities? what compliance frameworks?), and the broad security domain creates moderate conflict risk with other potential security-related skills.
Suggestions

- Add specific concrete actions like 'Scans code for OWASP vulnerabilities, checks dependency CVEs, validates compliance against SOC2/HIPAA frameworks'
- Narrow the scope to reduce conflict risk: specify whether this is for code security, infrastructure security, or compliance auditing specifically
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (security and compliance) and mentions some actions like 'security scanning', 'vulnerability detection', and 'automation', but lacks concrete specific actions like what types of scans, what controls, or what audit outputs. | 2 / 3 |
| Completeness | Explicitly answers both what ('security scanning and vulnerability detection with comprehensive guidance and automation') and when ('Trigger with phrases like...' provides explicit trigger guidance). | 3 / 3 |
| Trigger Term Quality | Includes natural trigger phrases users would say: 'scan for vulnerabilities', 'implement security controls', 'audit security'. These are realistic user requests that would help Claude select this skill. | 3 / 3 |
| Distinctiveness / Conflict Risk | 'Security and compliance' is a broad domain that could overlap with other security-related skills. While the trigger phrases help narrow scope, terms like 'security controls' and 'audit' could conflict with more specialized compliance or infrastructure skills. | 2 / 3 |
| Total | 10 / 12 Passed | |
Reviewed