This skill enables comprehensive vulnerability scanning using the vulnerability-scanner plugin. It identifies security vulnerabilities in code, dependencies, and configurations, including CVE detection. Use this skill when the user asks to scan for vulnerabilities, security issues, or CVEs in their project. Trigger phrases include "scan for vulnerabilities", "find security issues", "check for CVEs", "/scan", or "/vuln". The plugin performs static analysis, dependency checking, and configuration analysis to provide a detailed vulnerability report.
Overall score: 90

Quality: 53% (does it follow best practices?)
Impact: 97% (1.03x average score across 9 eval scenarios)
Status: Passed, no known issues

Optimize this skill with Tessl:

npx tessl skill review --optimize ./backups/skills-migration-20251108-070147/plugins/security/vulnerability-scanner/skills/vulnerability-scanner/SKILL.md

Quality
Discovery: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that clearly communicates what the skill does (vulnerability scanning across code, dependencies, and configurations), when to use it (with explicit trigger phrases), and how it works (static analysis, dependency checking, configuration analysis). It uses third-person voice consistently and provides distinct, natural trigger terms that minimize conflict risk with other skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'identifies security vulnerabilities in code, dependencies, and configurations', 'CVE detection', 'static analysis, dependency checking, and configuration analysis', and 'detailed vulnerability report'. | 3 / 3 |
| Completeness | Clearly answers both 'what' (identifies vulnerabilities via static analysis, dependency checking, configuration analysis) and 'when' (explicit 'Use this skill when...' clause with trigger phrases listed). | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms users would say: 'scan for vulnerabilities', 'find security issues', 'check for CVEs', '/scan', '/vuln'. These cover common variations of how users would phrase vulnerability scanning requests. | 3 / 3 |
| Distinctiveness / Conflict Risk | Clearly occupies a distinct niche around vulnerability scanning and CVE detection. The specific trigger terms like '/scan', '/vuln', 'CVEs' and the focus on security scanning make it unlikely to conflict with general code analysis or other skills. | 3 / 3 |
| Total | | 12 / 12 (Passed) |
Implementation: 7%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill content is almost entirely descriptive rather than instructive. It explains what the vulnerability-scanner plugin does conceptually but never shows how to actually use it—no commands, no configuration syntax, no API calls, no concrete examples of plugin invocation or output format. The content reads like marketing copy rather than an actionable skill file.
Suggestions

- Replace the abstract 'How It Works' and example sections with actual plugin invocation syntax, e.g., the exact command or function call to trigger the vulnerability-scanner plugin with specific options.
- Add a concrete example showing expected input and output, such as a sample vulnerability report format or JSON schema that the plugin produces.
- Remove the 'Overview', 'When to Use', 'Best Practices', and 'Integration' sections entirely; they explain concepts Claude already knows and add no actionable value.
- Include validation/verification steps with concrete commands, such as how to verify the scan completed successfully and how to re-scan after remediation.
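To illustrate the second and fourth suggestions (a concrete report format, and a verification step that checks a scan completed and that a re-scan after remediation actually removed findings), the following Python is an added example written for this review; it is not code from the vulnerability-scanner plugin or from the skill under review. The JSON layout, the field names, the severity scale and the sample findings are all constructed assumptions, not the plugin's real output schema.

```python
"""Verify a vulnerability scan completed and that a re-scan after remediation
removed findings. Added example; the report layout is hypothetical."""
import json

# Constructed sample output in an ASSUMED format (not the real plugin schema).
BEFORE_REPORT = json.dumps({
    "status": "completed",
    "findings": [
        {"id": "sqli-string-concat", "severity": "high",
         "category": "code", "location": "app/db.py:42"},
        {"id": "vulnerable-dependency", "severity": "critical",
         "category": "dependency", "location": "package.json:example-lib"},
        {"id": "debug-mode-enabled", "severity": "medium",
         "category": "configuration", "location": "config/settings.py:12"},
    ],
})

# Constructed re-scan after a partial fix: two findings gone, one left, one new.
AFTER_REPORT = json.dumps({
    "status": "completed",
    "findings": [
        {"id": "debug-mode-enabled", "severity": "medium",
         "category": "configuration", "location": "config/settings.py:12"},
        {"id": "verbose-logging", "severity": "low",
         "category": "configuration", "location": "config/settings.py:20"},
    ],
})

# Constructed report from a scan that aborted; must never be read as "clean".
FAILED_REPORT = json.dumps({"status": "failed", "findings": []})

REQUIRED_KEYS = {"id", "severity", "category", "location"}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def load_report(text):
    """Parse a report and refuse anything that is not a complete, well-formed scan.
    Treating a failed or partial scan as 'no findings' is the classic false negative."""
    report = json.loads(text)
    if report.get("status") != "completed":
        raise ValueError(f"scan did not complete: status={report.get('status')!r}")
    findings = report.get("findings")
    if not isinstance(findings, list):
        raise ValueError("report has no findings list")
    for f in findings:
        missing = REQUIRED_KEYS - set(f)
        if missing:
            raise ValueError(f"finding missing fields: {sorted(missing)}")
        if f["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {f['severity']!r}")
    return findings


def diff_scans(before_text, after_text):
    """Compare two scans keyed by (rule id, location) so a finding counts as fixed
    only when it disappears from the exact place it was reported."""
    before = {(f["id"], f["location"]): f for f in load_report(before_text)}
    after = {(f["id"], f["location"]): f for f in load_report(after_text)}
    return {
        "fixed": sorted(k for k in before if k not in after),
        "new": sorted(k for k in after if k not in before),
        "remaining": sorted(k for k in before if k in after),
        "after": after,
    }


def remediation_ok(diff, threshold="high"):
    """Pass only if nothing at or above the threshold is still open or newly
    introduced; a re-scan that trades one high finding for another is not a fix."""
    floor = SEVERITY_RANK[threshold]
    open_keys = diff["remaining"] + diff["new"]
    return all(SEVERITY_RANK[diff["after"][k]["severity"]] < floor for k in open_keys)


if __name__ == "__main__":
    d = diff_scans(BEFORE_REPORT, AFTER_REPORT)
    print("fixed:", d["fixed"])
    print("new:", d["new"])
    print("remaining:", d["remaining"])
    print("passes at 'high':", remediation_ok(d, "high"))
    print("passes at 'medium':", remediation_ok(d, "medium"))
```

The two design points worth carrying into a real skill file are that a non-completed scan raises rather than reporting zero findings, and that "fixed" is judged per (rule, location) pair with newly introduced findings counted against the pass, so the re-scan step cannot be satisfied by a scan that silently failed or by moving a defect somewhere else.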
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is verbose and explains concepts Claude already knows (what vulnerability scanning is, what SQL injection is, what npm packages are). The 'How It Works' section describes obvious steps ('activate plugin', 'perform analysis', 'generate report'). The 'When to Use' section repeats the description. The 'Integration' section adds no actionable value. Nearly every section could be cut or drastically shortened. | 1 / 3 |
| Actionability | There are no concrete commands, code snippets, API calls, or executable instructions anywhere. The examples describe what the skill 'will do' in abstract terms rather than showing actual plugin invocation syntax, configuration options, or command-line usage. Claude would not know how to actually invoke the vulnerability-scanner plugin from this content. | 1 / 3 |
| Workflow Clarity | The steps listed are abstract descriptions ('Activate the vulnerability-scanner plugin', 'Analyze the codebase') with no concrete commands or validation checkpoints. There is no error handling, no feedback loops, and no verification steps. The 'Validate Fixes' best practice mentions re-scanning but doesn't show how. | 1 / 3 |
| Progressive Disclosure | The content is organized into logical sections with clear headers, which provides some structure. However, there are no references to external files, no bundle files to reference, and the content is somewhat monolithic with sections that could be trimmed rather than split. The organization is reasonable for a standalone file but contains too much filler content. | 2 / 3 |
| Total | | 5 / 12 (Passed) |
Validation: 100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 passed
Validation for skill structure
No warnings or errors.