vulnerability-scanner
Advanced vulnerability analysis principles. OWASP 2025, Supply Chain Security, attack surface mapping, risk prioritization.
53
41%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./.agent/skills/vulnerability-scanner/SKILL.mdQuality
Discovery
32%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description identifies a clear security domain and lists relevant technical topics, but reads more like a keyword list than a functional skill description. It lacks concrete actions Claude would perform and completely omits trigger guidance for when to select this skill. The absence of a 'Use when...' clause significantly limits its utility for skill selection.
Suggestions
Add a 'Use when...' clause with explicit triggers like 'Use when analyzing code for security vulnerabilities, reviewing dependencies for supply chain risks, or when the user mentions OWASP, CVEs, or security audits'
Convert topic labels into concrete actions: instead of 'attack surface mapping', write 'Maps attack surfaces by identifying exposed endpoints and entry points'
Include common user phrases that would trigger this skill: 'security review', 'find vulnerabilities', 'check for security issues', 'dependency audit'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Names the domain (vulnerability analysis) and lists several specific areas (OWASP 2025, Supply Chain Security, attack surface mapping, risk prioritization), but these are topic labels rather than concrete actions Claude would perform. | 2 / 3 |
Completeness | Partially addresses 'what' through topic listing but lacks any explicit 'when' clause or trigger guidance. No 'Use when...' statement is present, and the description doesn't explain what actions Claude should take. | 1 / 3 |
Trigger Term Quality | Includes some relevant technical keywords like 'OWASP', 'Supply Chain Security', 'vulnerability', and 'risk prioritization' that security professionals might use, but missing common variations like 'security audit', 'CVE', 'penetration testing', or 'security scan'. | 2 / 3 |
Distinctiveness Conflict Risk | The security focus with specific frameworks (OWASP 2025) provides some distinction, but 'vulnerability analysis' and 'risk prioritization' are broad enough to potentially overlap with general security or code review skills. | 2 / 3 |
Total | 7 / 12 Passed |
Implementation
50%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a comprehensive overview of vulnerability analysis principles with good structural organization using tables and clear sections. However, it leans heavily toward conceptual guidance rather than actionable, executable instructions. The content would benefit from concrete code examples for pattern detection and clearer workflow validation steps.
Suggestions
Add executable code examples for detecting high-risk patterns (e.g., grep/regex commands, AST analysis snippets) rather than just describing what to look for
Include explicit validation checkpoints in the scanning methodology (e.g., 'Verify finding is reproducible before classifying severity')
Move detailed reference content (OWASP categories, cloud security checks, code patterns) to separate files and keep SKILL.md as a concise overview with navigation
Remove explanations of concepts Claude already knows (Zero Trust definition, shared responsibility basics) to improve token efficiency
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The content is reasonably efficient with good use of tables, but includes some conceptual explanations Claude already knows (e.g., Zero Trust definition, basic threat modeling questions, shared responsibility model). The ASCII diagrams and extensive categorization tables add bulk without proportional value. | 2 / 3 |
Actionability | References a script (`scripts/security_scan.py`) but provides no executable code examples for actual vulnerability detection. The content describes what to look for (patterns, categories) but lacks concrete commands, code snippets, or copy-paste ready scanning procedures. The 'High-Risk Patterns' section shows what to find but not how to find it. | 2 / 3 |
Workflow Clarity | The 'Scanning Methodology' section provides a phase-based approach, but lacks explicit validation checkpoints or feedback loops. The prioritization decision tree is helpful, but there's no clear 'validate findings before reporting' step or error recovery guidance for false positives during the scanning process. | 2 / 3 |
Progressive Disclosure | References a checklist file and a script appropriately, but the main document is quite long (~200 lines of content) with sections that could be split into separate reference files (e.g., OWASP details, cloud security, code patterns). The structure is clear but the content density suggests better splitting would help. | 2 / 3 |
Total | 8 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
Total | 10 / 11 Passed | |
- Repository
- lchenrique/politron-ide
- Commit
7114206
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.