CVE research and security patch workflow for Ark. Provides CVE API integration, mitigation strategies, and security-focused PR templates. Works with research, analysis, and setup skills for comprehensive vulnerability fixing.
Overall score: 65
Does it follow best practices? 52%
Impact: 79% (1.01x average score across 3 eval scenarios)
Advisory: Suggest reviewing before use
Optimize this skill with Tessl: `npx tessl skill review --optimize ./.claude/skills/vulnerability-fixer/SKILL.md`
Quality
Discovery: 50%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description establishes a clear domain (CVE/security patching for Ark) and mentions several capabilities, but lacks an explicit 'Use when...' clause that would help Claude know exactly when to select this skill. The trigger terms are reasonable but could be more comprehensive, and the relationship to companion skills ('research, analysis, and setup skills') introduces ambiguity about this skill's specific boundaries.
Suggestions
Add an explicit 'Use when...' clause with trigger scenarios, e.g., 'Use when the user asks about CVE lookup, security vulnerabilities, patching known exploits, or creating security-focused pull requests for Ark.'
Clarify the boundary between this skill and the mentioned companion skills (research, analysis, setup) so Claude knows which to select in ambiguous cases.
Include more natural trigger term variations such as 'security fix', 'vulnerability remediation', 'NVD', 'CVE-XXXX', or 'security advisory' to improve matching.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (CVE research, security patches) and some actions (API integration, mitigation strategies, PR templates), but the actions are somewhat high-level rather than listing multiple concrete specific operations like 'query CVE databases, generate patch diffs, create security advisories'. | 2 / 3 |
| Completeness | The 'what' is partially covered (CVE API integration, mitigation strategies, PR templates), but there is no explicit 'Use when...' clause or equivalent trigger guidance. The description only implies when it should be used rather than stating it explicitly. | 2 / 3 |
| Trigger Term Quality | Includes relevant terms like 'CVE', 'security patch', 'vulnerability', 'mitigation', and 'PR templates', but misses common user variations like 'security fix', 'CVE-XXXX-XXXXX', 'vulnerability scan', 'NVD', or 'security advisory'. The term 'Ark' is project-specific and helpful for disambiguation but not a natural trigger. | 2 / 3 |
| Distinctiveness / Conflict Risk | The mention of 'Ark' and 'CVE' helps narrow the scope, but the description itself references working with 'research, analysis, and setup skills', which suggests overlap with other skills in the same ecosystem. The boundaries between this skill and those companion skills are not clearly delineated. | 2 / 3 |
| Total | | 8 / 12 Passed |
Implementation: 55%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable, well-sequenced guidance for CVE research and security patching with good validation checkpoints and a critical user-approval gate. However, it is excessively verbose—the inline PR templates, commit templates, and mitigation presentation templates bloat the file significantly and should be extracted into separate bundle files. The skill also repeats its composition/relationship information multiple times and explains basic concepts unnecessarily.
Suggestions
Extract the PR template, commit message template, and mitigation presentation template into separate bundle files (e.g., templates/pr-template.md, templates/commit-template.txt, templates/mitigation-report.md) and reference them from the main skill.
Remove the duplicated 'Skill Composition' section—the workflow is already described at the top and doesn't need to be restated in 'Important Notes'.
Trim explanatory text that Claude already knows, such as what CVSS scores are, what the CIRCL API returns, and basic descriptions of Go/Node/Python dependency management.
Consolidate the 'Common Vulnerability Types' section into a concise reference table rather than repeating check/update/scan patterns with explanations for each ecosystem.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~300+ lines. It includes extensive template boilerplate (PR templates, commit messages, mitigation presentation templates) that could be in separate files. It also explains concepts Claude already knows (what CVSS scores are, what Go dependencies are, how npm works) and repeats the skill composition information multiple times. | 1 / 3 |
| Actionability | The skill provides fully executable, copy-paste ready commands throughout: curl commands for the CVE API, grep/find commands for dependency analysis, git commands for branching, go/npm/pip commands for updates, and gh pr create with full templates. All code blocks are concrete and executable. | 3 / 3 |
| Workflow Clarity | The workflow is clearly sequenced (research → analysis → mitigation planning → user approval gate → clone → implement → verify → PR). It includes explicit validation checkpoints (run tests, build checks, grep for remaining patterns), a mandatory user approval gate before destructive changes, and clear decision points for when to use integration testing vs. skip it. | 3 / 3 |
| Progressive Disclosure | This is a monolithic wall of text with no bundle files to offload content to. The PR templates, commit message templates, and mitigation presentation templates are all inline and could easily be separate referenced files. The skill references other skills (research, analysis, setup) but has no actual bundle files for its own extensive template content. | 1 / 3 |
| Total | | 8 / 12 Passed |
Validation: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.