CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-sbom-for-supply-chain-vulnerabilities

Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify supply chain vulnerabilities by correlating components against the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk scores, identifies transitive vulnerability paths, and generates compliance reports. Activates for requests involving SBOM analysis, software composition analysis, supply chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing, or CVE correlation.

68

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A thorough, actionable skill body with executable code and a clear 7-step workflow, but it is over-long for the context window, duplicates the API reference already in references/, and lacks explicit validation/retry checkpoints for batch NVD operations.

Suggestions

Trim the 'Key Concepts' glossary and explanatory prose (SBOM/CycloneDX/SPDX/NVD definitions, transitive-dependency recaps) that Claude already knows; keep only non-obvious domain terms to improve conciseness.

Add explicit validation checkpoints and error-recovery loops for the batch workflow — e.g., validate SBOM schema before parsing, and retry with backoff on NVD rate-limit (403/429) responses — so workflow clarity is not capped at 2.

Move the inline NVD/CycloneDX/SPDX/syft/grype API detail into references/api-reference.md and replace it in the body with a signaled one-level link (e.g., 'See [api-reference.md](references/api-reference.md)'), avoiding duplication and improving progressive disclosure.

DimensionReasoningScore

Conciseness

Core content is concrete and useful, but it is padded with a 'Key Concepts' glossary defining SBOM/CycloneDX/SPDX/PURL/CPE/NVD and explanatory prose such as 'Transitive dependency analysis identifies components that are not directly included but are pulled in through dependency chains.' Not 3 because of this unnecessary explanation Claude already knows; not 1 because the bulk is actionable rather than vague.

2 / 3

Actionability

Provides fully executable syft/grype commands ('syft alpine:latest -o cyclonedx-json > sbom-cyclonedx.json', 'grype sbom:sbom-cyclonedx.json --only-fixed --fail-on critical') and copy-paste Python for NVD queries and networkx graph building. Not 2 because the code is real and complete rather than pseudocode or abstract direction.

3 / 3

Workflow Clarity

Seven clearly sequenced steps (Generate → Parse → Correlate → Build graph → Score → Cross-validate → Report), but no explicit validation checkpoints or error-recovery loops for batch NVD operations (no rate-limit retry/backoff, no SBOM-schema validation before parsing). Not 3 because missing feedback loops in batch operations cap it; not 1 because the sequence is clear and grype cross-validation provides some verification.

2 / 3

Progressive Disclosure

The body keeps detailed API-reference content inline (NVD API usage, CycloneDX/SPDX JSON structures, syft/grype commands) that duplicates references/api-reference.md, and never signals or links the bundle files (api-reference.md, agent.py). Not 3 because references are not signaled and content is not split out; not 1 because sections are well-organized rather than a monolithic wall or nested references.

2 / 3

Total

9

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong, third-person description that clearly states multiple concrete capabilities and provides an explicit activation clause with natural trigger terms. It is distinctive within the security domain and unlikely to conflict with other skills.

DimensionReasoningScore

Specificity

Lists multiple concrete actions — 'Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats... correlating components against the NVD CVE database', then 'Builds dependency graphs, calculates risk scores, identifies transitive vulnerability paths, and generates compliance reports.' Not 2 because it enumerates many specific actions rather than naming only a domain and a few.

3 / 3

Completeness

Answers both what (parses/correlates/builds/calculates/generates) and when via the explicit trigger clause 'Activates for requests involving...'. Not 2 because the 'when' is explicit rather than only implied, satisfying the 'Use when...' equivalent requirement.

3 / 3

Trigger Term Quality

Natural terms a security user would actually say: 'SBOM analysis, software composition analysis, supply chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing, or CVE correlation.' Not 2 because coverage is broad and matches real-world phrasing rather than single generic keywords.

3 / 3

Distinctiveness Conflict Risk

Narrow supply-chain/SBOM niche with distinct triggers (CycloneDX/SPDX parsing, CVE correlation) unlikely to fire for unrelated skills. Not 2 because the niche is specific and the triggers are distinctive rather than overlapping with general scanning skills.

3 / 3

Total

12

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.