Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify supply chain vulnerabilities by correlating components against the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk scores, identifies transitive vulnerability paths, and generates compliance reports. Activates for requests involving SBOM analysis, software composition analysis, supply chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing, or CVE correlation.
Quality score: 63% (does it follow best practices?)
Impact: not scored (no eval scenarios have been run)
Passed: no known issues
Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/analyzing-sbom-for-supply-chain-vulnerabilities/SKILL.md`

Quality
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly articulates specific capabilities, provides comprehensive trigger terms covering natural user language in the supply chain security domain, and explicitly states both what the skill does and when it should activate. The description is concise yet thorough, uses proper third-person voice, and occupies a highly distinctive niche that minimizes conflict risk with other skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: parses SBOM in CycloneDX/SPDX JSON formats, correlates against NVD CVE database via NVD 2.0 API, builds dependency graphs, calculates risk scores, identifies transitive vulnerability paths, and generates compliance reports. | 3 / 3 |
| Completeness | Clearly answers both 'what' (parses SBOMs, builds dependency graphs, calculates risk scores, generates compliance reports) and 'when' with explicit triggers ('Activates for requests involving SBOM analysis, software composition analysis, supply chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing, or CVE correlation'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'SBOM analysis', 'software composition analysis', 'supply chain security', 'dependency vulnerability scanning', 'CycloneDX', 'SPDX', 'CVE correlation'. These cover the main variations a user in this domain would use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche focusing on SBOM parsing, CycloneDX/SPDX formats, NVD CVE correlation, and supply chain security. Very unlikely to conflict with other skills due to the specialized domain and specific format/API references. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 27%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill covers a complex, multi-step domain (SBOM vulnerability analysis) with reasonable workflow structure and some useful code snippets, but suffers significantly from verbosity and lack of progressive disclosure. It explains many concepts Claude already knows, includes lengthy JSON schema examples inline, and provides a glossary and tools section that add little actionable value. The code provided is partially executable but incomplete for end-to-end use, and the workflow lacks validation checkpoints critical for operations involving external API calls and data correlation.
Suggestions
Remove the Key Concepts glossary table and Tools & Systems section entirely — Claude already knows these terms and tools. This alone would cut ~40 lines.
Extract the CycloneDX/SPDX JSON structure examples and the detailed scenario into separate reference files (e.g., FORMATS.md, SCENARIOS.md) and link to them from the main skill.
Convert the risk score calculation (Step 5) and report generation (Step 7) from text/template format into executable Python code.
Add explicit validation checkpoints: verify SBOM format before parsing, handle NVD API errors with retry logic, validate CPE matches before proceeding to risk scoring, and add a feedback loop for fuzzy CPE matching failures.
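The skill description at the top of the page promises a CycloneDX and SPDX parser, a dependency graph and transitive vulnerability paths, and the suggestions above ask for a unified parser, a format-validation checkpoint and an executable risk score. The following is an added example of those pieces written for this review; it is not the skill's own code. It reads both JSON formats into one component graph, walks from the described root to find the shortest chain to each vulnerable component, and scores it. The two SBOMs and the findings table are constructed (the qs advisory referenced in the comment is the real CVE-2022-24999, standing in for what an NVD lookup would return), and the risk formula is an assumption for illustration.

```python
"""CycloneDX/SPDX JSON -> unified component graph -> transitive vulnerability
paths and an illustrative risk score.  Added example, not the skill's code."""
import json
from collections import deque


def detect_format(doc):
    """Validation checkpoint: refuse anything that is not recognisably CycloneDX or SPDX."""
    if doc.get("bomFormat") == "CycloneDX" and isinstance(doc.get("components"), list):
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-") and isinstance(doc.get("packages"), list):
        return "spdx"
    raise ValueError("not a CycloneDX or SPDX JSON document")


def parse_sbom(text):
    """Return (fmt, components, edges, roots): components maps ref -> {name, version, purl},
    edges maps ref -> set of refs it depends on, roots are the described top-level refs."""
    doc = json.loads(text)
    fmt, comps, edges, roots = detect_format(doc), {}, {}, []
    if fmt == "cyclonedx":
        root = (doc.get("metadata") or {}).get("component") or {}
        for c in doc["components"] + ([root] if root else []):
            ref = c.get("bom-ref") or c.get("purl") or f"{c['name']}@{c.get('version', '')}"
            comps[ref] = {"name": c["name"], "version": c.get("version", ""), "purl": c.get("purl")}
        for d in doc.get("dependencies", []):
            edges.setdefault(d["ref"], set()).update(d.get("dependsOn", []))
        if root.get("bom-ref"):
            roots.append(root["bom-ref"])
    else:
        for p in doc["packages"]:
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            comps[p["SPDXID"]] = {"name": p["name"], "version": p.get("versionInfo", ""), "purl": purl}
        for r in doc.get("relationships", []):
            if r.get("relationshipType") == "DEPENDS_ON":
                edges.setdefault(r["spdxElementId"], set()).add(r["relatedSpdxElement"])
            elif r.get("relationshipType") == "DESCRIBES" and r.get("spdxElementId") == "SPDXRef-DOCUMENT":
                roots.append(r["relatedSpdxElement"])
    return fmt, comps, edges, roots


def vulnerable_paths(comps, edges, roots, findings):
    """Breadth-first walk from each root: the first path reaching a vulnerable purl is the
    shortest chain, so a transitive hit is reported with the direct dependency pulling it in."""
    paths = {}
    for root in roots:
        queue, seen = deque([[root]]), {root}
        while queue:
            path = queue.popleft()
            purl = comps.get(path[-1], {}).get("purl")
            if purl in findings and purl not in paths:
                paths[purl] = path
            for child in sorted(edges.get(path[-1], ())):
                if child not in seen:
                    seen.add(child)
                    queue.append(path + [child])
    return paths


def risk_score(cvss, hops):
    """Assumed illustrative formula: CVSS base score attenuated 10% per hop beyond a direct dependency."""
    return cvss * 0.9 ** max(hops - 1, 0)


def assess(text, findings):
    """findings: {purl: cvss base score}, the shape an NVD correlation step would hand over."""
    fmt, comps, edges, roots = parse_sbom(text)
    return {purl: {"format": fmt, "hops": len(path) - 1,
                   "path": [comps[r]["name"] for r in path],
                   "risk": risk_score(findings[purl], len(path) - 1)}
            for purl, path in vulnerable_paths(comps, edges, roots, findings).items()}


# Constructed sample SBOMs: webapp -> express 4.17.1 -> qs 6.7.0, in both formats.
EXPRESS, QS = "pkg:npm/express@4.17.1", "pkg:npm/qs@6.7.0"
CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "webapp", "version": "1.0.0"}},
    "components": [{"bom-ref": EXPRESS, "name": "express", "version": "4.17.1", "purl": EXPRESS},
                   {"bom-ref": QS, "name": "qs", "version": "6.7.0", "purl": QS}],
    "dependencies": [{"ref": "app", "dependsOn": [EXPRESS]}, {"ref": EXPRESS, "dependsOn": [QS]}]})
SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "webapp",
    "packages": [{"SPDXID": "SPDXRef-app", "name": "webapp", "versionInfo": "1.0.0"},
                 {"SPDXID": "SPDXRef-express", "name": "express", "versionInfo": "4.17.1",
                  "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": EXPRESS}]},
                 {"SPDXID": "SPDXRef-qs", "name": "qs", "versionInfo": "6.7.0",
                  "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": QS}]}],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-app"},
                      {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-express"},
                      {"spdxElementId": "SPDXRef-express", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-qs"}]})
# Constructed stand-in for NVD results: qs < 6.10.3 is CVE-2022-24999, CVSS 3.1 base score 7.5.
FINDINGS = {QS: 7.5}

if __name__ == "__main__":
    for sbom in (CYCLONEDX, SPDX):
        print(assess(sbom, FINDINGS))
```

Both documents yield the same finding: qs is reached in two hops via express, so the report names the direct dependency a maintainer can actually bump, and a document that is neither format is rejected before any parsing or API calls happen. A real `findings` table comes from the NVD correlation step; only the scoring and path logic are shown here.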
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~200+ lines. It includes a glossary table defining terms Claude already knows (SBOM, CPE, NVD, PURL, transitive dependency), a tools & systems section that reads like marketing copy, extensive JSON structure examples for both CycloneDX and SPDX that could be condensed, and explanatory prose throughout (e.g., 'Transitive dependency analysis identifies components that are not directly included but are pulled in through dependency chains'). Much of this is knowledge Claude already possesses. | 1 / 3 |
| Actionability | The skill provides some executable code (NVD API queries, networkx graph building, bash commands for syft/grype) but key pieces are incomplete: the SBOM parsing code only shows CycloneDX handling without a unified parser, the risk score calculation is pseudocode/text rather than executable code, and there is no complete end-to-end script. The report generation step is just an example output template with no code to produce it. | 2 / 3 |
| Workflow Clarity | The 7-step workflow is clearly sequenced and logically ordered, but it lacks explicit validation checkpoints. There is no error handling for NVD API failures, no validation of SBOM format before parsing, no feedback loop for when CPE matching fails, and no checkpoint between steps to verify intermediate results. For an operation involving external API calls and complex data correlation, these gaps are significant. | 2 / 3 |
| Progressive Disclosure | The entire skill is a monolithic wall of text with no references to external files despite being well over 200 lines. The JSON structure examples, glossary table, tools list, and detailed scenario could all be split into separate reference files. There are no bundle files to support progressive disclosure, and the content does not reference any external documents for deeper dives. | 1 / 3 |
| Total | | 6 / 12 Passed |
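The "handle NVD API errors with retry logic" suggestion and the "no error handling for NVD API failures" finding in the table above are easiest to judge against working code. The following is an added example written for this review, not the skill's own: a minimal NVD 2.0 `cpeName` lookup whose transport is injected, so the retry and give-up paths run offline. The endpoint, the `apiKey` header and the `cpeName` parameter are the documented NVD 2.0 interface; the set of statuses treated as retryable, the CPE name used for qs, and the 6-second base delay (chosen to fit the unauthenticated budget of 5 requests per 30 seconds) are assumptions, and the flaky fake server and its response body are constructed.

```python
"""NVD 2.0 CVE lookup with exponential-backoff retry.  Added example, not the
skill's code; the transport is injectable so the logic is testable offline."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

NVD_CVES = "https://services.nvd.nist.gov/rest/json/cves/2.0"
# Assumed retryable statuses: NVD answers rate-limited clients with 403/429 and
# returns 503 during maintenance.  Anything else (400 bad CPE, 404) is final.
RETRY_STATUSES = {403, 429, 503}


def urllib_fetch(url, headers):
    """Real transport: (status, body).  Never exercised by the offline demo below."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def nvd_lookup(cpe_name, fetch=urllib_fetch, api_key=None, retries=4,
               base_delay=6.0, sleep=time.sleep):
    """Query CVEs for an exact CPE 2.3 name.  Retries transient failures with
    exponential backoff and returns (parsed response, attempts used)."""
    url = NVD_CVES + "?" + urllib.parse.urlencode({"cpeName": cpe_name})
    headers = {"apiKey": api_key} if api_key else {}
    attempts = 0
    while True:
        attempts += 1
        status, body = fetch(url, headers)
        if status == 200:
            return json.loads(body), attempts
        if status not in RETRY_STATUSES or attempts > retries:
            raise RuntimeError(f"NVD returned HTTP {status} after {attempts} attempt(s) for {cpe_name}")
        sleep(base_delay * 2 ** (attempts - 1))


def extract_findings(response):
    """Flatten an NVD 2.0 response to [(cve_id, base_score)], preferring CVSS v3.1."""
    findings = []
    for item in response.get("vulnerabilities", []):
        cve = item["cve"]
        score = None
        for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
            entries = cve.get("metrics", {}).get(key)
            if entries:
                score = entries[0]["cvssData"]["baseScore"]
                break
        findings.append((cve["id"], score))
    return findings


class FlakyNvd:
    """Constructed stand-in for the API: two 403s, then a minimal NVD-shaped 200."""
    def __init__(self, body):
        self.calls, self.body = 0, body

    def __call__(self, url, headers):
        self.calls += 1
        return (403, b"") if self.calls <= 2 else (200, self.body)


# Constructed body in NVD 2.0 shape; the CVE and score are the real qs advisory.
SAMPLE_RESPONSE = json.dumps({"vulnerabilities": [{"cve": {
    "id": "CVE-2022-24999",
    "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5}}]}}}]}).encode()
QS_CPE = "cpe:2.3:a:qs_project:qs:6.7.0:*:*:*:*:node.js:*:*"  # assumed CPE name


def demo():
    """Run the lookup against the flaky fake, recording the delays that would have been slept."""
    delays = []
    response, attempts = nvd_lookup(QS_CPE, fetch=FlakyNvd(SAMPLE_RESPONSE), sleep=delays.append)
    return extract_findings(response), attempts, delays


if __name__ == "__main__":
    print(demo())
```

With the fake, the lookup succeeds on the third attempt after backing off 6 s and then 12 s; a server that keeps returning 503 exhausts `retries` and raises, so the caller can mark that component "unresolved" rather than silently treating it as clean.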
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |