Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify supply chain vulnerabilities by correlating components against the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk scores, identifies transitive vulnerability paths, and generates compliance reports. Activates for requests involving SBOM analysis, software composition analysis, supply chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing, or CVE correlation.
- 70
- 63%: Does it follow best practices?
- Impact: Pending. No eval scenarios have been run.
- Passed: No known issues.
Optimize this skill with Tessl:

```
npx tessl skill review --optimize ./skills/analyzing-sbom-for-supply-chain-vulnerabilities/SKILL.md
```

Quality

Discovery: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly articulates specific capabilities, provides comprehensive trigger terms covering the supply chain security domain, and explicitly states when it should activate. The description is well-structured with a clear separation between what it does and when it should be used, and its highly specialized domain makes it very distinctive.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: parses SBOM in CycloneDX/SPDX JSON formats, correlates against NVD CVE database via NVD 2.0 API, builds dependency graphs, calculates risk scores, identifies transitive vulnerability paths, and generates compliance reports. | 3 / 3 |
| Completeness | Clearly answers both 'what' (parses SBOMs, builds dependency graphs, calculates risk scores, generates compliance reports) and 'when' with an explicit 'Activates for requests involving...' clause listing specific trigger scenarios. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms a user would use: 'SBOM analysis', 'software composition analysis', 'supply chain security', 'dependency vulnerability scanning', 'CycloneDX', 'SPDX', 'CVE correlation'. These are the terms practitioners in this domain would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche focusing on SBOM parsing, CycloneDX/SPDX formats, NVD CVE database correlation, and supply chain security. Very unlikely to conflict with other skills due to the specialized domain and specific format/API references. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 27%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill covers a complex domain comprehensively but suffers from significant verbosity — it explains many concepts Claude already knows (SBOM definitions, what NVD is, what transitive dependencies are) and includes lengthy JSON structure examples inline. The workflow is logically sequenced but lacks validation checkpoints and error handling, and the code examples are incomplete (mixing executable snippets with pseudocode and example output). The entire content should be restructured with progressive disclosure, moving reference material to separate files.
Suggestions:

- Remove the 'Key Concepts' glossary table and 'Tools & Systems' descriptions entirely — Claude already knows these concepts and can look them up if needed.
- Move the CycloneDX/SPDX JSON structure examples and the detailed scenario into separate reference files (e.g., FORMATS.md, SCENARIOS.md) and link to them from the main skill.
- Replace the text-based risk score calculation with executable Python code, and provide a complete end-to-end script that ties parsing, API querying, graph building, and report generation together.
- Add explicit validation checkpoints: verify the SBOM parses successfully before proceeding, handle NVD API errors and rate limits with retry logic, and validate that the dependency graph is connected before calculating risk scores.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~250+ lines. It explains concepts Claude already knows (what SBOM, PURL, CPE, NVD, transitive dependencies are), includes a full glossary table, lengthy JSON structure examples for both formats, and describes tool capabilities that Claude would already understand. The 'Key Concepts' table and 'Tools & Systems' section are largely unnecessary padding. | 1 / 3 |
| Actionability | The skill provides some executable code (NVD API queries, networkx graph building, bash commands for syft/grype) but the code is incomplete: there is no unified script tying the workflow together, the risk score calculation is pseudocode/text rather than executable code, and the SBOM parsing in Step 2 shows only JSON structures without actual parsing code. The report generation step shows only example output, not code to produce it. | 2 / 3 |
| Workflow Clarity | The 7-step workflow is clearly sequenced and logically ordered, but lacks explicit validation checkpoints. There is no error handling guidance (what if the NVD API returns errors? what if SBOM parsing fails?), no feedback loops for retrying failed API calls, and no verification step to confirm the final report's accuracy. For a multi-step process involving external API calls and complex data correlation, this is a significant gap. | 2 / 3 |
| Progressive Disclosure | The entire skill is a monolithic wall of text with no references to external files. The JSON structure examples, glossary, tools list, and detailed scenario could all be split into separate reference files. Everything is inline, making the skill very long and difficult to navigate quickly. | 1 / 3 |
| Total | | 6 / 12 Passed |
Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
888bbe4