analyzing-sbom-for-supply-chain-vulnerabilities

Parses Software Bill of Materials (SBOM) in CycloneDX and SPDX JSON formats to identify supply chain vulnerabilities by correlating components against the NVD CVE database via the NVD 2.0 API. Builds dependency graphs, calculates risk scores, identifies transitive vulnerability paths, and generates compliance reports. Activates for requests involving SBOM analysis, software composition analysis, supply chain security assessment, dependency vulnerability scanning, CycloneDX/SPDX parsing, or CVE correlation.

Score: 70

Quality: 63% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Passed (No known issues)

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/analyzing-sbom-for-supply-chain-vulnerabilities/SKILL.md

Quality

Discovery

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly articulates specific capabilities (SBOM parsing, dependency graph building, risk scoring, compliance reporting), uses domain-appropriate trigger terms that users would naturally employ, and includes an explicit activation clause. The description is well-structured, uses third person voice throughout, and occupies a highly distinctive niche that minimizes conflict risk with other skills.

Dimension / Reasoning / Score

Specificity: 3 / 3
Lists multiple specific concrete actions: parses SBOM in CycloneDX/SPDX JSON formats, correlates against NVD CVE database via NVD 2.0 API, builds dependency graphs, calculates risk scores, identifies transitive vulnerability paths, and generates compliance reports.

Completeness: 3 / 3
Clearly answers both 'what' (parses SBOMs, builds dependency graphs, calculates risk scores, generates compliance reports) and 'when' with an explicit 'Activates for requests involving...' clause listing specific trigger scenarios.

Trigger Term Quality: 3 / 3
Includes strong natural keywords users would say: 'SBOM analysis', 'software composition analysis', 'supply chain security', 'dependency vulnerability scanning', 'CycloneDX', 'SPDX', 'CVE correlation'. These cover the main terms a user in this domain would naturally use.

Distinctiveness / Conflict Risk: 3 / 3
Highly distinctive with a very specific niche: SBOM parsing in CycloneDX/SPDX formats, NVD CVE correlation, supply chain vulnerability analysis. This is unlikely to conflict with other skills due to its specialized domain and precise terminology.

Total: 12 / 12 (Passed)

Implementation

27%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill covers a comprehensive workflow for SBOM vulnerability analysis but suffers significantly from verbosity: it explains many concepts Claude already knows (SBOM definitions, what NVD is, what transitive dependencies are) and includes a full glossary table. The actionability is moderate with some executable code, but key steps like SBOM parsing and risk calculation lack complete implementations. The monolithic structure with no external file references makes it poorly suited for the SKILL.md format.

Suggestions

Remove the Key Concepts glossary table and Tools & Systems section entirely - Claude knows these concepts and can look them up. This alone would save ~40 lines.

Move the JSON structure examples for CycloneDX and SPDX formats into a separate SBOM_FORMATS.md reference file, keeping only a brief note about supported formats in the main skill.

Add explicit validation checkpoints: verify SBOM parse succeeded (component count > 0), handle NVD API rate limit errors with retry logic, and define what to do when grype results differ from NVD-only results.

Provide a complete, executable Python script that ties together parsing, NVD querying, graph building, and report generation rather than disconnected code fragments and pseudocode.
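The following script is an added example, not the skill's own code (the page does not reproduce the SKILL.md), showing what the three suggestions above ask for in one runnable piece: a parser for both CycloneDX and SPDX JSON with a component-count checkpoint, a dependency graph with root-to-component paths (and a checkpoint for components no root reaches), purl-keyed CVE correlation wrapped in exponential-backoff retry on HTTP 429, and a report of transitive vulnerability paths with a score. Everything that would touch the network is replaced by a constructed FakeCveClient; the SBOMs, the lib-a/lib-b packages, the placeholder identifier CVE-EXAMPLE-0001 and the x0.8 weighting for transitive findings are all assumptions made for illustration, not data from NVD or a scoring rule the skill defines.

```python
import json
import time
from collections import deque

class RateLimited(Exception):
    """Raised by the CVE client when the API answers HTTP 429."""

def parse_sbom(text):
    """Return (components keyed by ref, edges ref -> set of refs) for CycloneDX or SPDX JSON."""
    doc = json.loads(text)
    comps, edges = {}, {}
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            comps[c["bom-ref"]] = {"name": c["name"], "version": c.get("version", ""), "purl": c.get("purl")}
        for d in doc.get("dependencies", []):
            edges[d["ref"]] = set(d.get("dependsOn", []))
    elif "spdxVersion" in doc:
        for p in doc.get("packages", []):
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", []) if r.get("referenceType") == "purl"), None)
            comps[p["SPDXID"]] = {"name": p["name"], "version": p.get("versionInfo", ""), "purl": purl}
        for r in doc.get("relationships", []):  # only DEPENDS_ON relationships form graph edges
            if r.get("relationshipType") == "DEPENDS_ON":
                edges.setdefault(r["spdxElementId"], set()).add(r["relatedSpdxElement"])
    else:
        raise ValueError("unrecognised SBOM: expected CycloneDX 'bomFormat' or SPDX 'spdxVersion'")
    if not comps:  # validation checkpoint: an empty parse is a failure, not a clean result
        raise ValueError("SBOM parsed but contains zero components")
    return comps, edges

def with_retry(call, attempts=4, sleep=time.sleep):
    """Retry `call` on RateLimited with exponential backoff (1s, 2s, 4s); re-raise when exhausted."""
    for i in range(attempts):
        try:
            return call()
        except RateLimited:
            if i == attempts - 1:
                raise
            sleep(2 ** i)

def paths_from_roots(comps, edges):
    """BFS from every root (a ref nothing depends on); returns ref -> shortest path of refs."""
    targets = {t for deps in edges.values() for t in deps}
    roots = (set(comps) | set(edges)) - targets
    paths, queue = {}, deque((r, [r]) for r in sorted(roots))
    while queue:
        ref, path = queue.popleft()
        if ref not in paths:
            paths[ref] = path
            queue.extend((d, path + [d]) for d in sorted(edges.get(ref, ())))
    return paths

def analyze(sbom_text, cve_client, sleep=time.sleep):
    """Parse, validate, correlate and report. The x0.8 transitive weighting is an assumed scoring rule."""
    comps, edges = parse_sbom(sbom_text)
    paths = paths_from_roots(comps, edges)
    unreachable = sorted(set(comps) - set(paths))  # checkpoint: components no root reaches (e.g. cycles)
    findings = []
    for ref, c in comps.items():
        if not c["purl"]:  # no purl means no reliable correlation key; do not guess a CPE
            continue
        cves = with_retry(lambda: cve_client.cves_for(c["purl"]), sleep=sleep)
        if not cves:
            continue
        path = paths.get(ref, [ref])
        depth = len(path) - 1  # 1 = direct dependency, >1 = transitive
        top = max(v["cvss"] for v in cves)
        findings.append({"name": c["name"], "version": c["version"], "cves": sorted(v["id"] for v in cves),
                         "depth": depth, "path": " -> ".join(path), "risk": round(top * (1.0 if depth <= 1 else 0.8), 2)})
    findings.sort(key=lambda f: -f["risk"])
    return {"components": len(comps), "unreachable": unreachable, "findings": findings}

class FakeCveClient:
    """Constructed stand-in for an NVD 2.0 client: table lookup by purl, HTTP 429 for the first `throttle` calls."""
    def __init__(self, table, throttle=1):
        self.table, self.throttle, self.calls = table, throttle, 0
    def cves_for(self, purl):
        self.calls += 1
        if self.calls <= self.throttle:
            raise RateLimited("HTTP 429 from NVD")
        return self.table.get(purl, [])
# Constructed inputs (no real project): app depends on lib-a, which depends on lib-b; lib-b has a made-up CVE.
PURL_A, PURL_B = "pkg:pypi/lib-a@2.1.0", "pkg:pypi/lib-b@0.9.0"
SAMPLE_CYCLONEDX = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "app"}},
    "components": [{"bom-ref": "lib-a", "name": "lib-a", "version": "2.1.0", "purl": PURL_A},
                   {"bom-ref": "lib-b", "name": "lib-b", "version": "0.9.0", "purl": PURL_B}],
    "dependencies": [{"ref": "app", "dependsOn": ["lib-a"]}, {"ref": "lib-a", "dependsOn": ["lib-b"]}]})
def _spdx_pkg(sid, name, ver, purl=None):
    refs = [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": purl}] if purl else []
    return {"SPDXID": sid, "name": name, "versionInfo": ver, "externalRefs": refs}
SAMPLE_SPDX = json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "app",
    "packages": [_spdx_pkg("SPDXRef-app", "app", "1.0"), _spdx_pkg("SPDXRef-lib-a", "lib-a", "2.1.0", PURL_A),
                 _spdx_pkg("SPDXRef-lib-b", "lib-b", "0.9.0", PURL_B)],
    "relationships": [{"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-lib-a"},
                      {"spdxElementId": "SPDXRef-lib-a", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-lib-b"}]})
FAKE_CVES = {PURL_B: [{"id": "CVE-EXAMPLE-0001", "cvss": 9.8}]}  # placeholder identifier, not a real CVE

if __name__ == "__main__":  # stand-alone run: print both reports offline, without real sleeping
    print(json.dumps([analyze(t, FakeCveClient(FAKE_CVES), sleep=lambda s: None) for t in (SAMPLE_CYCLONEDX, SAMPLE_SPDX)], indent=2))
```

Run as-is and both reports list lib-b once, reached through app -> lib-a -> lib-b at depth 2, with the first lookup retried after the fake 429. Swapping FakeCveClient for a real NVD 2.0 client keeps the rest intact, provided the client raises RateLimited on a 429; the unreachable list is the place to flag a dependency graph that the SBOM producer left disconnected.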

Dimension / Reasoning / Score

Conciseness: 1 / 3
The skill is extremely verbose at ~200+ lines. It explains concepts Claude already knows (what SBOM, PURL, CPE, NVD, transitive dependencies are), includes a full glossary table, lengthy JSON structure examples for both formats, and describes what syft supports. The Tools & Systems section is largely unnecessary filler. Much of this could be cut by 60%+ without losing actionable value.

Actionability: 2 / 3
Provides some concrete code (NVD API queries, networkx graph building, bash commands for syft/grype) but the code is incomplete: there is no unified script that ties parsing, querying, graph building, and reporting together. The risk score calculation is pseudocode/text rather than executable code. The SBOM parsing step shows JSON structures but no actual parsing code.

Workflow Clarity: 2 / 3
The 7-step workflow is clearly sequenced and logically ordered. However, it lacks explicit validation checkpoints: there is no verification that the SBOM parsed correctly, no error handling for NVD API failures or rate limiting, no validation of the dependency graph construction, and no feedback loops for when cross-validation with grype reveals discrepancies.

Progressive Disclosure: 1 / 3
This is a monolithic wall of text with no references to external files. The JSON structure examples, glossary table, tools list, and detailed scenario could all be split into separate reference files. Everything is inline in one massive document with no navigation aids or cross-references.

Total: 6 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys: Warning
Unknown frontmatter key(s) found; consider removing or moving to metadata.

Total: 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
