
dependency-management

Manage third-party libraries, runtimes, and SaaS dependencies. Use this skill when setting an update cadence, responding to security advisories, dealing with deprecated dependencies, evaluating new dependencies, auditing what's installed, or unblocking a dependency upgrade. Triggers on dependency, package update, security patch, lockfile, deprecated, breaking change, supply chain, dependency audit, npm audit, dependabot, renovate. Also triggers when a build breaks after an update or when an advisory is published for a used package.

72

Quality

88%

Does it follow best practices?

Impact

No eval scenarios have been run

Security by Snyk

Advisory

Suggest reviewing before use


Quality

Content

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a solid, comprehensive dependency management skill with strong actionability and workflow clarity. Its main weakness is length — at ~300 lines it pushes the boundary of what should be in a single SKILL.md, with some sections (failure patterns, risk dimensions) that could be extracted to reference files. The editorial asides and some redundancy between sections reduce token efficiency without adding proportional value.

Suggestions

Extract the '5 risk dimensions' framework and 'Failure patterns' sections into separate reference files to reduce the main SKILL.md length and improve progressive disclosure.

Trim editorial commentary like 'Free packages aren't free' and 'A dependency abandoned a year ago is a liability waiting to surface' — these are stylistic rather than actionable.

Ensure the referenced file `references/upgrade-checklist.md` actually exists in the bundle, or remove the reference if it doesn't.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The skill is reasonably well-organized but verbose in places. The '5 risk dimensions' section includes editorial commentary ('A dependency you can't replace is leverage you've granted to its maintainer', 'Free packages aren't free') that doesn't add actionable value. The failure patterns section is extensive and could be tightened. However, most content is genuinely useful and not explaining things Claude already knows. | 2 / 3 |
| Actionability | The skill provides concrete, executable commands for auditing (npm audit, pip-audit, bundle audit, npm ls), specific checklists for evaluation and removal, a clear prioritization matrix, and actionable policy templates. The guidance is specific enough to act on immediately across multiple package managers. | 3 / 3 |
| Workflow Clarity | The 8-step workflow is clearly sequenced from inventory through automation and periodic audit. Step 4 explicitly includes validation checkpoints (run test suite, smoke-test in staging, watch monitoring). The prioritization matrix in Step 3 provides clear decision criteria. Security response SLAs provide explicit time-bound guidance. The dependency removal checklist includes verification steps. | 3 / 3 |
| Progressive Disclosure | The skill references one external file (references/upgrade-checklist.md) which is appropriate, but the bundle shows no files were actually provided, meaning the reference is unverifiable. The main file itself is quite long (~300 lines) and some sections like the detailed failure patterns or the 5 risk dimensions framework could be split into reference files. The 'When NOT to use' cross-references to other skills are helpful for navigation. | 2 / 3 |

Total: 10 / 12 (Passed)

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that covers all dimensions well. It provides specific concrete actions, comprehensive trigger terms including tool names and situational triggers, explicit 'Use this skill when...' guidance, and a clearly distinct domain. The description is thorough without being padded, and uses proper third-person voice throughout.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Lists multiple specific concrete actions: setting update cadence, responding to security advisories, dealing with deprecated dependencies, evaluating new dependencies, auditing installations, and unblocking dependency upgrades. | 3 / 3 |
| Completeness | Clearly answers both 'what' (manage third-party libraries, runtimes, and SaaS dependencies with specific actions listed) and 'when' (explicit 'Use this skill when...' clause plus detailed trigger terms and situational triggers). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'dependency', 'package update', 'security patch', 'lockfile', 'deprecated', 'breaking change', 'npm audit', 'dependabot', 'renovate', plus situational triggers like 'build breaks after an update' and 'advisory is published'. | 3 / 3 |
| Distinctiveness / Conflict Risk | Clearly carved out niche around dependency management with highly specific triggers like 'lockfile', 'dependabot', 'renovate', 'npm audit', and 'supply chain' that are unlikely to conflict with other skills. | 3 / 3 |

Total: 12 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |

Total: 10 / 11 (Passed)

Repository: rampstackco/claude-skills (Reviewed)
