Resolve npm dependency vulnerabilities detected by security scans.
74
61%
Does it follow best practices?
Impact: 97% (1.25x average score across 3 eval scenarios)
Advisory: Suggest reviewing before use
Quality
Discovery
57%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description identifies a clear and specific domain (npm dependency vulnerability resolution) which gives it good distinctiveness, but it lacks the depth needed for optimal skill selection. It would benefit from listing concrete actions and adding an explicit 'Use when...' clause with natural trigger terms users would employ.
Suggestions
Add a 'Use when...' clause with explicit triggers, e.g., 'Use when the user mentions npm audit, security vulnerabilities, CVEs, dependabot alerts, or outdated dependencies.'
List specific concrete actions such as 'run npm audit fix, update vulnerable packages, resolve version conflicts, modify package.json and lock files.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (npm dependency vulnerabilities) and a general action (resolve), but doesn't list specific concrete actions like 'update packages, apply patches, audit fix, modify package.json'. | 2 / 3 |
| Completeness | Answers 'what' (resolve npm dependency vulnerabilities) but lacks an explicit 'Use when...' clause specifying when Claude should select this skill. The trigger context is only implied. | 2 / 3 |
| Trigger Term Quality | Includes relevant keywords like 'npm', 'dependency', 'vulnerabilities', and 'security scans', but misses common variations users might say such as 'npm audit', 'CVE', 'package vulnerability', 'outdated packages', 'security advisory', or 'dependabot'. | 2 / 3 |
| Distinctiveness / Conflict Risk | The combination of 'npm', 'dependency vulnerabilities', and 'security scans' creates a clear niche that is unlikely to conflict with other skills. It's specific enough to distinguish from general code fixing or other package manager skills. | 3 / 3 |
| Total | | 9 / 12 Passed |
Implementation
64%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured, concise skill that establishes a clear workflow for resolving npm vulnerabilities. Its main weakness is that the core 'Fix' step is entirely delegated to external files without any inline examples or concrete fix patterns, making the skill feel incomplete on its own. Adding a brief inline example of a common fix pattern and a feedback loop for failed verification would significantly improve it.
Suggestions
Add at least one concrete inline example of a fix pattern (e.g., adding an npm override or bumping a direct dependency version) so the skill is actionable without needing to read external files.
Add a feedback loop after the Verify step: what to do if type:check, lint, build, or test fails (e.g., check for breaking API changes in the upgraded version, review changelogs).
Clarify what's in the `rules/` directory — list the available rule files so Claude knows what guidance is available beyond the two files in the quick reference table.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is lean and efficient. No unnecessary explanations of what npm, CVEs, or security scans are. Every section serves a purpose and the table format for quick reference is token-efficient. | 3 / 3 |
| Actionability | The verification step has concrete executable commands, and the assessment/explore steps provide specific actions. However, the fix step delegates entirely to external rules files with no inline examples of actual fix patterns (e.g., how to add an override, how to bump a version). The 'Tips' section gives useful but somewhat generic guidance without concrete code examples. | 2 / 3 |
| Workflow Clarity | The four-step workflow (Assess → Explore → Fix → Verify) is clearly sequenced with a verification checkpoint at the end. However, the Fix step is essentially empty ('See rules for specific fix patterns'), and there's no feedback loop for what to do if verification fails — just 'All must pass' without guidance on recovery. | 2 / 3 |
| Progressive Disclosure | References to `vuln-direct-deps.md`, `vuln-transitive-deps.md`, and the `rules/` directory are present and clearly signaled. However, no bundle files were provided, so we cannot verify these references exist. The quick reference table is well-structured, but the 'See rules for specific fix patterns' in step 3 is vague about what's actually in the rules directory. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
02210fa