
dependabot-tooling-downgrade

Use a validated tooling downgrade when Dependabot flags an unpatchable transitive vulnerability in build-only dependencies.

78

Quality: 73% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Passed (No known issues)

Optimize this skill with Tessl

npx tessl skill review --optimize ./.squad/skills/dependabot-tooling-downgrade/SKILL.md

Quality

Discovery

89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a well-scoped description that clearly defines a narrow use case with explicit trigger conditions. Its main weakness is that it describes only one action ('tooling downgrade') without elaborating on the concrete steps involved, which limits specificity. However, its strong trigger terms and clear when-clause make it highly effective for skill selection in a large skill library.

Suggestions

Add more specific concrete actions, e.g., 'Pins transitive dependency versions, updates lockfiles, and validates build integrity when Dependabot flags an unpatchable transitive vulnerability in build-only dependencies.'

Dimension / Reasoning / Score

Specificity (2 / 3): It names a specific domain (Dependabot, transitive vulnerabilities, build-only dependencies) and one action ('tooling downgrade'), but doesn't list multiple concrete actions or steps involved in the process.

Completeness (3 / 3): The description answers both 'what' (use a validated tooling downgrade) and 'when' (when Dependabot flags an unpatchable transitive vulnerability in build-only dependencies), with the 'when' clause serving as an explicit trigger condition.

Trigger Term Quality (3 / 3): Includes strong natural trigger terms users would actually use: 'Dependabot', 'transitive vulnerability', 'build-only dependencies', 'unpatchable', 'tooling downgrade'. These are terms a developer would naturally mention when facing this specific scenario.

Distinctiveness Conflict Risk (3 / 3): This is a very narrow, well-defined niche — specifically Dependabot + unpatchable transitive vulnerabilities + build-only dependencies. It is highly unlikely to conflict with other skills due to its precise scoping.

Total: 11 / 12

Passed

Implementation

57%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill covers a specific, useful scenario with reasonable structure and real-world examples. Its main weaknesses are the lack of executable commands in the workflow (no actual CLI snippets for verifying the dependency chain or performing the downgrade) and the near-duplicate examples that could be consolidated. The anti-patterns section adds good guardrails.

Suggestions

Add a concrete step-by-step workflow with actual CLI commands (e.g., `npm ls <vulnerable-package>`, `npm install <tool>@<version>`, `npm audit`, `npm run package`) rather than describing the process abstractly.

Consolidate the two examples into one, using the revalidation detail as a note or caveat rather than a separate example, to reduce redundancy.

Add an explicit validation checkpoint pattern: 'Only commit the change after both `npm audit` returns 0 vulnerabilities AND the real build/package command succeeds.'
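The workflow these suggestions describe, written out as a shell script with explicit "validate then proceed" gates. This is an added example, not code from the reviewed skill, from the sbroenne/mcp-server-excel repository, or from Tessl. The package names `example-bundler` and `example-transitive` and the version `1.2.3` are hypothetical placeholders; `npm run package` is assumed to be the project's real packaging command, as the review suggests; each step is held in a variable so the same gate logic works with yarn or pnpm equivalents and can be exercised without a network.

```shell
#!/bin/sh
# Added example, not the reviewed skill's own code: a "validate then proceed"
# gate for a build-tool downgrade, following the order the review suggests
# (inspect the chain, downgrade, audit, build, then commit).
# Assumptions, all hypothetical placeholders (override via environment):
#   TOOL          the build-only devDependency that pulls in the bad transitive
#   TOOL_VERSION  the last release of TOOL that does not pull it in
#   VULN_PKG      the transitive package Dependabot flagged
TOOL="${TOOL:-example-bundler}"
TOOL_VERSION="${TOOL_VERSION:-1.2.3}"
VULN_PKG="${VULN_PKG:-example-transitive}"

# Each step is a command string so the gate can be exercised without npm
# (swap in yarn/pnpm equivalents, or `true`/`false` when testing the logic).
SHOW_CHAIN="${SHOW_CHAIN:-npm ls --all $VULN_PKG}"
INSTALL="${INSTALL:-npm install --save-dev --save-exact $TOOL@$TOOL_VERSION}"
# Plain `npm audit` exits non-zero on any finding, which matches the review's
# "0 vulnerabilities" criterion; `--audit-level=high` would relax that gate.
AUDIT="${AUDIT:-npm audit}"
BUILD="${BUILD:-npm run package}"

# Step 1: show which top-level dependency drags in VULN_PKG. If TOOL is not
# the only path to it, a tooling downgrade alone will not clear the alert.
show_chain() {
    sh -c "$SHOW_CHAIN"
}

# Steps 2-4: pin the tool, then refuse to proceed unless BOTH the audit and
# the real build command succeed. Distinct return codes tell the caller (or
# CI) which gate failed, so the revert path is obvious.
validate_downgrade() {
    if ! sh -c "$INSTALL"; then
        echo "gate 0: install of $TOOL@$TOOL_VERSION failed" >&2
        return 1
    fi
    if ! sh -c "$AUDIT"; then
        echo "gate 1: audit still reports findings; not safe to commit" >&2
        return 2
    fi
    if ! sh -c "$BUILD"; then
        echo "gate 2: build broke after downgrade; revert package.json and lockfile" >&2
        return 3
    fi
    return 0
}

# Step 5: only stage the manifest and lockfile once every gate has passed,
# so a half-validated downgrade never reaches the branch Dependabot watches.
commit_downgrade() {
    validate_downgrade || return $?
    git add package.json package-lock.json
    git commit -m "build: pin $TOOL to $TOOL_VERSION to drop $VULN_PKG"
}

# Run the full workflow only when invoked as: sh downgrade.sh run
if [ "${1:-}" = "run" ]; then
    show_chain
    commit_downgrade
fi
```

Commit package.json and the lockfile together; the pinned range is what keeps the transitive out, and a lockfile-only change is undone by the next fresh install. Because an exact pin is a downgrade, Dependabot will keep proposing the newer tool version; a `dependabot.yml` `ignore` entry for that dependency (with a `versions` range) silences those PRs until the transitive itself is patched, at which point the pin should be lifted.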

Dimension / Reasoning / Score

Conciseness (2 / 3): Generally efficient but some redundancy between the two examples (they describe essentially the same scenario twice). The patterns section could be slightly tighter, but it doesn't over-explain concepts Claude already knows.

Actionability (2 / 3): Provides concrete package names and version numbers in examples, but lacks executable commands or a copy-paste workflow. The patterns are directional rather than prescriptive—e.g., 'confirm the failing dependency chain' without showing how (which command to run, what output to look for).

Workflow Clarity (2 / 3): The patterns section lists steps in a logical order but lacks explicit validation checkpoints and a feedback loop for error recovery. For a workflow involving dependency changes that could break builds, there should be a clearer sequence with 'validate then proceed' gates rather than just listing principles.

Progressive Disclosure (3 / 3): For a focused, single-purpose skill under 50 lines, the content is well-organized into clear sections (Context, Patterns, Examples, Anti-Patterns) with no need for external references or deeper nesting.

Total: 9 / 12

Passed

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata (Warning)

Total: 10 / 11

Passed

Repository: sbroenne/mcp-server-excel (Reviewed)
