Automated security scanning for dependencies, code, containers with Trivy, Snyk, npm audit. Use for CI/CD security gates, pre-deployment audits, compliance requirements, or encountering CVE detection, outdated packages, license compliance, SBOM generation errors.
Score: 76%
Does it follow best practices?
Impact: — (No eval scenarios have been run)
Passed: No known issues
Optimize this skill with Tessl:
npx tessl skill review --optimize ./plugins/vulnerability-scanning/skills/vulnerability-scanning/SKILL.md
Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly communicates its purpose, lists specific tools and actions, and provides explicit trigger guidance. It uses third person voice appropriately and covers a comprehensive set of natural keywords that users would employ when seeking security scanning help. The description is concise yet thorough, making it easy for Claude to select this skill in the right context.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: security scanning for dependencies, code, containers, and names specific tools (Trivy, Snyk, npm audit). Also mentions concrete use cases like CI/CD security gates, pre-deployment audits, CVE detection, SBOM generation. | 3 / 3 |
| Completeness | Clearly answers both what (automated security scanning for dependencies, code, containers with specific tools) and when ('Use for CI/CD security gates, pre-deployment audits, compliance requirements, or encountering CVE detection, outdated packages, license compliance, SBOM generation errors'). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'security scanning', 'dependencies', 'containers', 'Trivy', 'Snyk', 'npm audit', 'CI/CD', 'CVE', 'outdated packages', 'license compliance', 'SBOM'. These are terms a user would naturally use when needing this skill. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche in security scanning. The specific tool names (Trivy, Snyk, npm audit) and domain-specific terms (CVE, SBOM, license compliance) make it very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
52%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides strong, actionable code examples across multiple scanning tools and languages, making it immediately useful. However, it reads more like a reference catalog of scanning commands than a coherent workflow — there's no guidance on how to sequence scans, handle results, or iterate on fixes. The best practices and tools list sections add little value given Claude's existing knowledge.
Suggestions
Add a workflow section that sequences the scanning steps (e.g., 1. Run dependency scan → 2. Review findings → 3. Fix or document exceptions → 4. Re-scan to verify → 5. Proceed with deployment), with explicit validation checkpoints.
Remove or significantly trim the 'Best Practices' and 'Tools' sections — the practices are generic and the tools are already demonstrated in the code examples.
Add guidance on interpreting scan output and triaging results (e.g., how to handle false positives, when to accept risk, how to document exceptions), which is the non-obvious knowledge Claude would benefit from.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Mostly efficient with concrete code examples, but the 'Best Practices' section is generic advice Claude already knows, and the 'Tools' list at the end is redundant since all tools are already demonstrated in the code examples above. | 2 / 3 |
| Actionability | Provides fully executable, copy-paste ready code across multiple languages and tools — bash commands, a complete GitHub Actions workflow YAML, a Node.js scanner script, and Python scanning commands. All examples are concrete and specific. | 3 / 3 |
| Workflow Clarity | The skill presents a collection of independent scanning tools but lacks any sequenced workflow for how to combine them, no validation/feedback loops for handling scan results (e.g., what to do when vulnerabilities are found, how to triage, how to re-scan after fixes), and no guidance on ordering or prioritization. For security scanning — which can involve destructive decisions like blocking deployments — this is a significant gap. | 1 / 3 |
| Progressive Disclosure | Content is organized into clear sections with headers, but the GitHub Actions YAML is quite long and could be referenced externally. There are no references to supplementary files for advanced topics like SBOM generation, license compliance, or false positive management mentioned in the description. For a standalone file it's reasonably structured but could benefit from splitting. | 2 / 3 |
| Total | | 8 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| metadata_version | 'metadata.version' is missing | Warning |
| Total | | 10 / 11 Passed |