vulnerability-scanning

Automated security scanning for dependencies, code, containers with Trivy, Snyk, npm audit. Use for CI/CD security gates, pre-deployment audits, compliance requirements, or encountering CVE detection, outdated packages, license compliance, SBOM generation errors.

Quality

76%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Passed

No known issues

Fix and improve this skill with Tessl

tessl review fix ./plugins/vulnerability-scanning/skills/vulnerability-scanning/SKILL.md

Quality

Content

52%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides strong, actionable code examples across multiple scanning tools and languages, making it immediately useful. However, it reads more like a reference catalog of scanning commands than a coherent workflow — there's no guidance on how to sequence scans, handle results, or iterate on fixes. The best practices and tools list sections add little value given Claude's existing knowledge.

Suggestions

Add a workflow section that sequences the scanning steps (e.g., 1. Run dependency scan → 2. Review findings → 3. Fix or document exceptions → 4. Re-scan to verify → 5. Proceed with deployment), with explicit validation checkpoints.

Remove or significantly trim the 'Best Practices' and 'Tools' sections — the practices are generic and the tools are already demonstrated in the code examples.

Add guidance on interpreting scan output and triaging results (e.g., how to handle false positives, when to accept risk, how to document exceptions), which is the non-obvious knowledge Claude would benefit from.

Dimension	Reasoning	Score
Conciseness	Mostly efficient with concrete code examples, but the 'Best Practices' section is generic advice Claude already knows, and the 'Tools' list at the end is redundant since all tools are already demonstrated in the code examples above.	2 / 3
Actionability	Provides fully executable, copy-paste ready code across multiple languages and tools — bash commands, a complete GitHub Actions workflow YAML, a Node.js scanner script, and Python scanning commands. All examples are concrete and specific.	3 / 3
Workflow Clarity	The skill presents a collection of independent scanning tools but lacks any sequenced workflow for how to combine them, no validation/feedback loops for handling scan results (e.g., what to do when vulnerabilities are found, how to triage, how to re-scan after fixes), and no guidance on ordering or prioritization. For security scanning — which can involve destructive decisions like blocking deployments — this is a significant gap.	1 / 3
Progressive Disclosure	Content is organized into clear sections with headers, but the GitHub Actions YAML is quite long and could be referenced externally. There are no references to supplementary files for advanced topics like SBOM generation, license compliance, or false positive management mentioned in the description. For a standalone file it's reasonably structured but could benefit from splitting.	2 / 3
	Total	8 / 12 Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description that clearly communicates its purpose, lists specific tools and actions, and provides explicit trigger guidance. It uses third person voice appropriately and covers a comprehensive set of natural keywords that users would employ when seeking security scanning help. The description is concise yet thorough, making it easy for Claude to select this skill in the right context.

Dimension	Reasoning	Score
Specificity	Lists multiple specific concrete actions: security scanning for dependencies, code, containers, and names specific tools (Trivy, Snyk, npm audit). Also mentions concrete use cases like CI/CD security gates, pre-deployment audits, CVE detection, SBOM generation.	3 / 3
Completeness	Clearly answers both what (automated security scanning for dependencies, code, containers with specific tools) and when ('Use for CI/CD security gates, pre-deployment audits, compliance requirements, or encountering CVE detection, outdated packages, license compliance, SBOM generation errors').	3 / 3
Trigger Term Quality	Excellent coverage of natural terms users would say: 'security scanning', 'dependencies', 'containers', 'Trivy', 'Snyk', 'npm audit', 'CI/CD', 'CVE', 'outdated packages', 'license compliance', 'SBOM'. These are terms a user would naturally use when needing this skill.	3 / 3
Distinctiveness Conflict Risk	Highly distinctive with a clear niche in security scanning. The specific tool names (Trivy, Snyk, npm audit) and domain-specific terms (CVE, SBOM, license compliance) make it very unlikely to conflict with other skills.	3 / 3
	Total	12 / 12 Passed

Validation

90%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed

Validation for skill structure

Criteria	Description	Result
metadata_version	'metadata.version' is missing	Warning

	Total	10 / 11 Passed

Repository: secondsky/claude-skills
Commit: 5e92b71

Reviewed: about 1 month ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.