tessl i github:secondsky/claude-skills --skill vulnerability-scanning

Automated security scanning for dependencies, code, containers with Trivy, Snyk, npm audit. Use for CI/CD security gates, pre-deployment audits, compliance requirements, or encountering CVE detection, outdated packages, license compliance, SBOM generation errors.
Validation
75%

| Criteria | Description | Result |
|---|---|---|
| description_trigger_hint | Description may be missing an explicit 'when to use' trigger hint (e.g., 'Use when...') | Warning |
| metadata_version | 'metadata' field is not a dictionary | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| body_steps | No step-by-step structure detected (no ordered list); consider adding a simple workflow | Warning |
| Total | | 12 / 16 Passed |
Implementation
80%

This is a solid, actionable skill that efficiently covers multiple vulnerability scanning tools with executable examples. Its main weakness is the lack of a cohesive workflow showing how to sequence scans, interpret results, and handle remediation. The content would benefit from clearer guidance on what to do when vulnerabilities are found.
Suggestions
Add a workflow section showing the recommended sequence: scan dependencies → scan containers → review results → remediate or document exceptions
Include guidance on interpreting scan output and deciding whether to fix, upgrade, or accept risk for findings
Consider splitting tool-specific advanced configurations into separate reference files (e.g., TRIVY.md, SNYK.md)
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is lean and efficient, providing direct commands and code without explaining what vulnerability scanning is or how these tools work internally. Every section delivers actionable content without padding. | 3 / 3 |
| Actionability | Provides fully executable commands, complete GitHub Actions workflow YAML, and working code examples. All snippets are copy-paste ready with real flags and options. | 3 / 3 |
| Workflow Clarity | While individual commands are clear, there is no explicit workflow sequence for a complete security audit process. Missing validation checkpoints and error recovery guidance for when scans find vulnerabilities beyond just failing the build. | 2 / 3 |
| Progressive Disclosure | Content is well-organized into logical sections, but everything is inline in one file. For a skill covering multiple tools (Trivy, Snyk, Bandit, npm audit), separate reference files for each tool's advanced options would improve navigation. | 2 / 3 |
| Total | | 10 / 12 |
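The Suggestions above and the Workflow Clarity row both ask for the step the skill lacks: what to do after a scan finds something. The following added example (not code from the skill under review, and not part of Trivy) shows one such review-and-remediate gate. It reads a `trivy --format json` report, sorts every finding into upgrade (fix available), accepted (documented exception), expired (exception lapsed) or monitor (no fix published), and returns an exit code CI can act on. The report is a constructed sample that uses Trivy's real field names (`Results`, `Target`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) with placeholder packages and placeholder IDs of the form CVE-0000-NNNN, which are not real CVEs; the exception register format with owner, reason and expiry is this example's own assumption.

```python
"""Triage a `trivy --format json` report into fix / accept-risk / monitor buckets and gate CI on it."""
import json
import sys
from datetime import date

# Severity names as Trivy reports them, ranked so a threshold can be compared.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample shaped like Trivy's JSON report: real top-level and finding field
# names, but placeholder packages and placeholder IDs (CVE-0000-NNNN are not real CVEs).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example/api:1.4.2",
    "Results": [
        {"Target": "registry.example/api:1.4.2 (debian 12.5)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1", "Severity": "HIGH",
              "InstalledVersion": "1.0.0-1", "FixedVersion": "1.0.0-2"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother", "Severity": "CRITICAL",
              "InstalledVersion": "2.3.0"},                         # no fixed version yet
             {"VulnerabilityID": "CVE-0000-0006", "PkgName": "libthird", "Severity": "HIGH",
              "InstalledVersion": "0.9.1"},                         # no fixed version yet
         ]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "left-widget", "Severity": "MEDIUM",
              "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21"},
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "http-thing", "Severity": "HIGH",
              "InstalledVersion": "4.18.0", "FixedVersion": "4.19.0"},
             {"VulnerabilityID": "CVE-0000-0005", "PkgName": "tiny-util", "Severity": "LOW",
              "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1"},
         ]},
    ],
})

# Constructed exception register in a format assumed for this example (not a Trivy file):
# every accepted risk carries an owner, a reason and an expiry so it is re-reviewed.
SAMPLE_EXCEPTIONS = json.dumps({
    "CVE-0000-0002": {"owner": "platform-team", "expires": "2099-12-31",
                      "reason": "affected daemon is not shipped in the image"},
    "CVE-0000-0003": {"owner": "web-team", "expires": "2024-06-30",
                      "reason": "accepted pending upstream release"},
})


def iter_vulns(report):
    """Yield (target, finding) pairs; Trivy omits 'Vulnerabilities' for clean targets."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln


def classify(vuln, exceptions, today):
    """Map one finding to an action: accepted, expired (exception lapsed), upgrade, or monitor."""
    exc = exceptions.get(vuln["VulnerabilityID"])
    if exc:
        if date.fromisoformat(exc["expires"]) >= today:
            return "accepted", f"risk accepted by {exc['owner']} until {exc['expires']}: {exc['reason']}"
        return "expired", f"exception expired {exc['expires']}; re-review or fix"
    if vuln.get("FixedVersion"):
        return "upgrade", f"{vuln['PkgName']} {vuln['InstalledVersion']} -> {vuln['FixedVersion']}"
    return "monitor", f"no fixed version published for {vuln['PkgName']}"


def triage(report_json, exceptions_json, today=None, fail_on="HIGH"):
    """Bucket every finding and return the gate verdict; exit_code 1 means block the deploy."""
    today = date.fromisoformat(today) if today else date.today()
    exceptions = json.loads(exceptions_json)
    threshold = SEVERITY_RANK[fail_on]
    buckets = {"upgrade": [], "accepted": [], "expired": [], "monitor": []}
    blocking = []
    for target, vuln in iter_vulns(json.loads(report_json)):
        bucket, note = classify(vuln, exceptions, today)
        severity = vuln.get("Severity", "UNKNOWN")
        entry = {"id": vuln["VulnerabilityID"], "severity": severity, "target": target, "note": note}
        buckets[bucket].append(entry)
        # Gate policy: fixable findings at or above the threshold block until upgraded; an
        # expired exception blocks at any severity to force re-review; unfixed findings are
        # tracked rather than blocked (the effect of --ignore-unfixed), except CRITICAL ones,
        # which only pass with an active, owned exception.
        if ((bucket == "upgrade" and SEVERITY_RANK.get(severity, 0) >= threshold)
                or bucket == "expired"
                or (bucket == "monitor" and severity == "CRITICAL")):
            blocking.append(entry)
    return {"buckets": buckets, "blocking": blocking, "exit_code": 1 if blocking else 0}


def main(argv):
    # Usage: triage.py report.json exceptions.json  (falls back to the constructed samples)
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    exceptions = open(argv[2]).read() if len(argv) > 2 else SAMPLE_EXCEPTIONS
    verdict = triage(report, exceptions)
    for bucket, entries in verdict["buckets"].items():
        for e in entries:
            print(f"[{bucket:8}] {e['severity']:8} {e['id']} ({e['target']}): {e['note']}")
    print(f"blocking findings: {len(verdict['blocking'])}")
    return verdict["exit_code"]


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline this runs after `trivy image --format json -o report.json <image>` (and the same shape works for `trivy fs` over a dependency lockfile), with the exception register checked into the repository so accepted risks are reviewed in pull requests like any other change. Trivy alone can already fail a build with `--exit-code 1 --severity HIGH,CRITICAL` and skip unfixed findings with `--ignore-unfixed`; what those flags do not give you is the expiring, owned exception and the per-bucket summary that tells a developer whether the answer is upgrade, accept, or wait for upstream.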
Activation
100%

This is a strong skill description that clearly defines its security scanning purpose, lists specific tools and capabilities, and provides explicit trigger conditions. It uses appropriate third-person voice and includes both technical tool names and natural language terms users would employ when seeking security scanning help.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'security scanning for dependencies, code, containers' with named tools (Trivy, Snyk, npm audit) and specific use cases (CI/CD security gates, pre-deployment audits, CVE detection, SBOM generation). | 3 / 3 |
| Completeness | Clearly answers both what (automated security scanning with specific tools) AND when ('Use for CI/CD security gates, pre-deployment audits, compliance requirements, or encountering CVE detection, outdated packages, license compliance, SBOM generation errors'). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'security scanning', 'dependencies', 'containers', 'Trivy', 'Snyk', 'npm audit', 'CI/CD', 'CVE', 'outdated packages', 'license compliance', 'SBOM'. These are terms developers naturally use when dealing with security concerns. | 3 / 3 |
| Distinctiveness Conflict Risk | Clear niche focused specifically on security scanning with distinct triggers (Trivy, Snyk, CVE, SBOM, npm audit) that are unlikely to conflict with general coding or deployment skills. | 3 / 3 |
| Total | | 12 / 12 |