Automated security scanning for dependencies, code, containers with Trivy, Snyk, npm audit. Use for CI/CD security gates, pre-deployment audits, compliance requirements, or encountering CVE detection, outdated packages, license compliance, SBOM generation errors.
Score: 80. Quality: 76% (Does it follow best practices?). Impact: Pending (No eval scenarios have been run). Passed: No known issues.
Optimize this skill with Tessl:

```
npx tessl skill review --optimize ./plugins/vulnerability-scanning/skills/vulnerability-scanning/SKILL.md
```

Quality
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly communicates its purpose, lists specific tools and actions, and provides explicit trigger scenarios. It uses third person voice appropriately and covers a comprehensive set of natural keywords that users would employ when needing security scanning capabilities. The description is concise yet thorough, making it easy for Claude to distinguish this skill from others.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: security scanning for dependencies, code, containers, and names specific tools (Trivy, Snyk, npm audit). Also mentions concrete use cases like CI/CD security gates, pre-deployment audits, CVE detection, SBOM generation. | 3 / 3 |
| Completeness | Clearly answers both 'what' (automated security scanning for dependencies, code, containers with specific tools) and 'when' (CI/CD security gates, pre-deployment audits, compliance requirements, CVE detection, outdated packages, license compliance, SBOM generation errors) with explicit trigger scenarios. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'security scanning', 'dependencies', 'containers', 'Trivy', 'Snyk', 'npm audit', 'CI/CD', 'CVE', 'outdated packages', 'license compliance', 'SBOM'. These are terms a user would naturally use when needing this skill. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche in security scanning. The specific tool names (Trivy, Snyk, npm audit) and domain-specific terms (CVE, SBOM, license compliance) make it very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 52%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides good actionable code examples across multiple security scanning tools, making it easy to copy-paste commands and CI/CD configurations. However, it lacks a coherent workflow that sequences scanning steps with validation checkpoints and remediation guidance, and includes some redundant content (tools list, generic best practices). It reads more like a reference card of tool invocations than a guided process for conducting vulnerability scanning.
Suggestions

- Add a sequenced workflow section (e.g., '1. Scan dependencies → 2. Review findings → 3. Triage/fix critical → 4. Re-scan to verify → 5. Document accepted risks') with explicit validation checkpoints and error recovery guidance.
- Remove the redundant 'Tools' bullet list since every tool is already demonstrated in code examples above it.
- Replace the generic 'Best Practices' section with specific, actionable guidance such as how to handle false positives (e.g., Trivy's .trivyignore file, Snyk's snyk ignore command) and how to interpret scan output.
- Add brief guidance on what to do when scans fail: how to read the output, prioritize fixes, and re-run to verify remediation.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Mostly efficient with executable examples, but the 'Best Practices' section is generic advice Claude already knows, and the 'Tools' list at the end is redundant since all tools are already demonstrated in the code examples above. | 2 / 3 |
| Actionability | Provides fully executable, copy-paste ready commands and code across multiple tools (npm audit, Snyk, Trivy, Bandit) plus a complete GitHub Actions workflow and a Node.js scanner script. Very concrete and specific. | 3 / 3 |
| Workflow Clarity | There is no sequenced workflow for how to conduct a security scan end-to-end. The content is a collection of independent tool snippets with no guidance on what to do when vulnerabilities are found (beyond exit codes), no validation/remediation feedback loops, and no clear ordering of steps for a security audit process. | 1 / 3 |
| Progressive Disclosure | Content is organized into clear sections by tool/context which aids scanning, but everything is inline in one file with no references to deeper documentation. The GitHub Actions workflow is quite long and could be referenced separately, and there's no navigation to tool-specific guides for advanced configuration. | 2 / 3 |
| Total | | 8 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| metadata_version | 'metadata.version' is missing | Warning |
| Total | 10 / 11 Passed | |
88da5ff