
codebase-cleanup-deps-audit

You are a dependency security expert specializing in vulnerability scanning, license compliance, and supply chain security. Analyze project dependencies for known vulnerabilities, licensing issues, outdated packages, and provide actionable remediation strategies.


Quality: 27% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Advisory (Suggest reviewing before use)

Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/codebase-cleanup-deps-audit/SKILL.md`

Quality

Discovery: 32%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description identifies a clear domain (dependency security) and lists several relevant capabilities, but it reads more like a persona prompt ('You are a dependency security expert') than a skill description. It lacks a 'Use when...' clause entirely, uses second-person voice, which violates the third-person requirement, and misses the natural trigger terms users would employ when they need this skill.

Suggestions

Add an explicit 'Use when...' clause with trigger scenarios, e.g., 'Use when the user asks about vulnerable dependencies, outdated packages, license compliance, npm audit, CVE checks, or supply chain security.'

Rewrite in third person voice: replace 'You are a dependency security expert' with action-oriented phrasing like 'Scans project dependencies for known vulnerabilities, checks license compliance, identifies outdated packages, and provides remediation strategies.'

Include natural trigger terms users would say, such as specific file types (package.json, requirements.txt, Gemfile.lock), tool names (npm audit, pip-audit, Snyk), and terms like 'CVE', 'security advisory', or 'SBOM'.

Dimension scores

Specificity (2 / 3): Names the domain (dependency security) and some actions (vulnerability scanning, license compliance, supply chain security, analyze dependencies), but uses broad terms rather than listing multiple concrete discrete actions like 'scan lockfiles', 'check CVE databases', 'generate SBOM'.

Completeness (1 / 3): Describes what it does (analyze dependencies for vulnerabilities, licensing issues, etc.) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per rubric guidelines, a missing 'Use when...' clause caps completeness at 2, and the 'when' is entirely absent here, warranting a 1.

Trigger Term Quality (2 / 3): Includes some relevant keywords like 'vulnerability scanning', 'license compliance', 'supply chain security', 'outdated packages', and 'remediation', but misses common user-facing terms like 'npm audit', 'CVE', 'dependabot', 'security advisory', 'package.json', 'lockfile', or specific ecosystem terms users would naturally say.

Distinctiveness / Conflict Risk (2 / 3): The focus on dependency security is somewhat specific and distinguishes it from general code review or document skills, but could overlap with broader security analysis skills or general code quality tools. The lack of explicit file types or tool names reduces distinctiveness.

Total: 7 / 12 (Passed)

Implementation: 22%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill reads more like a high-level role description than actionable instructions. It lacks concrete commands, tool names (e.g., npm audit, pip-audit, trivy, snyk), executable code examples, and structured workflows with validation checkpoints. Nearly all useful content appears to be deferred to an external playbook, leaving the skill itself too abstract to guide Claude effectively.

Suggestions

Add concrete, executable commands for common ecosystems (e.g., `npm audit --json`, `pip-audit`, `trivy fs .`, `cargo audit`) with example output parsing.

Define a clear numbered workflow with explicit validation checkpoints, e.g., '1. Detect manifest files → 2. Run scan tool → 3. Parse results → 4. Validate fixes don't break tests → 5. Generate report'.

Remove the repeated description paragraph and the 'Context' section, which restate what Claude already knows from the frontmatter.

Include at least one concrete example of expected output format (e.g., a sample vulnerability table or JSON schema) rather than just listing section headings.
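As an added illustration of the first and last suggestions above (this is not code from the reviewed skill or from Tessl's review), the following Python parses `npm audit --json` output into the kind of severity-sorted vulnerability table and pass/fail checkpoint the review asks for. The report JSON, package names and advisory URLs are constructed placeholders; the field layout follows the npm 7+ (auditReportVersion 2) format.

```python
import json

# Constructed sample of `npm audit --json` output (npm 7+, auditReportVersion 2).
# Package names, advisory ids and URLs are placeholders, not real findings.
SAMPLE_AUDIT = """{"auditReportVersion": 2, "vulnerabilities": {
 "example-parser": {"name": "example-parser", "severity": "high", "isDirect": true, "range": "<2.0.0",
   "via": [{"source": 1001, "name": "example-parser", "title": "Prototype Pollution", "severity": "high",
            "url": "https://example.invalid/advisories/GHSA-PLACEHOLDER-1", "range": "<2.0.0"}],
   "effects": [], "nodes": ["node_modules/example-parser"],
   "fixAvailable": {"name": "example-parser", "version": "2.1.0", "isSemVerMajor": true}},
 "example-util": {"name": "example-util", "severity": "moderate", "isDirect": false, "range": "<1.4.0",
   "via": [{"source": 1002, "name": "example-util", "title": "ReDoS", "severity": "moderate",
            "url": "https://example.invalid/advisories/GHSA-PLACEHOLDER-2", "range": "<1.4.0"}],
   "effects": ["example-cli"], "nodes": ["node_modules/example-util"], "fixAvailable": true},
 "example-cli": {"name": "example-cli", "severity": "moderate", "isDirect": true, "range": ">=1.0.0",
   "via": ["example-util"], "effects": [], "nodes": ["node_modules/example-cli"], "fixAvailable": false}}}"""

SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}


def parse_npm_audit(report_json):
    """Return one row per vulnerable package, worst severity first.
    `via` mixes advisory objects (the package's own findings) with plain strings (other
    vulnerable packages it depends on); `fixAvailable` is a bool, or an object when the
    only fix is a semver-major upgrade."""
    rows = []
    for name, vuln in json.loads(report_json).get("vulnerabilities", {}).items():
        via = vuln.get("via", [])
        titles = [v["title"] for v in via if isinstance(v, dict)]
        through = [v for v in via if isinstance(v, str)]
        fix = vuln.get("fixAvailable", False)
        if isinstance(fix, dict):
            remediation = f"upgrade {fix['name']} to {fix['version']}"
            remediation += " (semver-major: verify in staging)" if fix.get("isSemVerMajor") else ""
        else:
            remediation = "npm audit fix" if fix else "no fix available: pin, patch or replace"
        rows.append({"package": name, "severity": vuln["severity"], "direct": bool(vuln.get("isDirect")),
                     "range": vuln.get("range", ""), "findings": titles or [f"via {t}" for t in through],
                     "remediation": remediation})
    return sorted(rows, key=lambda r: (SEVERITY_RANK.get(r["severity"], 9), r["package"]))


def gate_fails(rows, threshold="high"):
    """Validation checkpoint: True if any finding is at or above `threshold` severity."""
    return any(SEVERITY_RANK.get(r["severity"], 9) <= SEVERITY_RANK[threshold] for r in rows)


def render_table(rows):
    header = f"{'PACKAGE':<16}{'SEVERITY':<10}{'DIRECT':<8}{'FINDING':<22}REMEDIATION"
    body = [f"{r['package']:<16}{r['severity']:<10}{('yes' if r['direct'] else 'no'):<8}"
            f"{'; '.join(r['findings']):<22}{r['remediation']}" for r in rows]
    return "\n".join([header, *body])
```

Running `render_table(parse_npm_audit(SAMPLE_AUDIT))` prints the table, and `gate_fails(...)` is the step a workflow would check before declaring the audit clean.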

Dimension scores

Conciseness (2 / 3): The skill repeats the description in the body ('You are a dependency security expert...') and includes some unnecessary framing ('The user needs comprehensive dependency analysis...'), but is otherwise reasonably concise. The 'Use this skill when' / 'Do not use this skill when' sections add moderate value but border on obvious.

Actionability (1 / 3): The instructions are entirely abstract and vague ('Inventory direct and transitive dependencies', 'Run vulnerability and license scans'), with no concrete commands, tool names, code snippets, or executable examples. There is nothing copy-paste ready or specific enough for Claude to act on directly.

Workflow Clarity (1 / 3): The steps are listed as bullet points without clear sequencing, no validation checkpoints, and no feedback loops. For a security audit workflow involving potentially destructive upgrades, there are no verification steps beyond a vague 'Verify upgrades in staging before production rollout.'

Progressive Disclosure (2 / 3): There is a reference to `resources/implementation-playbook.md` for detailed tooling, which is good progressive disclosure structure. However, the main content is too thin; it delegates almost all substance to the external file without providing enough actionable content in the skill itself to be useful standalone.

Total: 6 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Checks

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata (Warning)

Total: 10 / 11 (Passed)

Repository: sickn33/antigravity-awesome-skills (Reviewed)
