You are a dependency security expert specializing in vulnerability scanning, license compliance, and supply chain security. Analyze project dependencies for known vulnerabilities, licensing issues, outdated packages, and provide actionable remediation strategies.
Overall score: 28 (20%)
Impact: No eval scenarios have been run
Advisory: Suggest reviewing before use
Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/codebase-cleanup-deps-audit/SKILL.md`
Quality: Does it follow best practices?
Discovery: 32%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description identifies a clear domain (dependency security) and lists several relevant capability areas, but it reads more like a role description than a skill selection guide. It uses second-person framing ('You are...') which is inappropriate for a skill description, lacks a 'Use when...' clause, and doesn't provide enough concrete actions or natural trigger terms to reliably distinguish it from other security-related skills.
Suggestions
Add an explicit 'Use when...' clause with natural trigger terms like 'check dependencies for vulnerabilities', 'npm audit', 'license check', 'CVE', 'outdated packages', 'SBOM', 'dependency review'.
Replace the role-play framing ('You are a dependency security expert') with third-person action statements like 'Scans project dependencies for known CVEs, checks license compliance, identifies outdated packages, and provides upgrade/remediation strategies'.
Include specific file/tool references users might mention, such as 'package.json', 'requirements.txt', 'Cargo.toml', 'go.mod', 'dependabot', or 'snyk' to improve trigger term coverage.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (dependency security) and some actions (vulnerability scanning, license compliance, supply chain security, analyze dependencies), but these are more like category labels than concrete specific actions. It lacks granular actions like 'check CVE databases', 'generate SBOM', or 'upgrade outdated packages'. | 2 / 3 |
| Completeness | Describes what it does (analyze dependencies for vulnerabilities, licensing issues, etc.) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per the rubric, a missing 'Use when...' clause caps completeness at 2, and the 'what' portion is also somewhat vague, placing this at 1. | 1 / 3 |
| Trigger Term Quality | Includes some relevant keywords like 'vulnerability scanning', 'license compliance', 'supply chain security', 'outdated packages', and 'remediation'. However, it misses common user-facing terms like 'npm audit', 'CVE', 'dependabot', 'security advisory', 'package.json', 'requirements.txt', or specific tool names users might reference. | 2 / 3 |
| Distinctiveness Conflict Risk | The focus on dependency security is a reasonably specific niche, but terms like 'vulnerability scanning' and 'supply chain security' could overlap with general security analysis or code review skills. Without explicit trigger conditions, the boundaries are unclear. | 2 / 3 |
| Total | | 7 / 12 Passed |
Implementation
Implementation: 7%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is essentially a high-level description of what a dependency audit involves, rather than actionable instructions for performing one. It lacks concrete tools, commands, code examples, and validation steps. The content reads more like a role description than a skill that would enable Claude to execute a specific workflow.
Suggestions
Add concrete, executable commands for specific tools (e.g., `npm audit`, `pip-audit`, `trivy fs .`, `license-checker`) with example output parsing.
Define a clear multi-step workflow with validation checkpoints, e.g.: 1. Detect package manager → 2. Run specific scan command → 3. Parse results → 4. Validate proposed upgrades don't break compatibility → 5. Generate report.
Remove sections that restate Claude's existing knowledge (the 'Context' paragraph, 'Use this skill when' obvious triggers, generic 'Limitations' boilerplate) to improve token efficiency.
Include a concrete example of expected output format (e.g., a sample vulnerability table or remediation plan) so the output is specific rather than a list of section headings.
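The five-step workflow from the second suggestion, worked through as an added example (not part of the skill or of Tessl's review): it picks the scanner from the manifest present, parses constructed `npm audit --json` output, flags semver-major fixes for manual validation, and renders the remediation table the fourth suggestion asks for. The sample report and package names are constructed; the `npm audit`, `pip-audit` and `trivy` flags are the tools' real ones.

```python
"""Dependency-audit workflow: detect the package manager, pick the scan, parse
`npm audit --json`, flag breaking fixes, emit a remediation table. Added
example; the embedded audit output is constructed, not a real scan."""
import json
# Step 1: manifest present -> scan command (tools named in the review above).
MANIFEST_TO_SCAN = {"package.json": "npm audit --json", "requirements.txt": "pip-audit --format json"}
FALLBACK_SCAN = "trivy fs --format json ."   # step 2 catch-all for other ecosystems
SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}

def detect_scan_command(project_files: list) -> str:
    """Choose the scanner from the manifests found in the project root."""
    for manifest, cmd in MANIFEST_TO_SCAN.items():
        if manifest in project_files:
            return cmd
    return FALLBACK_SCAN

def parse_npm_audit(report_json: str) -> list:
    """Steps 3-4: flatten an npm v7+ report (auditReportVersion 2), sorted by severity.
    A fixAvailable object with isSemVerMajor is a breaking upgrade: validate, don't auto-apply."""
    findings = []
    for name, v in json.loads(report_json).get("vulnerabilities", {}).items():
        fix = v.get("fixAvailable", False)   # false, true, or {name, version, isSemVerMajor}
        if isinstance(fix, dict) and fix.get("isSemVerMajor"):
            action = f"review: fix needs major bump to {fix.get('version')}"
        else:
            action = "npm audit fix" if fix else "no fix available"
        # `via` mixes advisory objects with bare names of other vulnerable packages
        issues = [x["title"] if isinstance(x, dict) else f"via {x}" for x in v.get("via", [])]
        findings.append({"package": name, "severity": v.get("severity", "info"),
                         "range": v.get("range", ""), "direct": bool(v.get("isDirect")),
                         "issues": issues, "action": action})
    return sorted(findings, key=lambda f: (SEVERITY_RANK.get(f["severity"], 9), f["package"]))

def remediation_table(findings: list) -> str:
    """Step 5: render findings as the markdown table the review asks for."""
    rows = ["| Package | Severity | Range | Direct | Issue | Action |", "|---|---|---|---|---|---|"]
    for f in findings:
        rows.append(f"| {f['package']} | {f['severity']} | {f['range']} | {'yes' if f['direct'] else 'no'}"
                    f" | {'; '.join(f['issues'])} | {f['action']} |")
    return "\n".join(rows)

# Constructed sample in the npm v7+ shape; package names and advisories are made up.
SAMPLE_NPM_AUDIT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "demo-yaml-loader": {"severity": "high", "isDirect": True, "range": "<2.0.0",
        "via": [{"title": "Unsafe deserialization", "severity": "high"}],
        "fixAvailable": {"name": "demo-yaml-loader", "version": "2.0.0", "isSemVerMajor": True}},
    "demo-path-util": {"severity": "moderate", "isDirect": False, "range": "<1.4.2",
        "via": [{"title": "Path traversal", "severity": "moderate"}], "fixAvailable": True},
    "demo-cli": {"severity": "critical", "isDirect": True, "range": "*",
        "via": ["demo-path-util"], "fixAvailable": False}}})
```

Running `print(remediation_table(parse_npm_audit(SAMPLE_NPM_AUDIT)))` lists the critical transitive finding first and marks the semver-major fix for review rather than for `npm audit fix`.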
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is verbose and padded with information Claude already knows. It repeats the description in the body, includes unnecessary 'Context' and 'Use this skill when/Do not use this skill when' sections that explain obvious things, and the 'Limitations' section restates generic best practices Claude already follows. | 1 / 3 |
| Actionability | The skill provides only vague, abstract direction ('Run vulnerability and license scans', 'Inventory direct and transitive dependencies') with no concrete commands, tools, code examples, or specific scanning procedures. There is nothing executable or copy-paste ready. | 1 / 3 |
| Workflow Clarity | The instructions list high-level steps without clear sequencing, validation checkpoints, or feedback loops. For a security audit workflow involving potentially destructive upgrades, there are no verification steps, no error recovery guidance, and no concrete process to follow. | 1 / 3 |
| Progressive Disclosure | The skill references `resources/implementation-playbook.md` for detailed tooling and templates, which is a reasonable one-level-deep reference. However, no bundle files are provided, so the reference is unverifiable, and the main content itself is too thin to serve as a useful overview. | 2 / 3 |
| Total | | 5 / 12 Passed |
Validation
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
f5dc9e3