You are a dependency security expert specializing in vulnerability scanning, license compliance, and supply chain security. Analyze project dependencies for known vulnerabilities, licensing issues, outdated packages, and provide actionable remediation strategies.
Quality: 27%
Does it follow best practices?
Impact: Pending
No eval scenarios have been run.
Advisory: Suggest reviewing before use.
Optimize this skill with Tessl:
npx tessl skill review --optimize ./skills/codebase-cleanup-deps-audit/SKILL.md
Quality
Discovery
32%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description reads more like a system prompt persona instruction ('You are a dependency security expert') than a skill description, which undermines its effectiveness for skill selection. It covers the domain reasonably well but lacks explicit trigger guidance ('Use when...'), concrete specific actions, and natural user-facing keywords. The first/second person framing and absence of when-to-use criteria are its biggest weaknesses.
Suggestions
Rewrite in third person descriptive voice (e.g., 'Analyzes project dependencies for known vulnerabilities...') instead of the persona-style 'You are a dependency security expert'.
Add an explicit 'Use when...' clause with natural trigger terms like 'Use when the user asks about dependency vulnerabilities, npm audit, CVEs, license checks, outdated packages, supply chain security, or SBOM generation'.
Include more concrete actions such as 'scan lock files for CVEs, check license compatibility, identify outdated dependencies, generate remediation PRs' to improve specificity.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (dependency security) and some actions (vulnerability scanning, license compliance, supply chain security, analyze dependencies), but the actions are somewhat high-level and not as concrete as listing specific operations like 'generate SBOM, check CVE databases, audit lock files'. | 2 / 3 |
| Completeness | Describes what the skill does but has no explicit 'Use when...' clause or equivalent trigger guidance. Per the rubric, a missing 'Use when...' clause should cap completeness at 2, and since the 'when' is entirely absent (not even implied well), this scores a 1. Additionally, the description uses second person voice ('You are') which is a persona instruction rather than a skill description. | 1 / 3 |
| Trigger Term Quality | Includes relevant terms like 'vulnerability scanning', 'license compliance', 'supply chain security', 'outdated packages', and 'remediation', but misses common user-facing terms like 'npm audit', 'dependabot', 'CVE', 'security audit', 'package.json', 'lock file', or 'SBOM' that users would naturally say. | 2 / 3 |
| Distinctiveness Conflict Risk | The focus on dependency security is somewhat specific, but terms like 'vulnerability scanning' and 'outdated packages' could overlap with general security scanning skills or package management skills. The niche is identifiable but not sharply delineated. | 2 / 3 |
| Total | | 7 / 12 Passed |
Implementation
22%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is essentially a high-level outline with no concrete, executable guidance. It lacks specific tool commands (e.g., `npm audit`, `pip-audit`, `trivy`), code examples, or structured workflows with validation steps. The content reads more like a role description than an actionable skill, delegating all substance to an external playbook without providing enough standalone value.
Suggestions
Add concrete, executable commands for common ecosystems (e.g., `npm audit --json`, `pip-audit`, `trivy fs .`, `license-checker`) with example output parsing.
Define a clear multi-step workflow with explicit validation checkpoints, e.g.: 1. Detect manifest files → 2. Run scan tool → 3. Parse results → 4. Validate proposed upgrades don't break tests → 5. Generate report.
Remove the repeated description, 'Use this skill when'/'Do not use this skill when' meta-routing sections, and the 'Context' paragraph to reduce verbosity and focus on actionable content.
Include at least one concrete example showing input (e.g., a package.json snippet) and expected output (e.g., a vulnerability report format) so Claude knows exactly what to produce.
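As an added illustration of what the suggestions above ask for (example code written for this review, not part of the reviewed skill or its playbook), the script below takes `npm audit --json` output in the report-version-2 shape that npm 7 and later emit, turns each entry into a finding, separates root-cause advisories from packages that are only vulnerable through a dependency, flags fixes that need a semver-major upgrade, and produces both machine-usable counts for a CI gate and a plain-text report. The embedded sample report is constructed: the `acme-*` package names, advisory ids and `example.invalid` URLs are placeholders, not real advisories.

```python
"""Parse `npm audit --json` (auditReportVersion 2, npm >= 7) into a remediation report.

Added example for this review, not code from the reviewed skill. SAMPLE_AUDIT_JSON
is constructed: package names, advisory ids and URLs are placeholders.
"""
import json
from dataclasses import dataclass

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample in the shape npm 7+ emits. `via` mixes advisory objects (the
# root cause) with plain strings (names of vulnerable deps this package only depends
# on); `fixAvailable` is True, False, or an upgrade target that may be semver-major.
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "acme-template": {
            "name": "acme-template", "severity": "high", "isDirect": True,
            "via": [{"source": 1001, "name": "acme-template",
                     "title": "Prototype pollution in template compile",
                     "url": "https://example.invalid/advisories/1001",
                     "severity": "high", "range": "<4.1.0"}],
            "effects": ["acme-logger"], "range": "<4.1.0",
            "fixAvailable": {"name": "acme-template", "version": "5.0.0",
                             "isSemVerMajor": True},
        },
        "acme-logger": {  # transitive: vulnerable only through acme-template
            "name": "acme-logger", "severity": "high", "isDirect": False,
            "via": ["acme-template"], "effects": [], "range": "*",
            "fixAvailable": True,
        },
        "acme-net": {  # low severity and no upstream fix at all
            "name": "acme-net", "severity": "low", "isDirect": True,
            "via": [{"source": 1002, "name": "acme-net",
                     "title": "ReDoS in header parser",
                     "url": "https://example.invalid/advisories/1002",
                     "severity": "low", "range": "<=2.3.4"}],
            "effects": [], "range": "<=2.3.4", "fixAvailable": False,
        },
    },
})


@dataclass
class Finding:
    package: str
    severity: str
    direct: bool
    advisories: list      # root-cause advisory dicts; empty when only inherited
    inherited_from: list  # vulnerable deps this package merely depends on
    remediation: str
    breaking: bool        # fix requires a semver-major upgrade
    fixable: bool


def parse_audit(raw: str) -> list:
    """Turn raw `npm audit --json` text into Finding objects, worst severity first."""
    report = json.loads(raw)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected auditReportVersion 2 (npm >= 7); run `npm audit --json`")
    findings = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        via = vuln.get("via", [])
        advisories = [v for v in via if isinstance(v, dict)]
        inherited = [v for v in via if isinstance(v, str)]
        fix = vuln.get("fixAvailable", False)
        if fix is True:
            remediation, breaking, fixable = "npm audit fix (non-breaking)", False, True
        elif isinstance(fix, dict):
            breaking, fixable = bool(fix.get("isSemVerMajor")), True
            remediation = f"upgrade {fix['name']} to {fix['version']}"
            if breaking:
                remediation += " (semver-major: run the test suite before merging)"
        else:
            remediation, breaking, fixable = "no upstream fix: pin, patch, or replace", False, False
        findings.append(Finding(name, vuln.get("severity", "info"), bool(vuln.get("isDirect")),
                                advisories, inherited, remediation, breaking, fixable))
    findings.sort(key=lambda f: SEVERITY_RANK.get(f.severity, 0), reverse=True)
    return findings


def summarize(findings: list, fail_on: str = "high") -> dict:
    """Counts a CI gate can act on; `blocking` is findings at or above `fail_on`."""
    threshold = SEVERITY_RANK[fail_on]
    return {
        "total": len(findings),
        "blocking": sum(SEVERITY_RANK.get(f.severity, 0) >= threshold for f in findings),
        "direct": sum(f.direct for f in findings),
        "root_causes": sum(bool(f.advisories) for f in findings),
        "inherited": sum(not f.advisories for f in findings),
        "breaking_fixes": sum(f.breaking for f in findings),
        "unfixable": sum(not f.fixable for f in findings),
    }


def render_report(findings: list, fail_on: str = "high") -> str:
    """Plain-text report: one block per finding plus a gate verdict line."""
    lines = []
    for f in findings:
        lines.append(f"[{f.severity.upper()}] {f.package} ({'direct' if f.direct else 'transitive'})")
        for adv in f.advisories:
            lines.append(f"    advisory: {adv.get('title')} {adv.get('url', '')}".rstrip())
        if f.inherited_from:
            lines.append(f"    inherited from: {', '.join(f.inherited_from)}")
        lines.append(f"    fix: {f.remediation}")
    s = summarize(findings, fail_on)
    lines.append(f"{'FAIL' if s['blocking'] else 'PASS'}: {s['blocking']} finding(s) at or above "
                 f"{fail_on}, {s['unfixable']} without an upstream fix")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(parse_audit(SAMPLE_AUDIT_JSON)))
```

Against a real project the same functions run on `subprocess.run(["npm", "audit", "--json"], capture_output=True)`; npm exits non-zero whenever it finds anything, so the exit code is not a usable gate and the severity threshold in `summarize` is what should decide pass or fail. The semver-major flag is the point the review raises under Workflow Clarity: an upgrade marked `isSemVerMajor` is a candidate for a validation checkpoint (run the tests) rather than an automatic `npm audit fix --force`.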
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill repeats the description in the body ('You are a dependency security expert...'), includes 'Use this skill when' / 'Do not use this skill when' sections that are meta-routing rather than actionable content, and the 'Context' section restates what's already obvious. Some sections earn their place but there's notable padding. | 2 / 3 |
| Actionability | The instructions are entirely abstract ('Inventory direct and transitive dependencies', 'Run vulnerability and license scans') with no concrete commands, tool names, code snippets, or executable examples. There's nothing copy-paste ready or specific enough for Claude to act on directly. | 1 / 3 |
| Workflow Clarity | The instructions list high-level steps without clear sequencing, no validation checkpoints, and no feedback loops. For a security audit workflow involving potentially destructive upgrades, there are no verification steps beyond a vague 'Verify upgrades in staging before production rollout.' | 1 / 3 |
| Progressive Disclosure | There is a reference to 'resources/implementation-playbook.md' for detailed tooling, which is good one-level-deep disclosure. However, the main content is too thin to serve as a useful overview; it delegates almost all substance to the external file without providing enough actionable content in the skill itself. | 2 / 3 |
| Total | | 6 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
93c57b2