You are a dependency security expert specializing in vulnerability scanning, license compliance, and supply chain security. Analyze project dependencies for known vulnerabilities, licensing issues,...
Install with Tessl CLI
npx tessl i github:sickn33/antigravity-awesome-skills --skill codebase-cleanup-deps-audit57
Quality
37%
Does it follow best practices?
Impact
94%
0.98xAverage score across 3 eval scenarios
Discovery
32%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description establishes a clear domain (dependency security) but suffers from truncation and lacks explicit trigger guidance. The 'what' is partially addressed but the 'when' is entirely missing, making it difficult for Claude to know when to select this skill over others. The use of second person ('You are') violates the third-person voice requirement.
Suggestions
Add an explicit 'Use when...' clause with trigger terms like 'dependency audit', 'CVE check', 'npm/pip/cargo vulnerabilities', 'outdated packages', or 'license scan'
Complete the truncated description and list specific concrete actions like 'scan package.json for CVEs', 'check SBOM compliance', 'identify outdated dependencies'
Rewrite in third person voice (e.g., 'Analyzes project dependencies...') instead of second person ('You are...')
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (dependency security) and lists some actions (vulnerability scanning, license compliance, supply chain security), but the description is truncated with '...' and doesn't provide comprehensive concrete actions like specific tools or outputs. | 2 / 3 |
| Completeness | The description addresses 'what' (analyze dependencies for vulnerabilities and licensing) but completely lacks a 'Use when...' clause or any explicit trigger guidance. The truncation ('...') also suggests incomplete information. | 1 / 3 |
| Trigger Term Quality | Includes relevant terms like 'vulnerability scanning', 'license compliance', 'supply chain security', and 'dependencies', but misses common user variations like 'CVE', 'npm audit', 'outdated packages', 'security audit', or specific package manager names. | 2 / 3 |
| Distinctiveness / Conflict Risk | The focus on 'dependency security' and 'supply chain security' provides some distinction, but terms like 'vulnerability scanning' and 'license compliance' could overlap with general security or legal compliance skills. | 2 / 3 |
| Total | | 7 / 12 Passed |
Implementation
42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a reasonable high-level structure for dependency auditing but lacks the concrete, executable guidance that would make it actionable. The instructions describe what to do without specifying how (no tool names, commands, or code examples). The progressive disclosure is well-handled with a clear reference to detailed resources.
Suggestions
Add specific tool commands for vulnerability scanning (e.g., `npm audit`, `pip-audit`, `trivy fs .`) with example output interpretation
Include concrete code or CLI examples for license checking (e.g., `license-checker --json`, `pip-licenses`)
Add validation checkpoints in the workflow (e.g., 'Run `npm audit --json` and verify no critical vulnerabilities before proceeding')
Replace abstract instructions like 'Inventory direct and transitive dependencies' with executable commands (e.g., `npm ls --all --json > deps.json`)
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is reasonably efficient but includes some unnecessary framing ('You are a dependency security expert...') and the 'Context' section restates what's already clear from the title and description. | 2 / 3 |
| Actionability | The instructions are vague and abstract ('Inventory direct and transitive dependencies', 'Run vulnerability and license scans') with no concrete commands, tools, or executable code examples. Claude is told what to do conceptually but not how to do it. | 1 / 3 |
| Workflow Clarity | Steps are listed in a logical sequence but lack validation checkpoints, specific tool commands, and feedback loops for error recovery. The workflow is conceptual rather than operational. | 2 / 3 |
| Progressive Disclosure | The skill appropriately keeps the overview concise and references a single external resource (implementation-playbook.md) for detailed tooling and templates, with clear signaling. | 3 / 3 |
| Total | | 8 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |