`tessl i github:sickn33/antigravity-awesome-skills --skill codebase-cleanup-deps-audit`

Description under review: "You are a dependency security expert specializing in vulnerability scanning, license compliance, and supply chain security. Analyze project dependencies for known vulnerabilities, licensing issues, outdated packages, and provide actionable remediation strategies."
Activation
Score: 33%

The description identifies a clear domain (dependency security) and lists relevant capabilities, but suffers from two major issues: it uses second-person framing ('You are a...'), which violates the third-person voice requirement, and it completely lacks explicit trigger guidance for when Claude should select this skill. The description reads more like a system prompt than a skill selector.
Suggestions
- Add an explicit 'Use when...' clause with trigger terms like 'dependency vulnerabilities', 'npm audit', 'security scan', 'outdated packages', 'CVE', or 'license check'.
- Rewrite in third-person voice (e.g., 'Analyzes project dependencies for known vulnerabilities...') instead of the current 'You are...' framing.
- Include specific package manager keywords users would mention: npm, pip, maven, yarn, cargo, package.json, requirements.txt.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (dependency security) and lists several actions (vulnerability scanning, license compliance, supply chain security, analyze dependencies), but uses somewhat abstract language like 'actionable remediation strategies' rather than concrete specific actions like 'generate upgrade commands' or 'create security reports'. | 2 / 3 |
| Completeness | Describes what the skill does but completely lacks a 'Use when...' clause or any explicit trigger guidance. There is no indication of when Claude should select this skill over others. | 1 / 3 |
| Trigger Term Quality | Includes relevant terms like 'vulnerability scanning', 'license compliance', 'outdated packages', and 'dependencies', but misses common user phrases like 'npm audit', 'security scan', 'CVE', 'package vulnerabilities', or specific package manager names users would naturally mention. | 2 / 3 |
| Distinctiveness / Conflict Risk | The focus on dependency security and supply chain is somewhat specific, but terms like 'analyze project' and 'provide actionable remediation' could overlap with general code review or security audit skills. | 2 / 3 |
| Total | | 7 / 12 (Passed) |
Implementation
Score: 35%

This skill provides a reasonable structure and appropriate scoping for dependency security analysis, but critically lacks actionable, executable guidance. The instructions read as abstract task descriptions rather than concrete steps Claude can follow. The skill would benefit significantly from specific tool commands (npm audit, pip-audit, etc.), example outputs, and integrated validation checkpoints.
Suggestions
- Add concrete, executable commands for common package managers (e.g., `npm audit --json`, `pip-audit`, `cargo audit`) with example output parsing.
- Include a specific example showing input (dependency manifest) and expected output format with actual vulnerability data.
- Integrate validation checkpoints into the workflow, such as 'Run `npm audit` and verify output before proceeding to upgrades'.
- Remove or condense the 'Use this skill when' / 'Do not use this skill when' sections, as Claude can infer appropriate usage from the skill description.
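To make the first three suggestions concrete, here is the kind of worked example the skill body is missing: it parses `npm audit --json` output (the `auditReportVersion: 2` shape that npm 7 and later emit), turns it into a validation checkpoint that blocks the upgrade step above a chosen severity, and splits the available fixes into non-breaking installs and semver-major bumps that need a staging run first. This is an added example written for this review, not code from the skill or its repository; the embedded report is constructed sample data with placeholder package names and advisory titles, not real vulnerability data, and `run_npm_audit` is only there to show how the real report would be obtained.

```python
"""Parse `npm audit --json` output and gate upgrades on severity.

Added example for this review; it is not the skill's own code. The report
below is CONSTRUCTED sample data in the npm v7+ `auditReportVersion: 2` shape
with placeholder package names and advisory titles, not real vulnerability data.
"""
import json
import subprocess

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample: one direct high, one transitive moderate that reaches a
# direct dependency and whose only fix is a semver-major bump of that parent.
SAMPLE_REPORT = json.loads(r"""
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "pad-demo": {
      "name": "pad-demo", "severity": "high", "isDirect": true,
      "via": [{"source": 1, "name": "pad-demo", "dependency": "pad-demo",
               "title": "constructed advisory A", "url": "https://example.invalid/a",
               "severity": "high", "range": "<1.2.0"}],
      "effects": [], "range": "<1.2.0", "nodes": ["node_modules/pad-demo"],
      "fixAvailable": {"name": "pad-demo", "version": "1.2.0", "isSemVerMajor": false}
    },
    "deep-demo": {
      "name": "deep-demo", "severity": "moderate", "isDirect": false,
      "via": [{"source": 2, "name": "deep-demo", "dependency": "deep-demo",
               "title": "constructed advisory B", "url": "https://example.invalid/b",
               "severity": "moderate", "range": "<0.9.1"}],
      "effects": ["framework-demo"], "range": "<0.9.1",
      "nodes": ["node_modules/deep-demo"],
      "fixAvailable": {"name": "framework-demo", "version": "5.0.0", "isSemVerMajor": true}
    },
    "framework-demo": {
      "name": "framework-demo", "severity": "moderate", "isDirect": true,
      "via": ["deep-demo"],
      "effects": [], "range": "<=4.9.9", "nodes": ["node_modules/framework-demo"],
      "fixAvailable": {"name": "framework-demo", "version": "5.0.0", "isSemVerMajor": true}
    }
  },
  "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 2,
                                   "high": 1, "critical": 0, "total": 3}}
}
""")


def run_npm_audit(cwd: str = ".") -> dict:
    """Run the real command. npm exits non-zero whenever it finds something,
    so do not pass check=True; the JSON report on stdout is still complete."""
    proc = subprocess.run(["npm", "audit", "--json"], cwd=cwd,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def findings(report: dict) -> list[dict]:
    """One row per vulnerable package. Entries in `via` are either advisory
    objects or bare strings naming another vulnerable package this one depends
    on; only the objects carry advisory data, so the strings are skipped."""
    rows = []
    for name, v in report.get("vulnerabilities", {}).items():
        advisories = [a for a in v.get("via", []) if isinstance(a, dict)]
        fix = v.get("fixAvailable")  # dict, or a bare true/false from npm
        rows.append({
            "package": name,
            "severity": v["severity"],
            "direct": bool(v.get("isDirect")),
            "advisories": [a.get("title", "") for a in advisories],
            "fix": fix if isinstance(fix, dict) else None,
            "breaking": isinstance(fix, dict) and bool(fix.get("isSemVerMajor")),
        })
    return rows


def gate(report: dict, fail_on: str = "high") -> tuple[bool, list[str]]:
    """Validation checkpoint: returns (ok, blocking packages). ok is False when
    any package is at or above `fail_on`; the upgrade step should not run then."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = sorted(r["package"] for r in findings(report)
                      if SEVERITY_RANK[r["severity"]] >= threshold)
    return (not blocking, blocking)


def upgrade_plan(report: dict) -> dict[str, list[str]]:
    """Split fixes into non-breaking installs and semver-major bumps that need
    review and a staging run before they are applied. Deduplicates commands
    when several findings share one fix."""
    plan: dict[str, list[str]] = {"safe": [], "major": []}
    for r in findings(report):
        if r["fix"] is None:
            continue
        cmd = f"npm install {r['fix']['name']}@{r['fix']['version']}"
        bucket = "major" if r["breaking"] else "safe"
        if cmd not in plan[bucket]:
            plan[bucket].append(cmd)
    return plan


if __name__ == "__main__":
    ok, blocking = gate(SAMPLE_REPORT, fail_on="high")
    print("proceed" if ok else f"blocked by: {', '.join(blocking)}")
    print(json.dumps(upgrade_plan(SAMPLE_REPORT), indent=2))
```

Replacing `SAMPLE_REPORT` with `run_npm_audit()` runs it against a real project. The checkpoint reads the per-package `severity` rather than `metadata.vulnerabilities`, so a transitive finding that only reaches a direct dependency through `effects` still counts, and the `isSemVerMajor` split is what keeps the "verify upgrades in staging" safety note from being an afterthought.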
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill has some unnecessary sections like 'Context' that restate the description, and the 'Use this skill when' / 'Do not use this skill when' sections add moderate overhead. However, it is not excessively verbose. | 2 / 3 |
| Actionability | The instructions are vague and abstract ('Inventory direct and transitive dependencies', 'Run vulnerability and license scans') without any concrete commands, tools, or executable code. No specific scanner commands, no example outputs, no actual tooling guidance. | 1 / 3 |
| Workflow Clarity | Steps are listed in a logical sequence but lack validation checkpoints, specific tool commands, and feedback loops. The 'Verify upgrades in staging' safety note is good but not integrated into a clear workflow with explicit validation steps. | 2 / 3 |
| Progressive Disclosure | References the implementation playbook appropriately for detailed workflows, but the main skill content is thin and delegates too much to the external resource without providing enough actionable content in the skill itself. | 2 / 3 |
| Total | | 7 / 12 (Passed) |
Validation
Score: 69%

| Criteria | Description | Result |
|---|---|---|
| description_trigger_hint | Description may be missing an explicit 'when to use' trigger hint (e.g., 'Use when...') | Warning |
| metadata_version | 'metadata' field is not a dictionary | Warning |
| license_field | 'license' field is missing | Warning |
| body_examples | No examples detected (no code fences and no 'Example' wording) | Warning |
| body_steps | No step-by-step structure detected (no ordered list); consider adding a simple workflow | Warning |
| Total | | 11 / 16 (Passed) |
Reviewed