Generate and analyze AI Bill of Materials (AIBOM) for Python projects using AI/ML components. Identifies AI models, datasets, tools, and frameworks for security and compliance tracking.

Use this skill when:

- User asks to scan for AI components
- User wants to know what AI models a project uses
- User mentions "AI BOM", "AI inventory", or "ML security"
- User is working with Python AI/ML projects (PyTorch, TensorFlow, HuggingFace)
- User needs AI component compliance documentation
56
63% Does it follow best practices?
Impact: — (No eval scenarios have been run)
Passed: No known issues
Optimize this skill with Tessl:
`npx tessl skill review --optimize ./command_directives/synchronous_remediation/skills/ai-inventory/SKILL.md`

Quality
Discovery
100%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that excels across all dimensions. It provides specific capabilities, comprehensive trigger terms including both natural language phrases and technical terms, explicit 'Use when' guidance with multiple scenarios, and occupies a clearly distinct niche. The description uses proper third-person voice and is concise without unnecessary padding.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple concrete actions: 'Generate and analyze AI Bill of Materials', 'Identifies AI models, datasets, tools, and frameworks', and specifies the purpose 'security and compliance tracking'. These are specific, actionable capabilities. | 3 / 3 |
| Completeness | Clearly answers both 'what' (generate/analyze AIBOMs, identify AI models/datasets/tools/frameworks for security and compliance) and 'when' with an explicit 'Use this skill when:' clause listing five specific trigger scenarios. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'AI BOM', 'AI inventory', 'ML security', 'scan for AI components', 'AI models', 'Python AI/ML projects', and specific framework names like 'PyTorch, TensorFlow, HuggingFace'. These are terms users would naturally use. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive niche: AI Bill of Materials for Python projects is a very specific domain. The combination of AIBOM generation, AI component scanning, and ML security compliance is unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
27%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill wraps a single MCP tool call (`mcp_snyk_snyk_aibom`) but inflates it into a lengthy five-phase process with extensive report templates, risk frameworks, and compliance checklists that Claude already knows how to produce. The core actionable content (call the tool, validate output, summarize) could be conveyed in under 30 lines. The monolithic structure with no supporting bundle files wastes context window on template boilerplate and domain knowledge Claude already possesses.
Suggestions

- Drastically reduce content to focus on what Claude doesn't know: the MCP tool name, its parameters, expected output format, and key error conditions. Remove the risk assessment frameworks, compliance templates, and AI/ML concept explanations.
- Extract the report templates (Phase 3 summary, Phase 5 compliance report) into separate bundle files like TEMPLATES.md, referenced from the main skill only when needed.
- Remove the enumeration of AI/ML packages (torch, tensorflow, etc.) and explanations of prompt injection, model extraction, and bias — Claude already knows these concepts.
- Add concrete guidance on parsing the CycloneDX JSON output (e.g., key field paths like `components[].type`, `components[].licenses`) to make the analysis phase truly actionable.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is very verbose for what amounts to a single MCP tool call. Phases 4 and 5 contain extensive template content (risk assessment frameworks, compliance report templates, EU AI Act checklists) that Claude already knows how to generate. The AI/ML package list in Step 1.2, explanations of prompt injection, model extraction, and bias concepts are all things Claude inherently understands. Much of this could be reduced to a fraction of its current size. | 1 / 3 |
| Actionability | The core action is clear — call `mcp_snyk_snyk_aibom` with a path — but most of the skill is report templates and risk assessment guidance that are descriptive rather than executable. The validation steps (1.1, 1.2) lack concrete commands for checking project indicators. The report templates are fill-in-the-blank rather than showing how to extract data from the AIBOM JSON output. | 2 / 3 |
| Workflow Clarity | The five-phase structure provides clear sequencing, and Step 2.2 includes a validation checkpoint before proceeding. However, there are no feedback loops for error recovery beyond 'report the error and do not continue.' The validation in Phase 1 lacks concrete verification steps, and there's no guidance on what to do if the AIBOM output is partial or incomplete. | 2 / 3 |
| Progressive Disclosure | All content is monolithically inlined in a single file with no bundle files. The compliance report templates, risk assessment frameworks, and use case descriptions could easily be split into separate reference files. The result is a very long skill file that forces Claude to load extensive template content for every invocation, even when only the quick start is needed. | 1 / 3 |
| Total | | 6 / 12 Passed |
Validation
100%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
786986d