CtrlK
BlogDocsLog inGet started
Tessl Logo

sbom-analyzer

Software Bill of Materials (SBOM) security analysis for vulnerability assessment and third-party risk management. Validates SBOMs from vendors or generates SBOMs for internal projects. Use this skill when: - User asks to analyze an SBOM file - User mentions "third-party risk" or "vendor security" - User needs to validate a supplier's SBOM - User wants to check SBOM for vulnerabilities - User asks about CycloneDX or SPDX formats

72

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The content is highly actionable with executable tool calls, clear sequenced phases, and validation plus error-handling feedback loops. Its main weakness is progressive disclosure: a format-reference bundle file exists but is never linked from the body, leaving inlined detail that could be externalized.

Suggestions

Link to the existing bundle: in the 'Supported SBOM Formats' section add a pointer such as 'See [references/sbom-formats.md](references/sbom-formats.md) for full format schemas and key-field tables' and trim the inlined format-detail blocks accordingly.

Reduce token weight in Phase 3 by collapsing the fully populated example report into a terse schema/template with field definitions, keeping it actionable without a long worked sample.

Treat the vendor communication template as a candidate for the references bundle (e.g. references/vendor-outreach-template.md) and reference it one level deep, keeping the body focused on the scan-and-analyze workflow.

DimensionReasoningScore

Conciseness

The body is mostly efficient and avoids explaining concepts Claude already knows, but some sections are padded — the fully worked example tables in Phase 3 and the verbatim vendor email template add tokens that are illustrative rather than strictly necessary. Not a level 3 'every token earns its place', but tighter than the level-1 verbose anchor.

2 / 3

Actionability

Provides concrete, executable tool calls like 'mcp_snyk_snyk_sbom_scan(file="path/to/sbom.json", severity_threshold="medium")' and runnable CLI commands (snyk sbom --format=cyclonedx1.5+json), plus copy-paste report templates — fully executable guidance.

3 / 3

Workflow Clarity

A clear five-step Quick Start sequence plus phased steps (validation → scan → analysis → remediation) with explicit validation in Phase 1 and a dedicated Error Handling section providing fix-and-retry feedback loops, matching the top anchor.

3 / 3

Progressive Disclosure

A references/sbom-formats.md file exists and is real, but the SKILL.md body never signals or links to it (no 'See references/sbom-formats.md'), so the detailed format examples are inlined in the body rather than split out. Structure is present and one-level-deep but not clearly signaled, fitting the mid anchor.

2 / 3

Total

10

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific, third-person, and supplies an explicit 'Use this skill when' trigger list with natural user phrasings, fully addressing what and when. It occupies a clear niche unlikely to conflict with other skills.

DimensionReasoningScore

Specificity

Lists multiple concrete actions: 'vulnerability assessment', 'third-party risk management', 'Validates SBOMs from vendors', 'generates SBOMs for internal projects', matching the top anchor for naming specific concrete actions.

3 / 3

Completeness

Explicitly answers 'what' (vulnerability assessment and risk management; validates/generates SBOMs) and 'when' via an explicit 'Use this skill when:' clause with five bullet triggers, satisfying the top anchor.

3 / 3

Trigger Term Quality

Covers natural terms users would say including 'SBOM file', 'third-party risk', 'vendor security', 'check SBOM for vulnerabilities', 'CycloneDX or SPDX formats' — good coverage of phrasings a user would naturally invoke.

3 / 3

Distinctiveness Conflict Risk

The SBOM/vulnerability/CycloneDX/SPDX niche with distinct triggers is clearly separated from general security or file skills, making mis-triggering unlikely.

3 / 3

Total

12

/

12

Passed

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation16 / 16 Passed

Validation for skill structure

No warnings or errors.

Repository
snyk/studio-recipes
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.