snyk-fix
Complete security remediation workflow. Scans code for vulnerabilities using Snyk, fixes them, validates the fix, and optionally creates a PR. Supports both single-issue and batch mode for multiple vulnerabilities. Use this skill when: - User asks to fix security vulnerabilities - User mentions "snyk fix", "security fix", or "remediate vulnerabilities" - User wants to fix a specific CVE, Snyk ID, or vulnerability type (XSS, SQL injection, path traversal, etc.) - User wants to upgrade a vulnerable dependency - User asks to "fix all" vulnerabilities or "fix all high/critical" issues (batch mode)
64
77%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./command_directives/synchronous_remediation/skills/snyk-fix/SKILL.mdQuality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly articulates what the skill does (scan, fix, validate, PR creation for security vulnerabilities via Snyk) and when to use it with a comprehensive list of trigger scenarios. The description is well-structured, uses third-person voice, includes natural user language, and occupies a distinct niche that minimizes conflict with other skills.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: scans code for vulnerabilities using Snyk, fixes them, validates the fix, creates a PR. Also specifies single-issue and batch mode capabilities. | 3 / 3 |
Completeness | Clearly answers both 'what' (scans, fixes, validates, creates PR, supports single and batch mode) and 'when' with an explicit 'Use this skill when:' clause listing five specific trigger scenarios. | 3 / 3 |
Trigger Term Quality | Excellent coverage of natural trigger terms users would say: 'fix security vulnerabilities', 'snyk fix', 'security fix', 'remediate vulnerabilities', 'CVE', 'Snyk ID', 'XSS', 'SQL injection', 'path traversal', 'upgrade a vulnerable dependency', 'fix all', 'fix all high/critical'. | 3 / 3 |
Distinctiveness Conflict Risk | Clearly scoped to Snyk-based security vulnerability remediation with distinct triggers like 'snyk fix', 'CVE', 'Snyk ID', and specific vulnerability types. Unlikely to conflict with general code review or non-security skills. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
55%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is highly actionable and has excellent workflow clarity with well-defined phases, validation checkpoints, and error recovery paths. However, it is severely over-long and monolithic — it tries to encode an entire complex remediation framework in a single file without any progressive disclosure or content splitting. The verbosity significantly undermines its effectiveness as a context-window-consuming skill, explaining concepts Claude already knows and providing exhaustive decision trees that could be condensed.
Suggestions
Split content into multiple files: move SCA remediation strategies (Phase 4 + 4a) into a separate SCA_REMEDIATION.md, batch mode details into BATCH_MODE.md, and output templates into TEMPLATES.md, keeping SKILL.md as a concise overview with phase summaries and references.
Remove explanations of concepts Claude already knows — e.g., don't list common vulnerability types (SQL injection, XSS, path traversal) with their fix patterns; Claude knows these. Instead, just say 'Apply standard remediation for the vulnerability type.'
Condense the breakability decision trees into a single compact table rather than repeating similar logic for Strategy A/B and Strategy C separately with nearly identical thresholds.
Remove the 'common install/resolve commands' reference table — Claude knows package manager commands. Replace with a single line: 'Run the ecosystem-appropriate install/resolve command.'
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | This skill is extremely verbose at ~400+ lines. It over-specifies decision trees, fallback logic, and edge cases that Claude could infer. Many sections (e.g., explaining what SQL injection or XSS are, listing common install commands Claude already knows, the full advisory template) add significant token overhead. The semver analysis table, breakability decision trees, and multiple output format templates could be drastically condensed. | 1 / 3 |
Actionability | The skill provides highly concrete, executable guidance throughout: specific MCP tool calls with parameters, exact git commands, specific decision trees with clear conditions and actions, output format templates, and precise error handling tables. Every phase has actionable steps rather than vague descriptions. | 3 / 3 |
Workflow Clarity | The multi-step workflow is exceptionally well-sequenced with 7 clear phases, explicit validation checkpoints (Phase 5 re-scan, test running, linting), feedback loops (max 3 attempts per instance, revert triggers), and clear stop conditions. The batch mode planning step requires user confirmation before proceeding, and rollback triggers are explicitly defined for destructive operations. | 3 / 3 |
Progressive Disclosure | The entire skill is a monolithic wall of text with no references to supporting files. Given the complexity and length (~400+ lines covering single mode, batch mode, SCA strategies, code vuln patterns, advisory templates, error handling), this content desperately needs to be split into separate files (e.g., SCA remediation strategies, advisory templates, error handling reference). No bundle files are provided to offload any of this content. | 1 / 3 |
Total | 8 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
skill_md_line_count | SKILL.md is long (532 lines); consider splitting into references/ and linking | Warning |
Total | 10 / 11 Passed | |
- Repository
- snyk/studio-recipes
- Commit
786986d
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.