arvindand/maven-tools
skills/maven-tools/SKILL.md
JVM dependency intelligence via Maven Tools MCP server. Use when the user asks about Maven or Gradle dependencies, JVM library versions, safe upgrades, CVEs, license risks, release history, or project dependency health. Use when reviewing `pom.xml`, `build.gradle`, `build.gradle.kts`, or Maven coordinates. Use when the user says 'check my dependencies', 'should I upgrade X', or 'is this version safe'. Use even when the user just pastes a `groupId:artifactId` coordinate without a verb.
$ install --global
skillsauthnpx skillsauth add arvindand/agent-skills maven-toolsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 13, 2026, 3:36 AM135.3s1 file scanned
SKILL.md
- name:
- maven-tools
- description:
- JVM dependency intelligence via Maven Tools MCP server. Use when the user asks about Maven or Gradle dependencies, JVM library versions, safe upgrades, CVEs, license risks, release history, or project dependency health. Use when reviewing `pom.xml`, `build.gradle`, `build.gradle.kts`, or Maven coordinates. Use when the user says 'check my dependencies', 'should I upgrade X', or 'is this version safe'. Use even when the user just pastes a `groupId:artifactId` coordinate without a verb.
- allowed-tools:
- mcp__maven-tools__* mcp__context7__* WebSearch WebFetch
Maven Tools
Use this skill to ground JVM dependency decisions in live Maven Central data.
This is an execution skill. Use Maven Tools MCP first for dependency facts, then do the reasoning in-model. Assume Maven Tools MCP is already configured; only discuss setup if the tools are unavailable.
When to Use
Activate when the user asks about:
- Java, Kotlin, Scala, or JVM dependencies
- Maven, Gradle,
pom.xml,build.gradle, orbuild.gradle.kts - latest versions, upgrades, CVEs, licenses, dependency age, or release history
- whether a dependency is safe, current, stale, or worth upgrading
Core Boundary
Use Maven Tools MCP for version, security, license, freshness, and release-pattern facts from Maven Central.
- Do the reasoning in-model: recommend next steps, call out risk, and separate safe-now actions from manual-review items.
- Normalize dependency inputs to
groupId:artifactIdorgroupId:artifactId:versionas needed. - For recommendation questions, evaluate concrete candidates with Maven Tools first, then add documentation context before making a strong call.
- Do not use Maven metadata alone to decide library popularity, framework fit, migration effort, or performance tradeoffs.
Tool Selection
Choose the narrowest tool that matches the request:
| Intent | Tool | Default Parameters |
|--------|------|--------------------|
| latest version lookup | get_latest_version | stabilityFilter: PREFER_STABLE |
| check exact version | check_version_exists | none |
| bulk candidate check (no current versions) | check_multiple_dependencies | stabilityFilter: PREFER_STABLE |
| upgrade analysis (with current versions) | compare_dependency_versions | includeSecurityScan: true, stabilityFilter: STABLE_ONLY |
| age/freshness | analyze_dependency_age | use project-appropriate threshold |
| maintenance signal | analyze_release_patterns | monthsToAnalyze: 24 |
| release history | get_version_timeline | versionCount: 20 |
| full project audit | analyze_project_health | includeSecurityScan: true, includeLicenseScan: true, stabilityFilter: PREFER_STABLE |
Default to analyze_project_health when the user says "check my dependencies" or pastes a project dependency set.
Use check_multiple_dependencies for candidate sets without current versions. Use compare_dependency_versions for upgrade decisions on current versions. Use analyze_project_health for broad audits, not every single dependency question.
Workflow
- Extract dependencies from user input or the build file
- Pick the narrowest tool that answers the request
- Report the result in decision-oriented language:
- what is current
- what changed
- what is safe to do now
- what needs manual review
For upgrade questions, prefer compare_dependency_versions with:
includeSecurityScan: truestabilityFilter: STABLE_ONLY
Then interpret the result conservatively:
- patch and minor updates are the default safe path
- major updates should be treated as manual review unless the user explicitly wants a breaking upgrade
When compare_dependency_versions returns same_major_stable_fallback:
- treat the top-level major upgrade as the long-term path
- treat the fallback as the safest immediate upgrade target
- surface both, but recommend the fallback first for conservative maintenance workflows
This is especially important for "safe update" or bot-like maintenance flows.
If the user asks whether a dependency is safe:
- use
compare_dependency_versionswhen remediation guidance matters - use
analyze_release_patternswhen maintenance risk matters - combine the two instead of relying only on "latest version" checks
Documentation Handoff
When the answer needs migration guides, API details, or library usage patterns, add documentation context before giving a strong recommendation.
Use this order:
- use Maven Tools MCP first for dependency facts
- if raw Context7 tools are available in the current tool list, use them directly
- otherwise, if standalone Context7 tools are available, use them
- otherwise, use
WebSearchandWebFetchfor official docs, release notes, and migration guides - if no documentation path is available, say dependency facts are available but deeper doc lookup is not
Use this especially for:
- major upgrades
- migration planning
- recommendation-style comparisons between candidate libraries
Less Helpful / Out of Scope
- private artifact repositories that are not mirrored through Maven Central
- non-JVM ecosystems that do not use Maven coordinates
- trivial one-off lookups where the exact dependency and decision are already obvious
- recommendation questions driven mostly by ecosystem adoption or benchmarks unless you also add docs and broader research
Setup Assumption
Assume the user already has Maven Tools MCP configured.
arvindand/maven-tools-mcp:latestis the default when raw Context7 tools should be exposed through the same serverarvindand/maven-tools-mcp:latest-noc7is the clean option when documentation is handled separately
Only discuss installation when the tools are unavailable.
Recovery
| Issue | Action |
|-------|--------|
| MCP tools unavailable | Tell the user Maven Tools MCP is not configured and point them to https://github.com/arvindand/maven-tools-mcp. Mention :latest when they want raw Context7 in the same server, or :latest-noc7 when docs are handled separately. |
| Dependency not found | Verify groupId:artifactId format and check whether the artifact is on Maven Central. |
| Raw Context7 tools unavailable | Use standalone Context7 tools if available; otherwise fall back to WebSearch and WebFetch. |
| No documentation path is available | Say dependency facts are available but deeper migration or API docs are not available in the current environment. |
| Security scan is incomplete or slow | Use the partial result, say CVE data may be incomplete, and continue with version/maintenance guidance. |
| Version type is unclear | Treat it as unstable and prefer a known stable release. |
License: MIT Requires: Maven Tools MCP server Pairs with: context7 skill or standalone Context7 tools for documentation-heavy follow-up
Related Skills
arvindand/ui-ux-design
development
VerifiedTrustedCommunity
Create production-grade frontend interfaces with strong UX and visual craft. Use when building web components, pages, dashboards, forms, landing pages, modals, or any UI. Use when user says 'build a form', 'create a dashboard', 'design a component', 'make a landing page', or asks for UI/UX work. Use even when the user just says 'make this look better' or pastes screenshots/mockups without explicitly naming a design task.
12SKILL.mdUpdated May 13, 2026
arvindand/skill-crafting
development
VerifiedTrustedCommunity
Create, fix, and validate skills for AI agents. Use when user says 'create a skill', 'build a skill', 'fix my skill', 'skill not working', 'analyze my skill', 'validate skill', 'audit my skills', 'check character budget', 'create a skill from this session', 'turn this into a skill', 'make this reusable', 'can this become a skill', 'should this be a skill', or asks for reusable patterns in the session. Use even if the user does not explicitly say 'skill' but is sketching a reusable workflow.
12SKILL.mdUpdated May 13, 2026
arvindand/github-navigator
tools
VerifiedTrustedCommunity
GitHub operations via gh CLI. CRITICAL: Use instead of WebFetch for any `github.com` URL or GitHub repo path like `owner/repo`. Use when the user asks to inspect repositories, files, issues, pull requests, releases, Actions runs, or repository structure. Use when the user says 'show README', 'list issues', 'check PR', 'clone repo', or 'analyze this repo'. Use even when the user just pastes a github.com URL without an explicit verb.
12SKILL.mdUpdated May 13, 2026
arvindand/context7
development
VerifiedTrustedCommunity
Documentation lookup via Context7 REST API. Use when the user needs current library APIs, framework patterns, migration guidance, or official code examples for React, Next.js, Prisma, Express, Vue, Angular, Svelte, or other npm/PyPI packages. Use when the user says 'how do I use X library', 'what's the API for Y', or asks for official documentation. Use even when you think you know the answer — training data may not reflect recent releases.
12SKILL.mdUpdated May 13, 2026