This skill analyzes HTTP security headers of a given domain to identify potential vulnerabilities and misconfigurations. It provides a detailed report with a grade, score, and recommendations for improvement. Use this skill when the user asks to "analyze security headers", "check HTTP security", "scan for security vulnerabilities", or requests a "security audit" of a website. It will automatically activate when security-related keywords are used in conjunction with domain names or URLs.
Install with Tessl CLI
npx tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill analyzing-security-headers88
Quality
60%
Does it follow best practices?
Impact
94%
1.16x
Average score across 9 eval scenarios
Optimize this skill with Tessl
npx tessl skill review --optimize ./backups/skills-migration-20251108-070147/plugins/security/security-headers-analyzer/skills/security-headers-analyzer/SKILL.md
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that excels across all dimensions. It provides specific capabilities (header analysis, vulnerability identification, graded reports), includes natural trigger terms users would actually say, explicitly states when to use it, and carves out a distinct niche that won't conflict with other skills. The description uses proper third-person voice throughout.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple concrete actions: 'analyzes HTTP security headers', 'identify potential vulnerabilities and misconfigurations', 'provides a detailed report with a grade, score, and recommendations for improvement'. These are specific, actionable capabilities. | 3 / 3 |
| Completeness | Clearly answers both what (analyzes HTTP security headers, provides reports with grades/scores/recommendations) AND when (explicit 'Use this skill when...' clause with multiple trigger phrases and activation conditions). | 3 / 3 |
| Trigger Term Quality | Includes natural keywords users would say: 'analyze security headers', 'check HTTP security', 'scan for security vulnerabilities', 'security audit', 'domain names or URLs'. Good coverage of variations a user might naturally use. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly specific niche: HTTP security headers analysis for domains/URLs. The combination of 'security headers', 'HTTP', and 'domain/URL' creates a distinct trigger profile unlikely to conflict with general security or general web skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
20%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill content is overly descriptive and lacks actionable guidance. It explains concepts Claude already understands (what HTTP headers are, when to use security analysis) while failing to provide concrete implementation details, expected output formats, or specific header checks to perform. The examples are nearly identical and don't demonstrate actual outputs or edge cases.
Suggestions
Replace the verbose 'How It Works' and 'When to Use' sections with a concise quick-start showing the exact command/API call and expected output format
Add concrete examples of actual security header analysis output (e.g., specific headers to check like X-Frame-Options, CSP, HSTS with their expected values and failure conditions)
Include specific validation steps: what to do if the domain is unreachable, how to handle redirects, what constitutes a passing vs failing grade
Remove redundant examples that describe the same workflow twice - instead show one example with actual sample output
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Highly verbose with unnecessary explanations of what the skill does, when to use it, and repetitive examples. Claude doesn't need explanations like 'This skill allows Claude to automatically analyze' or detailed 'How It Works' sections describing obvious plugin behavior. | 1 / 3 |
| Actionability | No concrete code, commands, or executable guidance. The content describes what happens abstractly ('The skill will fetch headers') but provides no actual implementation details, API calls, or specific output formats Claude should produce. | 1 / 3 |
| Workflow Clarity | Steps are listed in a sequence (fetch, analyze, generate report) but lack any validation checkpoints, error handling, or specific details about what constitutes a proper analysis. No guidance on handling edge cases like unreachable domains or redirects. | 2 / 3 |
| Progressive Disclosure | Content is organized into sections but everything is inline in one file. The 'Integration' section hints at other plugins but doesn't provide clear references. The structure exists but content that could be condensed is spread across verbose sections. | 2 / 3 |
| Total | | 6 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.