This skill analyzes HTTP security headers of a given domain to identify potential vulnerabilities and misconfigurations. It provides a detailed report with a grade, score, and recommendations for improvement. Use this skill when the user asks to "analyze security headers", "check HTTP security", "scan for security vulnerabilities", or requests a "security audit" of a website. It will automatically activate when security-related keywords are used in conjunction with domain names or URLs.
87
53%
Does it follow best practices?
Impact: 94% (1.16x average score across 9 eval scenarios)
Advisory: Suggest reviewing before use
Optimize this skill with Tessl: `npx tessl skill review --optimize ./backups/skills-migration-20251108-070147/plugins/security/security-headers-analyzer/skills/security-headers-analyzer/SKILL.md`

Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly articulates what the skill does (analyzes HTTP security headers, provides graded reports with recommendations), when to use it (explicit trigger phrases and activation conditions), and occupies a distinct niche. It uses third-person voice consistently and includes natural trigger terms that users would actually say.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple concrete actions: analyzes HTTP security headers, identifies vulnerabilities and misconfigurations, provides a detailed report with grade/score/recommendations. These are specific, actionable capabilities. | 3 / 3 |
| Completeness | Clearly answers both 'what' (analyzes HTTP security headers, provides report with grade/score/recommendations) and 'when' (explicit 'Use this skill when...' clause with multiple trigger phrases and activation conditions). | 3 / 3 |
| Trigger Term Quality | Includes natural trigger terms users would say: 'analyze security headers', 'check HTTP security', 'scan for security vulnerabilities', 'security audit', plus mentions 'domain names or URLs'. Good coverage of natural variations. | 3 / 3 |
| Distinctiveness Conflict Risk | Clearly scoped to HTTP security headers analysis of domains/URLs. The niche is well-defined and distinct — unlikely to conflict with general security skills, code review skills, or generic web tools. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
7%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill content reads like a marketing description rather than an actionable skill. It lacks any concrete implementation details—no code, no specific headers to check, no scoring criteria, no report format, and no commands. The two examples are virtually identical and add no instructional value. The content tells Claude what the skill does conceptually but never tells it how to actually do it.
Suggestions
Add concrete implementation: include a curl command or Python script to fetch headers, a specific list of security headers to check (e.g., Strict-Transport-Security, Content-Security-Policy, X-Frame-Options), and the criteria for grading each one.
Define the output format: provide an example report with actual header analysis, scores, grades, and recommendations so Claude knows exactly what to produce.
Remove redundant sections: 'When to Use This Skill' repeats the description, and both examples describe identical generic steps. Replace with one concrete example showing actual input URL and expected output report.
Add a scoring rubric: specify how the grade (A-F) and numeric score are calculated based on which headers are present/missing/misconfigured.
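The suggestions above ask for a concrete header checklist and a grading rubric. The following is an added example of what that could look like, not code from the skill or from Tessl: it scores an already-fetched header mapping (a constructed sample stands in for a live fetch), and the header list, point weights and A-F thresholds are illustrative assumptions rather than any standard.

```python
import re

# Constructed sample response headers (assumption, not from a real domain);
# X-Frame-Options carries an invalid value to show a "weak" finding
SAMPLE_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "x-content-type-options": "nosniff",
    "x-frame-options": "ALLOWALL",
}

def check_hsts(value):
    # Require max-age of at least one year (31536000 seconds)
    m = re.search(r"max-age=(\d+)", value, re.I)
    return "pass" if m and int(m.group(1)) >= 31536000 else "weak"

def check_csp(value):
    # 'unsafe-inline' / 'unsafe-eval' let injected script run despite a CSP
    return "weak" if re.search(r"'unsafe-(inline|eval)'", value) else "pass"

def check_frame(value):
    return "pass" if value.upper() in ("DENY", "SAMEORIGIN") else "weak"

def check_nosniff(value):
    return "pass" if value.lower() == "nosniff" else "weak"

def check_referrer(value):
    ok = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
    return "pass" if value.lower() in ok else "weak"

# Illustrative weights (assumption): header -> (checker, points); weak earns half
CHECKS = {
    "strict-transport-security": (check_hsts, 30),
    "content-security-policy": (check_csp, 30),
    "x-frame-options": (check_frame, 15),
    "x-content-type-options": (check_nosniff, 15),
    "referrer-policy": (check_referrer, 10),
}

def analyze(headers):
    """Return (score 0-100, letter grade, per-header finding) for a header mapping."""
    h = {k.lower(): v for k, v in headers.items()}
    score, findings = 0, {}
    for name, (checker, points) in CHECKS.items():
        status = checker(h[name]) if name in h else "missing"
        score += {"pass": points, "weak": points // 2, "missing": 0}[status]
        findings[name] = status
    grade = next(g for g, floor in (("A", 90), ("B", 80), ("C", 70), ("D", 60), ("F", 0)) if score >= floor)
    return score, grade, findings
```

Calling `analyze(SAMPLE_HEADERS)` on the constructed sample yields a score of 67 and grade D, with Content-Security-Policy and X-Frame-Options reported weak and Referrer-Policy missing.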
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is verbose and explains things Claude already knows. The 'How It Works' section describes obvious steps (fetch headers, analyze, generate report). The 'When to Use This Skill' section repeats the description. Both examples are nearly identical and describe the same three generic steps without adding value. The 'Overview' restates the description. | 1 / 3 |
| Actionability | There is no concrete code, no specific commands, no executable examples, and no actual list of which headers to check or how to check them. The content describes what the skill does abstractly ('the plugin fetches...analyzes...generates') without providing any actionable implementation details like curl commands, specific header names to validate, scoring criteria, or report format. | 1 / 3 |
| Workflow Clarity | The steps listed are vague and high-level ('fetch headers', 'analyze headers', 'generate report') with no validation checkpoints, no error handling, no specifics about what constitutes a passing/failing header, and no concrete scoring methodology. There is no feedback loop or recovery path. | 1 / 3 |
| Progressive Disclosure | The content is organized into sections with headers, which provides some structure. However, there are no references to external files, no bundle files exist, and content that could benefit from separation (like a detailed header checklist or scoring rubric) is neither inline nor referenced. The structure exists but doesn't serve progressive disclosure since there's no detailed content to disclose. | 2 / 3 |
| Total | | 5 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
13d35b8