tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill analyzing-security-headers

This skill analyzes HTTP security headers of a given domain to identify potential vulnerabilities and misconfigurations. It provides a detailed report with a grade, score, and recommendations for improvement. Use this skill when the user asks to "analyze security headers", "check HTTP security", "scan for security vulnerabilities", or requests a "security audit" of a website. It will automatically activate when security-related keywords are used in conjunction with domain names or URLs.
Validation
81%

| Criteria | Description | Result |
|---|---|---|
| metadata_version | 'metadata' field is not a dictionary | Warning |
| license_field | 'license' field is missing | Warning |
| body_output_format | No obvious output/return/format terms detected; consider specifying expected outputs | Warning |
| Total | 13 / 16 Passed | |
Implementation
20%

This skill content is overly descriptive and lacks actionable guidance. It explains what the skill does conceptually but provides no concrete implementation details, specific headers to check, scoring criteria, or example output formats. The examples are nearly identical and don't demonstrate different scenarios or expected outputs.
Suggestions
Remove the 'How It Works' and 'When to Use This Skill' sections - these describe obvious plugin behavior that Claude doesn't need explained.
Add concrete details: list the specific security headers being checked (HSTS, CSP, X-Frame-Options, etc.) with their expected values or configurations.
Include an example output format showing what the security report looks like (grade scale, score calculation, recommendation format).
Add error handling guidance for edge cases like unreachable domains, redirects, or sites returning unusual responses.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Highly verbose with unnecessary explanations of what the skill does, when to use it, and repetitive examples. Claude doesn't need explanations like 'This skill allows Claude to automatically analyze' or detailed 'How It Works' sections describing obvious plugin behavior. | 1 / 3 |
| Actionability | No concrete code, commands, or executable guidance. The content describes what happens abstractly ('The skill will fetch headers') but provides no actual implementation details, API calls, or specific header checks to perform. | 1 / 3 |
| Workflow Clarity | Steps are listed in 'How It Works' but they describe plugin behavior rather than actionable workflow. No validation checkpoints or error handling for cases like unreachable domains or redirect chains. | 2 / 3 |
| Progressive Disclosure | Content is organized into sections but everything is inline in one file. The 'Integration' section hints at other plugins but provides no references. For a simple skill this could work, but the content itself is bloated rather than well-structured. | 2 / 3 |
| Total | 6 / 12 Passed | |
Activation
100%

This is a well-crafted skill description that excels across all dimensions. It clearly specifies concrete capabilities (header analysis, vulnerability identification, graded reports), includes natural trigger terms users would actually say, explicitly states when to use it, and carves out a distinct niche around HTTP security header analysis for websites.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple concrete actions: 'analyzes HTTP security headers', 'identify potential vulnerabilities and misconfigurations', 'provides a detailed report with a grade, score, and recommendations for improvement'. These are specific, actionable capabilities. | 3 / 3 |
| Completeness | Clearly answers both what (analyzes HTTP security headers, provides reports with grades/scores/recommendations) AND when (explicit 'Use this skill when...' clause with specific trigger phrases and activation conditions). | 3 / 3 |
| Trigger Term Quality | Includes natural keywords users would say: 'analyze security headers', 'check HTTP security', 'scan for security vulnerabilities', 'security audit', 'domain names or URLs'. Good coverage of variations. | 3 / 3 |
| Distinctiveness Conflict Risk | Clear niche focused specifically on HTTP security headers analysis for domains/URLs. The combination of 'security headers' + 'domain/URL' creates distinct triggers unlikely to conflict with general security or general web skills. | 3 / 3 |
| Total | 12 / 12 Passed | |
Reviewed