This skill enables Claude to check session security implementations within a codebase. It analyzes session management practices to identify potential vulnerabilities. Use this skill when a user requests to "check session security", "audit session handling", "review session implementation", or asks about "session security best practices" in their code. It helps identify issues like insecure session IDs, lack of proper session expiration, or insufficient protection against session fixation attacks. This skill leverages the session-security-checker plugin.
Overall score: 90
Quality: 53% (Does it follow best practices?)
Impact: 97%, 1.02x average score across 9 eval scenarios
Passed: no known issues
Quality
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that clearly defines its purpose, lists specific capabilities, and provides explicit trigger guidance. It covers concrete vulnerability types (session IDs, expiration, session fixation) which help both in matching user intent and distinguishing from other security-related skills. The only minor note is the mention of 'session-security-checker plugin' which adds implementation detail but doesn't detract from clarity.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: analyzes session management practices, identifies insecure session IDs, checks for lack of proper session expiration, and detects insufficient protection against session fixation attacks. | 3 / 3 |
| Completeness | Clearly answers both 'what' (analyzes session management practices, identifies vulnerabilities like insecure session IDs, lack of expiration, session fixation) and 'when' (explicit 'Use this skill when...' clause with multiple trigger phrases). | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms users would say: 'check session security', 'audit session handling', 'review session implementation', 'session security best practices', plus specific vulnerability terms like 'session fixation', 'session expiration', and 'session IDs'. | 3 / 3 |
| Distinctiveness / Conflict Risk | Occupies a clear niche focused specifically on session security within codebases. The trigger terms are highly specific to session management and unlikely to conflict with general security auditing or other code review skills. | 3 / 3 |
| Total | | 12 / 12 (Passed) |
Implementation: 7%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill content is almost entirely abstract and descriptive rather than actionable. It explains what the skill does conceptually but provides zero concrete implementation: no code, no commands, no tool invocations, no specific patterns to look for, and no reference to the 'session-security-checker plugin' mentioned in the description. It reads more like a marketing summary than an operational skill file.
Suggestions

- Add concrete, executable examples showing how to invoke the session-security-checker plugin with actual commands and expected output formats.
- Replace the abstract 'How It Works' section with specific steps: what files/patterns to search for, what tools to run, and what the output looks like.
- Remove the 'When to Use This Skill' and 'Best Practices' sections: these repeat the description metadata and contain generic knowledge Claude already has.
- Add a concrete example showing a vulnerable code snippet, the detection logic, and the expected report output format.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is verbose and explains concepts Claude already knows (what session fixation is, what session expiration means, basic security concepts). The 'When to Use This Skill' section repeats the description. The 'Best Practices' section lists generic security advice that Claude inherently understands. Nearly every section could be significantly trimmed. | 1 / 3 |
| Actionability | There is no concrete code, no executable commands, no specific tool invocations, and no actual implementation details. The skill describes what it will do in abstract terms ('analyze the code', 'identify vulnerabilities', 'generate a report') without showing how. The examples are vague descriptions of behavior rather than actionable guidance. The mention of a 'session-security-checker plugin' in the description is never referenced with actual usage instructions. | 1 / 3 |
| Workflow Clarity | The three-step workflow ('Analyze Codebase', 'Identify Vulnerabilities', 'Generate Report') is entirely abstract with no concrete steps, no commands, no validation checkpoints, and no error recovery. The examples similarly list vague steps without any specifics on what tools to run or how to verify results. | 1 / 3 |
| Progressive Disclosure | The content is organized into logical sections with clear headings, which provides some structure. However, there are no references to external files, no bundle files to reference, and the content that is present is shallow rather than appropriately split. The organization is reasonable but the content itself doesn't warrant the structure given its lack of substance. | 2 / 3 |
| Total | | 5 / 12 (Passed) |
Validation: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed
Validation for skill structure: no warnings or errors.