Content Security Policy Generator - Auto-activating skill for Security Fundamentals. Triggers on: content security policy generator, content security policy generator Part of the Security Fundamentals skill category.
Impact — 96%
Does it follow best practices? 0.98x average score across 3 eval scenarios. Passed. No known issues.
Optimize this skill with Tessl: `npx tessl skill review --optimize ./planned-skills/generated/03-security-fundamentals/content-security-policy-generator/SKILL.md`

Quality
Discovery — 7%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is essentially a title and category label with no substantive content. It fails to describe what the skill actually does, provides no natural trigger terms beyond the repeated skill name, and lacks any 'Use when...' guidance. It would be nearly indistinguishable from a placeholder.
Suggestions
- Add specific concrete actions the skill performs, e.g., 'Generates Content-Security-Policy headers, configures directives (script-src, style-src, img-src), validates existing CSP rules, and recommends nonce or hash-based policies.'
- Add an explicit 'Use when...' clause with trigger scenarios, e.g., 'Use when the user asks about CSP, security headers, Content-Security-Policy, browser content restrictions, or XSS prevention via headers.'
- Include natural keyword variations users would actually say, such as 'CSP', 'CSP header', 'security headers', 'XSS protection', 'script-src directive', and '.htaccess security'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain ('Content Security Policy Generator') but does not describe any concrete actions. There are no specific capabilities listed such as 'generates CSP headers', 'validates directives', or 'configures nonce-based policies'. | 1 / 3 |
| Completeness | The description fails to answer both 'what does this do' (no concrete actions) and 'when should Claude use it' (no 'Use when...' clause or equivalent explicit trigger guidance). It only states the skill name and category. | 1 / 3 |
| Trigger Term Quality | The trigger terms are just the skill name repeated twice ('content security policy generator'). It misses natural variations users would say like 'CSP', 'CSP header', 'security headers', 'script-src', 'Content-Security-Policy', or 'browser security policy'. | 1 / 3 |
| Distinctiveness / Conflict Risk | The term 'Content Security Policy' is fairly specific to a particular web security concept, which provides some distinctiveness. However, the vague framing as part of 'Security Fundamentals' could overlap with other security-related skills, and the lack of specific actions reduces clarity. | 2 / 3 |
| Total | | 5 / 12 Passed |
Implementation — 0%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is an empty shell—a template placeholder with no substantive content about Content Security Policies. It contains no CSP directives, no example headers, no generation logic, and no actionable guidance whatsoever. It fails on every dimension because it describes what a skill would do rather than actually teaching anything.
Suggestions
- Add concrete CSP directive examples (e.g., `Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com;`) with explanations of common directives like default-src, script-src, style-src, img-src, connect-src.
- Provide a step-by-step workflow: 1) Audit current resource origins, 2) Draft policy in report-only mode, 3) Monitor violations via report-uri, 4) Tighten policy, 5) Enforce—with validation at each step.
- Include a ready-to-use CSP generator code snippet or template that takes inputs (allowed domains, inline script needs, etc.) and outputs a complete policy header.
- Remove all meta-description sections ('When to Use', 'Example Triggers', 'Capabilities') that describe the skill abstractly and replace them with actual CSP content, common pitfalls (e.g., unsafe-inline risks), and OWASP references.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is almost entirely filler and meta-description. It explains what the skill does in abstract terms without providing any actual CSP knowledge, directives, or examples. Every section restates the same vague information. | 1 / 3 |
| Actionability | There is zero concrete guidance—no CSP directives, no example policies, no code snippets, no commands. The content describes rather than instructs, offering nothing Claude could execute or apply. | 1 / 3 |
| Workflow Clarity | No workflow, steps, or process is defined. The skill claims to provide 'step-by-step guidance' but contains none. There are no validation checkpoints or sequenced instructions. | 1 / 3 |
| Progressive Disclosure | The content is a flat, monolithic block of vague descriptions with no references to detailed materials, no links to examples or advanced topics, and no meaningful structural organization beyond boilerplate headings. | 1 / 3 |
| Total | | 4 / 12 Passed |
Validation — 81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |
87f14eb