Cookie Security Analyzer - Auto-activating skill for Security Fundamentals. Triggers on: cookie security analyzer, cookie security analyzer. Part of the Security Fundamentals skill category.
3% (Does it follow best practices?)
Impact: 99%
1.05x average score across 3 eval scenarios: Passed
No known issues
Optimize this skill with Tessl:
npx tessl skill review --optimize ./planned-skills/generated/03-security-fundamentals/cookie-security-analyzer/SKILL.md
Quality
Discovery: 7%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is essentially a placeholder that restates the skill name without providing any meaningful information about capabilities, use cases, or trigger scenarios. It lacks concrete actions, natural trigger terms, and explicit 'when to use' guidance, making it nearly useless for skill selection among multiple options.
Suggestions
Add specific concrete actions the skill performs, e.g., 'Analyzes cookie configurations for security issues including missing HttpOnly, Secure, and SameSite flags, identifies session fixation risks, and recommends cookie hardening measures.'
Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about cookie security, session cookie vulnerabilities, cookie flags, HttpOnly, Secure attribute, SameSite policy, or web application cookie hardening.'
Remove the duplicate trigger term ('cookie security analyzer' is listed twice) and replace with diverse, natural phrases users would actually say, such as 'check my cookies', 'are my cookies secure', 'cookie best practices', 'session management security'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names a domain ('Cookie Security') but provides no concrete actions. It doesn't describe what the skill actually does: no mention of analyzing cookies, checking flags (HttpOnly, Secure, SameSite), identifying vulnerabilities, or any other specific capability. | 1 / 3 |
| Completeness | The description fails to answer 'what does this do' beyond the name itself, and the 'when' clause is just a repetition of the skill name rather than meaningful trigger guidance. Both dimensions are very weak. | 1 / 3 |
| Trigger Term Quality | The only trigger terms listed are 'cookie security analyzer' repeated twice. It misses natural user phrases like 'cookie vulnerabilities', 'HttpOnly', 'Secure flag', 'SameSite', 'session cookies', 'cookie settings', or 'web security audit'. | 1 / 3 |
| Distinctiveness / Conflict Risk | The term 'Cookie Security Analyzer' is somewhat specific to a niche (cookie security), which reduces conflict with unrelated skills. However, the lack of detail about what it does versus other security-related skills means overlap is still possible within a security skill set. | 2 / 3 |
| Total | | 5 / 12 Passed |
Implementation: 0%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is an empty shell with no substantive content. It consists entirely of generic meta-descriptions about what the skill supposedly does without providing any actual cookie security analysis guidance, code examples, or concrete instructions. It fails on every dimension because it teaches nothing: there are no cookie attributes mentioned (HttpOnly, Secure, SameSite, Path, Domain), no analysis methodology, and no executable examples.
Suggestions
Add concrete, executable code examples showing how to analyze cookie security attributes (e.g., checking for HttpOnly, Secure, SameSite flags) in at least one language/framework.
Define a clear workflow: 1) Extract cookies, 2) Check each security attribute against OWASP recommendations, 3) Report findings with severity levels, 4) Suggest fixes with code.
Replace all generic meta-descriptions ('Provides step-by-step guidance', 'Follows industry best practices') with actual security rules and specific cookie attribute requirements.
Add a quick-reference table of cookie attributes with their security implications and recommended values (e.g., SameSite=Lax/Strict, Secure=true, HttpOnly=true).
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is padded with generic filler text that provides no actionable information. Phrases like 'Provides step-by-step guidance' and 'Follows industry best practices' are vague platitudes that waste tokens without teaching Claude anything it doesn't already know. | 1 / 3 |
| Actionability | There is zero concrete guidance: no code, no commands, no specific cookie security attributes (HttpOnly, Secure, SameSite), no examples of analyzing or setting cookies. The skill describes what it does rather than instructing how to do anything. | 1 / 3 |
| Workflow Clarity | No workflow, steps, or process is defined. The skill claims to provide 'step-by-step guidance' but contains none. There are no validation checkpoints or any sequenced instructions. | 1 / 3 |
| Progressive Disclosure | The content is a monolithic block of generic meta-descriptions with no structured sections containing real content, no references to detailed files, and no meaningful organization beyond boilerplate headings. | 1 / 3 |
| Total | | 4 / 12 Passed |
Validation: 81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |