cookie-security-analyzer
Cookie Security Analyzer - Auto-activating skill for Security Fundamentals. Triggers on: cookie security analyzer, cookie security analyzer Part of the Security Fundamentals skill category.
36
3%
Does it follow best practices?
Impact
99%
1.05xAverage score across 3 eval scenarios
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./planned-skills/generated/03-security-fundamentals/cookie-security-analyzer/SKILL.mdQuality
Discovery
7%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is essentially a title with no substantive content. It fails to describe what the skill actually does (e.g., what aspects of cookie security it analyzes), provides no natural trigger terms beyond repeating its own name, and lacks any explicit 'Use when...' guidance. It would be nearly impossible for Claude to reliably select this skill from a pool of similar security-related skills.
Suggestions
Add specific capabilities such as 'Analyzes cookie attributes including HttpOnly, Secure, SameSite, Domain, and Path flags for security misconfigurations'.
Add a 'Use when...' clause with natural trigger terms like 'cookie vulnerabilities', 'session security', 'cookie flags', 'HttpOnly', 'Secure attribute', 'SameSite policy', or 'web application cookie audit'.
Remove the duplicate trigger term ('cookie security analyzer' is listed twice) and replace with varied, natural phrases users would actually say when needing this skill.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | The description names a domain ('Cookie Security') but describes no concrete actions. There are no specific capabilities listed like 'analyzes cookie attributes', 'checks HttpOnly/Secure flags', or 'identifies session vulnerabilities'. It's essentially just a label. | 1 / 3 |
Completeness | The description fails to answer 'what does this do' beyond the name itself, and the 'when' clause is just a redundant repetition of the skill name rather than meaningful trigger guidance. Both dimensions are very weak. | 1 / 3 |
Trigger Term Quality | The only trigger terms listed are 'cookie security analyzer' repeated twice. It misses natural user phrases like 'cookie vulnerabilities', 'session cookies', 'HttpOnly', 'Secure flag', 'SameSite', 'cookie audit', or 'web security cookies'. | 1 / 3 |
Distinctiveness Conflict Risk | The term 'cookie security' is somewhat specific and narrows the domain, which reduces conflict with generic security skills. However, without concrete actions or detailed triggers, it could still overlap with broader web security or application security skills. | 2 / 3 |
Total | 5 / 12 Passed |
Implementation
0%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is entirely a meta-description placeholder with no actual content about cookie security analysis. It contains no executable code, no specific security attributes to check (HttpOnly, Secure, SameSite, Domain, Path, Expires), no analysis workflow, and no concrete guidance whatsoever. It fails on every dimension because it describes what it should do rather than actually doing it.
Suggestions
Add concrete cookie security analysis steps: check for HttpOnly, Secure, SameSite, Domain scoping, expiration policies, and prefix conventions (__Host-, __Secure-)
Include executable code examples for parsing and analyzing cookies (e.g., Python script to inspect Set-Cookie headers and flag insecure attributes)
Define a clear workflow: 1) Extract cookies from response headers, 2) Check each attribute against security baseline, 3) Flag violations with severity levels, 4) Output a structured report
Replace the generic 'Example Triggers' and 'Capabilities' sections with actual reference material such as OWASP cookie security guidelines and common vulnerability patterns
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The content is padded with generic filler that tells Claude nothing useful. Phrases like 'Provides step-by-step guidance' and 'Follows industry best practices' are vague platitudes. The entire file explains what the skill is rather than providing any actual cookie security analysis knowledge. | 1 / 3 |
Actionability | There is zero concrete, executable guidance. No code examples, no specific cookie attributes to check (HttpOnly, Secure, SameSite), no commands, no analysis steps. The content only describes the skill abstractly without instructing Claude how to actually analyze cookie security. | 1 / 3 |
Workflow Clarity | No workflow or process steps are defined. There is no sequence for analyzing cookies, no validation checkpoints, and no error handling. The skill claims to provide 'step-by-step guidance' but contains none. | 1 / 3 |
Progressive Disclosure | The content is a monolithic block of meta-description with no meaningful structure. There are no references to supporting files, no layered content organization, and no navigation to deeper resources despite the topic warranting detailed reference material. | 1 / 3 |
Total | 4 / 12 Passed |
Validation
81%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 9 / 11 Passed | |
- Commit
13d35b8
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.