cors-policy-validator
Cors Policy Validator - Auto-activating skill for Security Fundamentals. Triggers on: cors policy validator, cors policy validator Part of the Security Fundamentals skill category.
41
11%
Does it follow best practices?
Impact
98%
0.98xAverage score across 3 eval scenarios
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./planned-skills/generated/03-security-fundamentals/cors-policy-validator/SKILL.mdQuality
Discovery
22%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is essentially a title repeated with boilerplate category metadata. It fails to describe any concrete capabilities, lacks natural trigger terms users would use, and provides no explicit guidance on when Claude should select this skill. It reads as auto-generated template content rather than a useful skill description.
Suggestions
Add concrete actions describing what the skill does, e.g., 'Validates CORS policy configurations, checks Access-Control headers for misconfigurations, and identifies overly permissive origin rules.'
Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about CORS errors, cross-origin policies, Access-Control-Allow-Origin headers, or needs to validate CORS configurations.'
Remove the redundant duplicate trigger term ('cors policy validator' is listed twice) and replace with varied natural language terms users would actually say.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | The description provides no concrete actions. It says 'Cors Policy Validator' but never describes what it actually does—no mention of validating, checking, analyzing, or any specific operations on CORS policies. | 1 / 3 |
Completeness | The description fails to answer 'what does this do' beyond restating the skill name, and the 'when' is limited to a redundant trigger phrase with no explicit 'Use when...' clause or meaningful trigger guidance. | 1 / 3 |
Trigger Term Quality | It includes 'cors policy validator' as a trigger term (repeated twice), which is somewhat relevant, but misses natural variations users would say like 'CORS headers', 'cross-origin', 'Access-Control-Allow-Origin', 'CORS configuration', or 'CORS errors'. | 2 / 3 |
Distinctiveness Conflict Risk | The term 'CORS policy validator' is fairly specific to a niche domain, which helps with distinctiveness, but the vague 'Security Fundamentals' category and lack of concrete actions could cause overlap with other security-related skills. | 2 / 3 |
Total | 6 / 12 Passed |
Implementation
0%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is an empty shell with no substantive content. It contains only generic boilerplate descriptions that could apply to any skill topic, with no actual CORS policy validation logic, examples, code, or actionable guidance. It fails on every dimension of the rubric.
Suggestions
Add concrete, executable code examples for CORS policy validation (e.g., a Python/JS function that checks Access-Control-Allow-Origin headers against a whitelist and flags misconfigurations like wildcard origins with credentials).
Define a clear workflow: 1) Extract CORS headers from response, 2) Validate against security rules (no wildcard with credentials, restricted methods, etc.), 3) Report findings with severity levels and remediation steps.
Include specific examples of secure vs. insecure CORS configurations (e.g., 'Access-Control-Allow-Origin: *' with 'Access-Control-Allow-Credentials: true' is dangerous) rather than vague references to 'best practices'.
Remove all boilerplate sections (Purpose, When to Use, Capabilities, Example Triggers) that contain no actionable information and replace with actual technical content about CORS security validation.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The content is entirely filler and boilerplate. It explains what the skill does in vague, repetitive terms without providing any actual technical content. Every section restates the same information in different ways. | 1 / 3 |
Actionability | There is zero concrete guidance—no code, no commands, no specific CORS policy examples, no validation logic, no configuration snippets. It only describes what it could do rather than instructing how to do anything. | 1 / 3 |
Workflow Clarity | No workflow, steps, or process is defined. For a 'validator' skill, there are no validation steps, no input/output examples, no error handling, and no feedback loops. | 1 / 3 |
Progressive Disclosure | The content is a monolithic block of vague descriptions with no references to supporting files, no structured navigation, and no separation of concerns. There are no bundle files to reference either. | 1 / 3 |
Total | 4 / 12 Passed |
Validation
81%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 9 / 11 Passed | |
- Commit
13d35b8
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.