Cors Policy Validator - Auto-activating skill for Security Fundamentals. Triggers on: cors policy validator, cors policy validator. Part of the Security Fundamentals skill category.
Quality: 3%. Does it follow best practices?
Impact: 98% (0.98x). Average score across 3 eval scenarios.
Passed: No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./planned-skills/generated/03-security-fundamentals/cors-policy-validator/SKILL.md
Quality
Discovery
7%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is severely lacking in substance. It reads like auto-generated boilerplate that names the skill and category but provides zero information about what the skill actually does, what capabilities it offers, or when it should be selected. Claude would have no meaningful basis to choose this skill over others.
Suggestions
- Add specific actions the skill performs, e.g., 'Validates CORS headers, checks Access-Control-Allow-Origin configurations, identifies overly permissive policies, and recommends secure CORS settings.'
- Include a 'Use when...' clause with natural trigger terms like 'Use when reviewing CORS configurations, checking cross-origin policies, debugging CORS errors, or securing API endpoints.'
- Add common user phrases and file types, e.g., 'CORS headers, cross-origin requests, Access-Control headers, preflight requests, origin whitelist, .htaccess, nginx.conf'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description only names the skill ('Cors Policy Validator') without describing any concrete actions. There are no verbs indicating what the skill actually does - no mention of validating, checking, analyzing, or any specific capabilities. | 1 / 3 |
| Completeness | The description fails to answer both 'what does this do' and 'when should Claude use it'. It only states it's an 'auto-activating skill' in a category, with no explanation of functionality or explicit usage triggers. | 1 / 3 |
| Trigger Term Quality | The trigger terms listed are just the skill name repeated twice ('cors policy validator, cors policy validator'). Missing natural user terms like 'CORS', 'cross-origin', 'Access-Control headers', 'origin policy', or 'browser security'. | 1 / 3 |
| Distinctiveness Conflict Risk | The term 'CORS' is somewhat specific to cross-origin resource sharing validation, which provides some distinctiveness. However, the lack of detail about what aspects of CORS it handles could cause overlap with general security or web configuration skills. | 2 / 3 |
| Total | 5 / 12 Passed | |
Implementation
0%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is essentially a placeholder template with no actual instructional content. It describes what the skill claims to do but provides zero actionable guidance on CORS policy validation—no code examples, no validation criteria, no security checks, and no workflow. The content would be useless for teaching Claude how to validate CORS policies.
Suggestions
- Add concrete examples of CORS policy validation, including code to parse and check Access-Control-Allow-Origin, Access-Control-Allow-Methods, and other CORS headers
- Include a checklist of common CORS misconfigurations to detect (e.g., wildcard origins with credentials, overly permissive methods)
- Provide a step-by-step workflow: 1) Extract CORS headers, 2) Check against security rules, 3) Report findings with severity levels
- Add example inputs (sample CORS configurations) and expected outputs (validation results) to make the skill actionable
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is padded with generic boilerplate that explains nothing specific about CORS policy validation. Phrases like 'provides automated assistance' and 'follows industry best practices' are filler that Claude doesn't need. | 1 / 3 |
| Actionability | No concrete code, commands, or specific guidance is provided. The skill describes what it does in abstract terms but never shows how to actually validate a CORS policy or what to look for. | 1 / 3 |
| Workflow Clarity | No workflow is defined. There are no steps, no validation checkpoints, and no process for actually performing CORS policy validation. The content only describes trigger conditions. | 1 / 3 |
| Progressive Disclosure | The content is a flat, uninformative document with no references to detailed materials, examples, or related documentation. There's nothing to disclose progressively because there's no substantive content. | 1 / 3 |
| Total | 4 / 12 Passed | |
Validation
81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |
994edc4