Http Header Security Audit - Auto-activating skill for Security Fundamentals. Triggers on: http header security audit, http header security audit Part of the Security Fundamentals skill category.
Impact: 97% (0.98x average score across 3 eval scenarios). Passed. No known issues.
Optimize this skill with Tessl: `npx tessl skill review --optimize ./planned-skills/generated/03-security-fundamentals/http-header-security-audit/SKILL.md`
Quality
Discovery: 7%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is essentially a placeholder that restates the skill name without providing any meaningful detail about capabilities, actions, or usage triggers. It reads like auto-generated boilerplate from a template rather than a crafted description. It would be nearly useless for Claude to differentiate this skill from other security-related skills in a large skill library.
Suggestions
Add specific concrete actions the skill performs, e.g., 'Analyzes HTTP response headers for security misconfigurations, checks for missing headers like HSTS, CSP, X-Frame-Options, and X-Content-Type-Options, and provides remediation recommendations.'
Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about security headers, HTTP header hardening, CSP policies, CORS configuration, HSTS setup, or web application security audits.'
Remove the duplicated trigger term ('http header security audit' is listed twice) and replace with diverse natural language variations users would actually use.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain ('http header security audit') but does not describe any concrete actions. There are no specific capabilities listed such as 'checks for missing headers', 'validates HSTS configuration', or 'detects insecure cookie flags'. | 1 / 3 |
| Completeness | The description fails to answer 'what does this do' beyond restating the skill name, and there is no explicit 'when to use' guidance. The 'Triggers on' line is just the skill name repeated, not meaningful trigger context. | 1 / 3 |
| Trigger Term Quality | The only trigger terms listed are 'http header security audit' repeated twice. It misses natural variations users would say like 'security headers', 'CORS', 'CSP', 'content security policy', 'HSTS', 'X-Frame-Options', 'header check', or 'web security scan'. | 1 / 3 |
| Distinctiveness / Conflict Risk | The phrase 'http header security audit' is somewhat specific to a niche (HTTP header analysis), which provides some distinctiveness. However, the lack of concrete detail means it could overlap with broader security audit or web security skills. | 2 / 3 |
| Total | | 5 / 12 Passed |
Implementation: 0%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is essentially a placeholder with no substantive content. It contains only meta-descriptions and trigger phrases but provides zero actionable guidance on how to actually perform an HTTP header security audit. It fails on every dimension because it describes what it would do rather than actually doing it.
Suggestions
Add a concrete checklist of security-relevant HTTP headers to audit (e.g., Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Permissions-Policy) with expected values and risk levels.
Include executable examples such as a curl command to inspect headers (`curl -I https://example.com`) and a Python script or shell one-liner to parse and evaluate the response headers against security best practices.
Define a clear workflow: 1) Fetch headers, 2) Check each header against a security baseline, 3) Flag missing/misconfigured headers, 4) Generate a report with severity ratings and remediation guidance.
Remove the boilerplate 'When to Use,' 'Capabilities,' and 'Example Triggers' sections which consume tokens without adding value, and replace them with actual technical content.
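As an added example (not part of the reviewed skill or of this review), a Python script that implements the suggested workflow: parse a captured HTTP response, compare its headers with a baseline, and return findings with a severity label. The baseline thresholds and severity labels are this example's own choices, and the sample response is constructed.

```python
"""Audit a captured HTTP response against a security-header baseline (added example)."""
import re

def _hsts_ok(value):
    """HSTS must carry a max-age of at least 180 days (threshold chosen for this example)."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= 15552000

# header -> (severity, validator). Severity labels are this example's own choice.
BASELINE = {
    "Strict-Transport-Security": ("high", _hsts_ok),
    "Content-Security-Policy": ("high", lambda v: "'unsafe-inline'" not in v.lower()),
    "X-Content-Type-Options": ("medium", lambda v: v.strip().lower() == "nosniff"),
    "X-Frame-Options": ("medium", lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN")),
    "Permissions-Policy": ("low", lambda v: bool(v.strip())),
}

def parse_headers(raw):
    """Split a raw HTTP/1.x response into its status line and a lower-cased header dict
    (if a header repeats, the last occurrence wins; a simplification)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def audit(raw):
    """Return (header, severity, finding) for each baseline header missing or misconfigured."""
    _, headers = parse_headers(raw)
    findings = []
    for name, (severity, check) in BASELINE.items():
        value = headers.get(name.lower())
        if value is None:
            findings.append((name, severity, "missing"))
        elif not check(value):
            findings.append((name, severity, f"misconfigured: {value}"))
    return findings

# Constructed sample: HSTS max-age too short, CSP permits inline scripts, X-Frame-Options absent.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Permissions-Policy: geolocation=()\r\n"
    "\r\n<html></html>"
)
```

Calling audit(SAMPLE) returns three findings: the short HSTS max-age, the CSP that allows 'unsafe-inline', and the missing X-Frame-Options header. Feeding it the output of `curl -si https://example.com` (status line plus headers) gives the same report for a live response.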
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is almost entirely filler and meta-description. It explains what the skill does in abstract terms without providing any actual technical content about HTTP header security auditing. Phrases like 'Provides step-by-step guidance' and 'Follows industry best practices' are empty padding. | 1 / 3 |
| Actionability | There is zero concrete, executable guidance. No specific HTTP headers are mentioned (e.g., CSP, HSTS, X-Frame-Options), no commands or code for auditing headers, no curl examples, no tools referenced, no checklist of headers to verify. The skill describes rather than instructs. | 1 / 3 |
| Workflow Clarity | No workflow is defined at all. Despite claiming to provide 'step-by-step guidance,' there are no actual steps, no sequence, no validation checkpoints, and no process for conducting an HTTP header security audit. | 1 / 3 |
| Progressive Disclosure | The content is a monolithic block of vague descriptions with no structure that aids discovery. There are no references to supporting files, no separation of quick-start vs. advanced content, and no bundle files to support it. | 1 / 3 |
| Total | | 4 / 12 Passed |
Validation: 81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |