Http Header Security Audit - Auto-activating skill for Security Fundamentals. Triggers on: http header security audit, http header security audit Part of the Security Fundamentals skill category.
Quality: 3% (Does it follow best practices?)
Impact: 97% (0.98x average score across 3 eval scenarios)
Status: Passed, no known issues
Optimize this skill with Tessl: npx tessl skill review --optimize ./planned-skills/generated/03-security-fundamentals/http-header-security-audit/SKILL.md

Quality
Discovery: 7%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is essentially a placeholder that provides almost no useful information for skill selection. It repeats the skill name as triggers, offers no explanation of capabilities, and lacks any guidance on when to use it. The description reads like auto-generated boilerplate rather than a thoughtful skill description.
Suggestions
Add specific actions the skill performs, e.g., 'Analyzes HTTP response headers for security misconfigurations, checks for missing headers like CSP, HSTS, X-Frame-Options, and provides remediation recommendations.'
Include a 'Use when...' clause with natural trigger terms: 'Use when the user asks about security headers, wants to audit HTTP headers, mentions CSP/CORS/HSTS, or needs to check web application header security.'
Remove the duplicate trigger term and replace with varied natural language users would actually say when needing this skill.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description only names the domain 'Http Header Security Audit' but provides no concrete actions. It doesn't explain what the skill actually does: no verbs describing capabilities like 'analyzes headers', 'identifies vulnerabilities', or 'recommends fixes'. | 1 / 3 |
| Completeness | The description fails to answer 'what does this do' beyond the title, and provides no 'when should Claude use it' guidance. The 'Triggers on' line is redundant repetition rather than meaningful trigger guidance. | 1 / 3 |
| Trigger Term Quality | The trigger terms are redundantly listed twice ('http header security audit, http header security audit') and represent only technical jargon. Missing natural user terms like 'check my headers', 'security headers', 'CSP', 'CORS', 'X-Frame-Options', or 'header vulnerabilities'. | 1 / 3 |
| Distinctiveness / Conflict Risk | The phrase 'Http Header Security Audit' is somewhat specific to a niche (HTTP security headers), but without concrete actions or clear triggers, it could overlap with general security scanning or web security skills. | 2 / 3 |
| Total | | 5 / 12 Passed |
Implementation: 0%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is essentially a placeholder with no actionable content. It describes what an HTTP header security audit skill would do but provides zero actual guidance on performing the audit - no headers to check (CSP, HSTS, X-Frame-Options, etc.), no tools or commands, no example outputs, and no validation criteria.
Suggestions
Add a concrete checklist of security headers to audit (e.g., Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options) with expected secure values
Include executable code or curl commands to fetch and analyze headers from a target URL
Provide example output showing what a secure vs insecure header configuration looks like
Add a clear workflow: 1) Fetch headers, 2) Check against security baseline, 3) Report findings with severity ratings
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is padded with generic boilerplate that explains nothing specific about HTTP header security audits. Phrases like 'provides automated assistance' and 'follows industry best practices' are filler that Claude doesn't need. | 1 / 3 |
| Actionability | No concrete guidance whatsoever: no code, no commands, no specific headers to check, no examples of vulnerabilities to look for. The skill describes what it does rather than instructing how to do it. | 1 / 3 |
| Workflow Clarity | No workflow is defined. For a security audit task, there should be clear steps: what headers to check, how to test them, what values indicate vulnerabilities, and how to report findings. None of this is present. | 1 / 3 |
| Progressive Disclosure | The content is a monolithic block of vague descriptions with no structure for actual learning. No references to detailed materials, no examples section, no separation of quick-start vs advanced content. | 1 / 3 |
| Total | | 4 / 12 Passed |
Validation: 81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |