Http Header Security Audit - Auto-activating skill for Security Fundamentals. Triggers on: http header security audit, http header security audit. Part of the Security Fundamentals skill category.
Install with Tessl CLI
npx tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill http-header-security-audit
Overall score: 19%
Does it follow best practices?
Validation for skill structure
Activation
7%
This description is essentially a placeholder that provides almost no useful information for skill selection. It repeats the skill name as trigger terms, lacks any explanation of capabilities or concrete actions, and provides no guidance on when Claude should select this skill. The description fails to leverage the specificity that HTTP header security auditing could offer.
Suggestions
Add specific actions the skill performs, such as 'Analyzes HTTP response headers for security misconfigurations, checks for missing security headers (CSP, HSTS, X-Frame-Options), and provides remediation recommendations.'
Include a 'Use when...' clause with natural trigger scenarios like 'Use when reviewing web application security, checking HTTP headers, auditing CSP policies, or when users mention security headers, CORS, or header hardening.'
Add natural keyword variations users might say: 'security headers', 'CSP audit', 'HSTS check', 'X-Content-Type-Options', 'header hardening', 'web security scan'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description only names the domain 'Http Header Security Audit' but provides no concrete actions. It doesn't explain what the skill actually does - no mention of analyzing headers, checking configurations, identifying vulnerabilities, or generating reports. | 1 / 3 |
| Completeness | The description fails to answer 'what does this do' beyond the title, and provides no explicit 'when to use' guidance. The 'Triggers on' line just repeats the skill name rather than describing actual use cases or scenarios. | 1 / 3 |
| Trigger Term Quality | The trigger terms listed are just the skill name repeated twice ('http header security audit'). Missing natural variations users might say like 'check headers', 'security headers', 'CSP', 'CORS', 'X-Frame-Options', 'HSTS', or 'header analysis'. | 1 / 3 |
| Distinctiveness Conflict Risk | The term 'Http Header Security Audit' is somewhat specific to a niche domain, which provides some distinctiveness. However, without concrete actions described, it could overlap with general security scanning or web security skills. | 2 / 3 |
| Total | 5 / 12 Passed | |
Implementation
0%
This skill is essentially a placeholder with no substantive content. It describes what an HTTP header security audit skill would do but provides absolutely no actionable guidance, code examples, header checklists, or audit procedures. The entire content could be replaced with actual technical instructions for checking security headers.
Suggestions
Add a concrete checklist of HTTP security headers to audit (e.g., Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy)
Include executable code examples for fetching and analyzing headers, such as curl commands or Python requests snippets
Provide a scoring/validation workflow: fetch headers -> check against requirements -> report missing/misconfigured headers -> suggest fixes
Add specific remediation examples showing correct header configurations for common web servers (nginx, Apache) or frameworks
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is padded with generic boilerplate that explains nothing Claude doesn't already know. Phrases like 'provides automated assistance' and 'follows industry best practices' are meaningless filler with no actual technical content. | 1 / 3 |
| Actionability | There is zero concrete guidance - no code, no commands, no specific steps for performing an HTTP header security audit. The skill describes what it claims to do rather than instructing how to do it. | 1 / 3 |
| Workflow Clarity | No workflow is provided whatsoever. A security audit skill should include specific headers to check (CSP, HSTS, X-Frame-Options, etc.), validation steps, and remediation guidance, but none of this exists. | 1 / 3 |
| Progressive Disclosure | The content is a monolithic block of vague descriptions with no structure for actual learning. There are no references to detailed materials, examples, or related documentation that would help with HTTP header security auditing. | 1 / 3 |
| Total | 4 / 12 Passed | |
Validation
69%
Validation — 11 / 16 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| description_trigger_hint | Description may be missing an explicit 'when to use' trigger hint (e.g., 'Use when...') | Warning |
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| metadata_version | 'metadata' field is not a dictionary | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| body_steps | No step-by-step structure detected (no ordered list); consider adding a simple workflow | Warning |
| Total | 11 / 16 Passed | |