Http Header Security Audit - Auto-activating skill for Security Fundamentals. Triggers on: http header security audit, http header security audit Part of the Security Fundamentals skill category.
3% (Does it follow best practices?)
Impact: 97%, 0.98x average score across 3 eval scenarios, Passed
No known issues
Quality

Discovery
7%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is essentially a title repeated with boilerplate auto-generated metadata. It provides no concrete actions, no meaningful trigger terms beyond the skill name, and no explicit guidance on when Claude should select this skill. It would be nearly indistinguishable from any generic security-related skill in a large skill library.
Suggestions
Add specific concrete actions the skill performs, e.g., 'Analyzes HTTP response headers for security misconfigurations, checks for missing headers like HSTS, CSP, X-Frame-Options, and X-Content-Type-Options, and recommends remediation steps.'
Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about security headers, wants to audit HTTP headers, mentions CSP, CORS, HSTS, cookie security flags, or web application hardening.'
Remove the duplicated trigger term ('http header security audit' is listed twice) and expand with varied natural language terms users might actually use, such as 'header hardening', 'missing security headers', 'web server security check'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain ('http header security audit') but does not describe any concrete actions. There are no specific capabilities listed such as 'checks for missing headers', 'validates HSTS configuration', or 'identifies insecure cookie flags'. | 1 / 3 |
| Completeness | The description fails to answer 'what does this do' beyond restating the skill name, and there is no explicit 'when to use' guidance. The 'Triggers on' line is just the skill name repeated, not meaningful trigger context. | 1 / 3 |
| Trigger Term Quality | The only trigger terms listed are 'http header security audit' repeated twice. It misses natural variations users would say like 'security headers', 'CORS', 'CSP', 'content security policy', 'HSTS', 'X-Frame-Options', 'header check', or 'web security scan'. | 1 / 3 |
| Distinctiveness / Conflict Risk | The phrase 'http header security audit' is somewhat specific to a niche (HTTP header analysis), which provides some distinctiveness. However, the lack of concrete actions or scope boundaries means it could overlap with broader security audit or web security skills. | 2 / 3 |
| Total | | 5 / 12 Passed |
Implementation
0%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is an empty template/placeholder with no actual content about HTTP header security auditing. It contains only meta-descriptions of what the skill would do without any actionable guidance, code, tools, header lists, or audit procedures. It provides zero value to Claude for performing HTTP header security audits.
Suggestions
Add concrete audit steps: list specific security headers to check (Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, etc.) with expected values and risk levels when missing.
Include executable code examples, such as a curl command or Python script to fetch and analyze HTTP headers from a target URL.
Add a clear workflow: 1) Fetch headers, 2) Check against required headers checklist, 3) Identify missing/misconfigured headers, 4) Generate findings report with severity ratings and remediation recommendations.
Remove all meta-description sections ('Purpose', 'When to Use', 'Example Triggers', 'Capabilities') and replace with actual technical content about HTTP header security auditing.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is entirely filler and meta-description. It explains what the skill does in abstract terms without providing any actual technical content about HTTP header security auditing. Every section restates the same vague idea. | 1 / 3 |
| Actionability | There are zero concrete instructions, commands, code examples, or specific guidance. No HTTP headers are mentioned, no tools referenced, no audit steps provided. It describes rather than instructs. | 1 / 3 |
| Workflow Clarity | There is no workflow whatsoever. The skill claims to provide 'step-by-step guidance' but contains no steps. An HTTP header security audit involves multiple steps (scanning, analyzing, recommending fixes), none of which are defined here. | 1 / 3 |
| Progressive Disclosure | The content has section headers, but they contain no substantive information. There are no references to detailed resources, no links to related files, and the structure is just a template shell with no real content to organize. | 1 / 3 |
| Total | | 4 / 12 Passed |
Validation
81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |