insecure-deserialization-checker
Insecure Deserialization Checker - Auto-activating skill for Security Fundamentals. Triggers on: insecure deserialization checker, insecure deserialization checker Part of the Security Fundamentals skill category.
36
3%
Does it follow best practices?
Impact
99%
0.99xAverage score across 3 eval scenarios
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./planned-skills/generated/03-security-fundamentals/insecure-deserialization-checker/SKILL.mdQuality
Discovery
7%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is extremely weak—it is essentially a title repeated as a trigger with no explanation of what the skill does, how it works, or when it should be selected. It reads like auto-generated boilerplate rather than a useful skill description. It would be nearly impossible for Claude to make an informed selection decision based on this text.
Suggestions
Add concrete actions the skill performs, e.g., 'Detects insecure deserialization vulnerabilities in code by scanning for unsafe use of pickle, yaml.load, Java ObjectInputStream, and similar patterns.'
Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about deserialization vulnerabilities, object injection, untrusted data parsing, or wants to check code for unsafe deserialization patterns.'
Remove the duplicated trigger term and replace with diverse, natural keyword variations users might actually use, such as 'deserialization attack', 'object injection', 'pickle vulnerability', 'Java serialization exploit'.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | The description names the domain ('insecure deserialization') but describes no concrete actions. There is no indication of what the skill actually does—no verbs like 'detect', 'scan', 'analyze', or 'report'. | 1 / 3 |
Completeness | The description fails to answer 'what does this do' beyond naming itself, and the 'when' clause is essentially just the skill name repeated. There is no explicit 'Use when...' guidance with meaningful triggers. | 1 / 3 |
Trigger Term Quality | The only trigger terms listed are 'insecure deserialization checker' repeated twice. It lacks natural user language variations such as 'deserialization vulnerability', 'object injection', 'pickle exploit', 'untrusted data deserialization', or related terms users might actually say. | 1 / 3 |
Distinctiveness Conflict Risk | The term 'insecure deserialization' is fairly specific to a particular vulnerability class, which provides some distinctiveness. However, the vague framing as part of 'Security Fundamentals' could overlap with other security-related skills. | 2 / 3 |
Total | 5 / 12 Passed |
Implementation
0%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is an empty placeholder that contains no actual instructional content. It repeatedly references 'insecure deserialization checker' without ever explaining what insecure deserialization is, how to detect it, or what to do about it. It provides no code, no commands, no examples, and no concrete guidance of any kind.
Suggestions
Add concrete, executable code examples showing how to detect insecure deserialization vulnerabilities (e.g., scanning for pickle.loads(), yaml.load() without SafeLoader, Java ObjectInputStream usage)
Provide a clear step-by-step workflow: 1) identify serialization points, 2) check for unsafe deserializers, 3) validate/remediate with specific patterns, 4) verify fixes
Include specific examples of vulnerable vs. safe code patterns for at least 2-3 languages (Python, Java, PHP) with concrete remediation steps
Remove all meta-description sections ('Purpose', 'When to Use', 'Example Triggers') and replace with actual instructional content that teaches Claude how to perform deserialization security checks
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The content is entirely filler with no substantive information. It explains what the skill does in abstract terms without providing any actual guidance, code, or concrete instructions. Every section restates the skill name without adding value. | 1 / 3 |
Actionability | There is zero actionable content—no code, no commands, no specific steps, no concrete examples of how to detect or prevent insecure deserialization. The 'Capabilities' section describes what it claims to do but never actually does it. | 1 / 3 |
Workflow Clarity | No workflow is defined at all. There are no steps, no sequence, no validation checkpoints. The skill merely describes itself in meta terms without providing any process for checking insecure deserialization. | 1 / 3 |
Progressive Disclosure | The content is a flat, shallow placeholder with no meaningful structure. There are no references to detailed materials, no linked resources, and no organized sections containing actual content to disclose progressively. | 1 / 3 |
Total | 4 / 12 Passed |
Validation
81%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 9 / 11 Passed | |
- Commit
c8a915c
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.