Insecure Deserialization Checker - Auto-activating skill for Security Fundamentals. Triggers on: insecure deserialization checker, insecure deserialization checker. Part of the Security Fundamentals skill category.
Overall score: 23%
Install with Tessl CLI:
npx tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill insecure-deserialization-checker

Activation
7%

This description is severely lacking in substance: it is essentially just a title with no explanation of capabilities, actions, or use cases. The trigger terms are redundant (the same phrase repeated) and miss the natural-language variations users would employ. The description fails to help Claude understand when to select this skill over other security-related skills.
Suggestions
Add specific actions the skill performs, e.g., 'Detects insecure deserialization vulnerabilities in code, identifies unsafe pickle/yaml/JSON parsing, and flags untrusted object instantiation patterns.'
Include a 'Use when...' clause with natural trigger terms: 'Use when reviewing code for serialization vulnerabilities, analyzing pickle/marshal usage, checking for object injection risks, or auditing data deserialization in Python, Java, PHP, or .NET applications.'
Remove the duplicate trigger term and expand with user-natural phrases like 'serialization security', 'pickle vulnerability', 'object injection', 'untrusted deserialization'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description provides no concrete actions: it only names itself ('Insecure Deserialization Checker') without explaining what it actually does. There are no verbs describing capabilities such as 'detects', 'analyzes', or 'scans'. | 1 / 3 |
| Completeness | The description fails to answer 'what does this do' (no actions described) and 'when should Claude use it' (no explicit use cases or scenarios). The 'Triggers on' section just repeats the skill name rather than providing meaningful trigger guidance. | 1 / 3 |
| Trigger Term Quality | The only trigger terms listed are the skill name repeated twice ('insecure deserialization checker'). Missing natural user terms such as 'serialization vulnerability', 'pickle exploit', 'object injection', 'untrusted data', or specific language/framework references. | 1 / 3 |
| Distinctiveness Conflict Risk | The term 'insecure deserialization' is fairly specific to a particular vulnerability class, which provides some distinctiveness. However, without describing what it checks or how, it could overlap with other security scanning skills. | 2 / 3 |
| Total | | 5 / 12 Passed |
Implementation
7%

This skill is a placeholder template with no actual content about insecure deserialization detection. It contains only meta-descriptions of what a skill should do, without any concrete guidance on identifying serialization vulnerabilities, dangerous patterns to look for, or remediation steps. The skill fails to teach Claude anything it doesn't already know.
Suggestions
Add concrete examples of insecure deserialization patterns in common languages (Java ObjectInputStream, Python pickle, PHP unserialize) with code snippets showing vulnerable vs. safe implementations
Include a step-by-step workflow for auditing code: 1) Identify serialization entry points, 2) Check for untrusted input, 3) Validate deserialization safeguards, 4) Report findings
Provide specific detection patterns or regex/AST queries that can identify dangerous deserialization calls in codebases
Remove boilerplate sections like 'Example Triggers' and 'Capabilities' that add no instructional value
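To make the first and third suggestions concrete, here is the kind of content the skill is missing. This is example code written for this review, not material from the skill or from the claude-code-plugins-plus-skills repository. It shows, in Python, the vulnerable `pickle.loads` sink beside two hardened alternatives (an allow-listing `Unpickler` subclass and a data-only JSON loader with shape validation), and a small regex scanner for the deserialization sinks named in the suggestions (pickle/marshal/yaml, Java `ObjectInputStream`, PHP `unserialize`, .NET `BinaryFormatter`). The `Exploit` class, the session payloads and `SAMPLE_SOURCE` are constructed for the demonstration; the exploit payload calls `os.getcwd` as a harmless stand-in for the `os.system` call a real attacker would use.

```python
"""Vulnerable vs. hardened deserialization, plus sink detection (added example)."""

import importlib
import io
import json
import os
import pickle
import re
from collections import OrderedDict
from typing import Any


class Exploit:
    """Attacker-controlled object. pickle stores whatever __reduce__ returns and
    the loader calls that callable with those arguments, so any importable
    function runs at deserialization time. os.getcwd stands in for os.system."""

    def __reduce__(self):
        return (os.getcwd, ())


def build_legit_blob() -> bytes:
    # Constructed sample: what the application itself would serialize.
    return pickle.dumps(OrderedDict(user="alice", roles=["admin"]))


def build_exploit_blob() -> bytes:
    # Constructed sample: what an attacker would send in the same slot.
    return pickle.dumps(Exploit())


# Vulnerable: pickle.loads resolves and calls every global the stream names.
def load_session_unsafe(blob: bytes) -> Any:
    return pickle.loads(blob)


# Hardened: only allow-listed (module, name) pairs may be resolved; everything
# else (os.getcwd, os.system, subprocess.Popen, ...) is rejected before it runs.
class RestrictedUnpickler(pickle.Unpickler):
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module: str, name: str) -> Any:
        if (module, name) in self.ALLOWED:
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_session_restricted(blob: bytes) -> Any:
    return RestrictedUnpickler(io.BytesIO(blob)).load()


# Preferred: a data-only format that cannot name code, plus explicit shape checks.
def load_session_json(text: str) -> dict:
    data = json.loads(text)
    if not isinstance(data, dict) or set(data) != {"user", "roles"}:
        raise ValueError("unexpected session shape")
    if (not isinstance(data["user"], str) or not isinstance(data["roles"], list)
            or not all(isinstance(r, str) for r in data["roles"])):
        raise ValueError("unexpected field types")
    return {"user": data["user"], "roles": data["roles"]}


# Detection: per-language regexes for the sinks a code audit should locate.
DANGEROUS_CALLS = [
    ("python", "pickle.load/loads", re.compile(r"\bpickle\.loads?\s*\(")),
    ("python", "marshal.load/loads", re.compile(r"\bmarshal\.loads?\s*\(")),
    # yaml.load is unsafe unless Loader=SafeLoader is on the line; unsafe_load always is.
    ("python", "yaml.load without SafeLoader",
     re.compile(r"\byaml\.(?:unsafe_load\s*\(|load\s*\((?!.*SafeLoader))")),
    ("java", "ObjectInputStream / readObject",
     re.compile(r"\bObjectInputStream\b|\.readObject\s*\(")),
    ("php", "unserialize()", re.compile(r"\bunserialize\s*\(")),
    ("dotnet", "BinaryFormatter", re.compile(r"\bBinaryFormatter\b")),
]


def scan_source(lines: list[str]) -> list[tuple[int, str, str, str]]:
    """Return (line number, language, sink, source line) for each candidate hit.
    A hit is a lead, not a finding: the auditor still has to trace whether the
    bytes reaching the sink are attacker-controlled."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        stripped = line.strip()
        if stripped.startswith(("#", "//")):  # skip obvious comment lines
            continue
        for lang, sink, pattern in DANGEROUS_CALLS:
            if pattern.search(line):
                findings.append((lineno, lang, sink, stripped))
    return findings


# Constructed mixed-language snippet used to exercise the scanner.
SAMPLE_SOURCE = [
    "import pickle, yaml",
    "# pickle.loads(data)  # commented out, must not be flagged",
    "obj = pickle.loads(request.body)",
    "cfg = yaml.load(open('c.yml'), Loader=yaml.SafeLoader)",
    "cfg2 = yaml.load(open('c.yml'))",
    "ObjectInputStream in = new ObjectInputStream(socket.getInputStream());",
    "Object o = in.readObject();",
    "$user = unserialize($_COOKIE['u']);",
    "var f = new BinaryFormatter();",
    "data = json.loads(body)",
]

if __name__ == "__main__":
    print("unsafe load ran attacker callable, returned:", load_session_unsafe(build_exploit_blob()))
    print("restricted load of legit blob:", load_session_restricted(build_legit_blob()))
    try:
        load_session_restricted(build_exploit_blob())
    except pickle.UnpicklingError as err:
        print("restricted load rejected exploit:", err)
    for hit in scan_source(SAMPLE_SOURCE):
        print(hit)
```

The scanner is deliberately line-based and conservative: it flags `yaml.load` unless `SafeLoader` appears on the same line, so a loader passed on a continuation line will produce a false positive to be triaged by hand, which is the right failure direction for an audit. The restricted unpickler is a mitigation, not a cure: anything on its allow-list that has side effects in `__setstate__` or `__reduce__` is still reachable, so the JSON loader is the option to recommend when the data model permits it.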
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is padded with boilerplate that provides no actionable value. Phrases such as 'provides automated assistance' and 'follows industry best practices' are vague filler that Claude doesn't need. | 1 / 3 |
| Actionability | No concrete code, commands, or specific techniques for detecting insecure deserialization. The content describes what the skill does abstractly rather than providing executable guidance on how to check for deserialization vulnerabilities. | 1 / 3 |
| Workflow Clarity | No workflow is defined. Claims to provide 'step-by-step guidance' but includes zero actual steps. No validation checkpoints or process for checking deserialization vulnerabilities. | 1 / 3 |
| Progressive Disclosure | The content is organized into sections with clear headers, but there is no substantive content to disclose. No references to detailed materials, examples, or related documentation that would help with the actual task. | 2 / 3 |
| Total | | 5 / 12 Passed |
Validation
69% (11 / 16 checks passed)
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| description_trigger_hint | Description may be missing an explicit 'when to use' trigger hint (e.g., 'Use when...') | Warning |
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| metadata_version | 'metadata' field is not a dictionary | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| body_steps | No step-by-step structure detected (no ordered list); consider adding a simple workflow | Warning |
| Total | | 11 / 16 Passed |