Insecure Deserialization Checker - Auto-activating skill for Security Fundamentals. Triggers on: insecure deserialization checker, insecure deserialization checker. Part of the Security Fundamentals skill category.
3% - Does it follow best practices?
Impact: 99% (0.99x average score across 3 eval scenarios)
Passed: No known issues
Optimize this skill with Tessl: `npx tessl skill review --optimize ./planned-skills/generated/03-security-fundamentals/insecure-deserialization-checker/SKILL.md`

Quality
Discovery
7%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is essentially a placeholder that repeats the skill name without explaining what it does or when it should be used. It lacks concrete actions, meaningful trigger terms, and explicit activation guidance, making it nearly useless for skill selection among multiple options.
Suggestions
Add specific capabilities such as 'Detects unsafe deserialization patterns in Python (pickle), Java (ObjectInputStream), PHP (unserialize), and other languages' to clarify what the skill does.
Add a 'Use when...' clause with natural trigger terms like 'deserialization vulnerability', 'object injection', 'unsafe unserialize', 'pickle security', or 'serialization attack'.
Remove the redundant duplicate trigger term and replace with varied, natural phrases users would actually say when needing this skill.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain ('insecure deserialization') but describes no concrete actions. There are no specific capabilities listed such as 'scans for unsafe deserialization patterns', 'detects pickle/yaml/JSON deserialization vulnerabilities', or similar. | 1 / 3 |
| Completeness | The 'what' is essentially absent beyond the name, and the 'when' is only a redundant repetition of the skill name rather than explicit trigger guidance. There is no 'Use when...' clause or meaningful description of when to activate. | 1 / 3 |
| Trigger Term Quality | The only trigger terms listed are 'insecure deserialization checker' repeated twice. It lacks natural variations users might say like 'deserialization vulnerability', 'unsafe deserialization', 'pickle exploit', 'object injection', or 'serialization security'. | 1 / 3 |
| Distinctiveness / Conflict Risk | The term 'insecure deserialization' is a fairly specific security topic, which provides some distinctiveness. However, the vague description and mention of 'Security Fundamentals' category could cause overlap with other security-related skills. | 2 / 3 |
| Total | | 5 / 12 (Passed) |
Implementation
0%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is an empty placeholder that provides no actual guidance on insecure deserialization detection or remediation. It contains only meta-descriptions of what the skill claims to do without any concrete instructions, code, examples, or security-specific content. It fails on every dimension of the rubric.
Suggestions
Add concrete code examples showing how to detect insecure deserialization vulnerabilities in common languages (e.g., Java ObjectInputStream, Python pickle, PHP unserialize) with specific patterns to look for.
Define a clear workflow: 1) Identify deserialization entry points, 2) Check for unsafe deserializers, 3) Validate with specific tools/commands, 4) Apply remediation patterns—with explicit validation checkpoints.
Replace the generic 'Capabilities' and 'Example Triggers' sections with actionable content such as a checklist of dangerous deserialization patterns, safe alternatives, and OWASP-aligned remediation guidance.
Include specific, executable scanning commands or code snippets (e.g., grep patterns for finding unsafe deserialization calls, or tool invocations like semgrep rules) that Claude can directly use.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is padded with generic filler ('Provides step-by-step guidance', 'Follows industry best practices') without any actual substance. It explains meta-information about the skill rather than providing actionable security knowledge. Every section restates the skill name without adding value. | 1 / 3 |
| Actionability | There is zero concrete guidance on insecure deserialization—no code examples, no specific vulnerability patterns, no detection commands, no remediation steps. The content describes rather than instructs, offering only vague promises of capability. | 1 / 3 |
| Workflow Clarity | No workflow, steps, or process is defined. For a security checker skill, there should be clear steps for identifying deserialization vulnerabilities, validating findings, and applying fixes. None of this is present. | 1 / 3 |
| Progressive Disclosure | The content is a flat, monolithic placeholder with no meaningful structure. There are no references to supporting files, no layered content organization, and no navigation to deeper material. The sections that exist are superficial headers over empty content. | 1 / 3 |
| Total | | 4 / 12 (Passed) |
Validation
81%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 (Passed) |
13d35b8