insecure-deserialization-checker
Insecure Deserialization Checker - Auto-activating skill for Security Fundamentals. Triggers on: insecure deserialization checker, insecure deserialization checker Part of the Security Fundamentals skill category.
36
Quality
3%
Does it follow best practices?
Impact
99%
0.99xAverage score across 3 eval scenarios
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./planned-skills/generated/03-security-fundamentals/insecure-deserialization-checker/SKILL.mdQuality
Discovery
7%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is severely underdeveloped, functioning more as a label than a functional skill description. It lacks any explanation of what the skill actually does, provides no natural trigger terms users would say, and offers no guidance on when Claude should select it. The repeated trigger term and category boilerplate add no value.
Suggestions
Add specific actions the skill performs, e.g., 'Detects insecure deserialization vulnerabilities in Java, Python, and PHP code by analyzing object serialization patterns and identifying unsafe deserialize() calls.'
Include a 'Use when...' clause with natural trigger terms like 'Use when reviewing code for security vulnerabilities, checking for unsafe object parsing, or when the user mentions pickle, ObjectInputStream, unserialize, or YAML.load.'
Remove the redundant duplicate trigger term and replace with varied natural language users might actually use when needing this skill.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | The description provides no concrete actions - it only names itself ('Insecure Deserialization Checker') without explaining what it actually does. There are no verbs describing capabilities like 'detects', 'analyzes', or 'scans'. | 1 / 3 |
Completeness | The description fails to answer 'what does this do' (no actions described) and 'when should Claude use it' (no explicit use cases or scenarios). It only states category membership without functional guidance. | 1 / 3 |
Trigger Term Quality | The trigger terms are redundant (same phrase repeated twice) and overly technical. Users are unlikely to say 'insecure deserialization checker' naturally; they might say 'check for deserialization vulnerabilities', 'security scan', or 'find unsafe object parsing'. | 1 / 3 |
Distinctiveness Conflict Risk | The specific mention of 'insecure deserialization' provides some distinctiveness within security skills, but the lack of concrete scope (which languages, frameworks, or file types) could cause overlap with other security scanning skills. | 2 / 3 |
Total | 5 / 12 Passed |
Implementation
0%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is a placeholder template with no actual content about insecure deserialization detection. It contains only meta-descriptions of what a skill should do without any concrete guidance on identifying serialization vulnerabilities, dangerous functions to watch for (pickle, yaml.load, unserialize), or remediation patterns. The content would be completely unhelpful for the stated purpose.
Suggestions
Add concrete examples of insecure deserialization patterns in common languages (Python pickle, PHP unserialize, Java ObjectInputStream) with vulnerable vs. safe code snippets
Include a detection workflow: what to grep for, what patterns indicate risk, how to validate findings
Provide specific remediation guidance: safe alternatives, allowlist approaches, input validation techniques
Reference OWASP deserialization cheat sheet or include key detection signatures inline
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The content is padded with boilerplate that provides no actionable value. Phrases like 'provides automated assistance' and 'follows industry best practices' are vague filler that Claude doesn't need. | 1 / 3 |
Actionability | No concrete code, commands, or specific techniques for detecting insecure deserialization. The skill describes what it does rather than instructing how to do it - completely abstract with zero executable guidance. | 1 / 3 |
Workflow Clarity | No workflow is defined. Claims to provide 'step-by-step guidance' but includes no actual steps. For a security checker skill, there should be clear detection patterns, validation steps, or remediation workflows. | 1 / 3 |
Progressive Disclosure | No structure beyond generic headings. No references to detailed materials, no examples of vulnerable code patterns, no links to OWASP resources or detection techniques that would be expected for this topic. | 1 / 3 |
Total | 4 / 12 Passed |
Validation
81%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 9 / 11 Passed | |
- Commit
994edc4
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.