path-traversal-finder
Path Traversal Finder - Auto-activating skill for Security Fundamentals. Triggers on: path traversal finder, path traversal finder Part of the Security Fundamentals skill category.
36
3%
Does it follow best practices?
Impact
98%
0.98xAverage score across 3 eval scenarios
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./planned-skills/generated/03-security-fundamentals/path-traversal-finder/SKILL.mdQuality
Discovery
7%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is extremely weak—it is essentially a self-referential label rather than a functional description. It fails to explain what the skill does, provides no meaningful trigger terms beyond its own name, and lacks any 'Use when...' guidance. The only slight positive is that 'path traversal' is a reasonably specific security domain.
Suggestions
Add concrete actions describing what the skill does, e.g., 'Detects path traversal vulnerabilities in code by identifying unsanitized file path inputs, directory traversal patterns (../), and insecure file access operations.'
Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about directory traversal, ../ attacks, local file inclusion (LFI), file path manipulation, or insecure file access in their code.'
Remove the redundant repeated trigger term and replace with diverse natural language variations users would actually use, such as 'directory traversal', 'LFI', 'dot-dot-slash', 'file path vulnerability'.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | The description names the domain ('path traversal') but does not describe any concrete actions. There is no mention of what the skill actually does—no verbs like 'detect', 'scan', 'analyze', or 'report'. | 1 / 3 |
Completeness | The description fails to answer 'what does this do' beyond naming itself, and the 'when' clause is essentially just the skill's own name repeated. There is no explicit 'Use when...' guidance with meaningful triggers. | 1 / 3 |
Trigger Term Quality | The only trigger terms listed are 'path traversal finder' repeated twice. It misses natural variations users would say such as 'directory traversal', '../', 'file inclusion vulnerability', 'LFI', or 'path manipulation'. | 1 / 3 |
Distinctiveness Conflict Risk | The term 'path traversal' is fairly specific to a particular vulnerability type, which provides some distinctiveness. However, the lack of concrete actions means it could overlap with other security scanning or vulnerability detection skills. | 2 / 3 |
Total | 5 / 12 Passed |
Implementation
0%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is an empty shell with no substantive content. It consists entirely of generic boilerplate that could apply to any topic—there is nothing specific to path traversal detection, no code examples, no patterns to match against, no sanitization techniques, and no workflow. It provides zero value beyond what the skill's title alone conveys.
Suggestions
Add concrete, executable code examples showing how to detect path traversal patterns (e.g., regex patterns for '../', '%2e%2e/', URL-encoded variants, and null byte injection)
Include a clear workflow: 1) Identify user-controlled file path inputs, 2) Check for traversal patterns, 3) Validate/sanitize paths, 4) Verify the resolved path stays within the allowed directory
Provide specific examples of vulnerable code vs. secure code in at least one language (e.g., Python os.path.realpath() validation pattern)
Remove all generic boilerplate sections ('When to Use', 'Example Triggers', 'Capabilities') and replace with actionable security guidance and detection techniques
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The content is padded with generic filler text that tells Claude nothing it doesn't already know. Phrases like 'Provides step-by-step guidance' and 'Follows industry best practices' are vacuous. The entire body contains zero actionable information about path traversal detection. | 1 / 3 |
Actionability | There is no concrete guidance whatsoever—no code, no commands, no examples of path traversal patterns, no detection techniques, no regex patterns, no file path sanitization approaches. It describes rather than instructs. | 1 / 3 |
Workflow Clarity | No workflow, steps, or process is defined. The skill claims to provide 'step-by-step guidance' but contains none. For a security-related task involving vulnerability detection, the complete absence of any procedure is a critical gap. | 1 / 3 |
Progressive Disclosure | The content is a monolithic block of generic boilerplate with no references to detailed materials, no links to examples, and no structured navigation. There is nothing to progressively disclose because there is no substantive content. | 1 / 3 |
Total | 4 / 12 Passed |
Validation
81%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 9 / 11 Passed | |
- Commit
c8a915c
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.