This skill enables Claude to automatically scan for XSS (Cross-Site Scripting) vulnerabilities in code. It is triggered when the user requests to "scan for XSS vulnerabilities", "check for XSS", or uses the command "/xss". The skill identifies reflected, stored, and DOM-based XSS vulnerabilities. It analyzes HTML, JavaScript, CSS, and URL contexts to detect potential exploits and suggests safe proof-of-concept payloads. This skill is best used during code review, security audits, and before deploying web applications to production.
Eval scenarios: Pending (no eval scenarios have been run).
Known issues: Passed (no known issues).

Quality
Discovery
Score: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its purpose, lists concrete capabilities, and provides explicit trigger conditions. It covers the what, when, and how comprehensively while maintaining a distinct niche in XSS vulnerability scanning. Minor note: it uses 'This skill enables Claude to' which is slightly indirect but still acceptable third-person voice.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: scanning for XSS vulnerabilities, identifying reflected/stored/DOM-based XSS, analyzing HTML/JavaScript/CSS/URL contexts, detecting exploits, and suggesting safe proof-of-concept payloads. | 3 / 3 |
| Completeness | Clearly answers both 'what' (scans for XSS vulnerabilities, identifies reflected/stored/DOM-based XSS, analyzes contexts, suggests payloads) and 'when' (triggered by specific phrases, used during code review, security audits, and before deploying web applications). | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms users would say: 'scan for XSS vulnerabilities', 'check for XSS', '/xss', 'code review', 'security audits', 'XSS', 'Cross-Site Scripting'. Good coverage of how users would naturally phrase requests. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche focused specifically on XSS vulnerability scanning. The specific vulnerability type (XSS), subtypes (reflected, stored, DOM-based), and explicit trigger commands ('/xss') make it very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
Score: 7%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads like a marketing description or README rather than actionable instructions for Claude. It explains concepts Claude already knows, describes intended behavior abstractly without providing concrete detection patterns, code examples, payloads, or analysis steps. The content lacks any executable guidance that would enable Claude to actually perform XSS vulnerability scanning.
Suggestions
- Replace the abstract 'How It Works' section with a concrete step-by-step workflow: e.g., 1) identify user input sinks, 2) trace data flow to output points, 3) check for encoding/sanitization at each output context, with specific code patterns to look for.
- Add concrete code examples showing vulnerable patterns and their fixes for each XSS type (reflected, stored, DOM-based), with actual code snippets in common frameworks.
- Include specific detection heuristics: e.g., list dangerous JavaScript sinks (innerHTML, document.write, eval), dangerous template patterns ({!! !!} in Blade, |safe in Jinja2), and context-specific encoding requirements.
- Remove the 'Best Practices', 'When to Use', and 'Integration' sections—these explain things Claude already knows and consume tokens without adding actionable value.
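As an added illustration of the detection heuristics suggested above (example code, not part of this review or of the skill under review): a small static sink scanner in JavaScript that flags dangerous DOM sinks and raw-output template markers and rates a finding higher when a recognised user-controlled source sits on the same line. The sink list, source list and sample files are constructed for this example and are not exhaustive.

```javascript
// Output sinks grouped by the context the value lands in; "kind" selects which
// rules apply to a file (DOM/JS source vs. server-side templates). Illustrative list.
const SINK_RULES = [
  { name: "innerHTML/outerHTML assignment", re: /\.(inner|outer)HTML\s*=/,  context: "HTML",       kind: "js" },
  { name: "document.write",                 re: /document\.write(ln)?\s*\(/, context: "HTML",       kind: "js" },
  { name: "eval / Function",                re: /\b(eval|Function)\s*\(/,    context: "JavaScript", kind: "js" },
  // Template markers that deliberately bypass the engine's HTML escaping.
  { name: "Blade raw echo {!! !!}",         re: /\{!!/,                      context: "HTML",       kind: "template" },
  { name: "Jinja2 |safe filter",            re: /\|\s*safe\b/,               context: "HTML",       kind: "template" },
];
// Illustrative user-controlled sources. A sink fed from one of these on the same
// line is rated "high"; otherwise "review" (the data flow must be traced by hand).
const SOURCE_RE =
  /\b(location\.(hash|search|href)|document\.(URL|referrer|cookie)|req\.(query|body|params)|request\.(args|form))\b/;
function kindFor(filename) {
  return /\.(m?js|ts|jsx|tsx)$/.test(filename) ? "js" : "template";
}
// One finding per (line, matching rule): {file, line, sink, context, severity, snippet}.
function scanSource(filename, source) {
  const kind = kindFor(filename);
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const rule of SINK_RULES) {
      if (rule.kind !== kind || !rule.re.test(text)) continue;
      findings.push({
        file: filename, line: i + 1, sink: rule.name, context: rule.context,
        severity: SOURCE_RE.test(text) ? "high" : "review", snippet: text.trim(),
      });
    }
  });
  return findings;
}

// Constructed sample inputs (not taken from any real project).
const SAMPLE_JS = [
  'const out = document.getElementById("out");',
  'out.innerHTML = "Results for " + decodeURIComponent(location.hash.slice(1));',
  'out.textContent = location.search;', // textContent is not an HTML sink
  'const cfg = eval(settings);',
].join("\n");
const SAMPLE_TEMPLATE = [
  "<h1>{{ title }}</h1>",
  '<div class="bio">{{ user.bio|safe }}</div>',
  "<p>{!! $comment->body !!}</p>",
].join("\n");
for (const f of [...scanSource("search.js", SAMPLE_JS), ...scanSource("profile.html", SAMPLE_TEMPLATE)]) {
  console.log(`${f.file}:${f.line} [${f.severity}] ${f.sink} (${f.context} context): ${f.snippet}`);
}
```

Each "review" hit still needs the trace-back step (2) of the suggested workflow; the same-line source check only prioritises the obvious cases.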
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is verbose and padded with information Claude already knows—explaining what XSS is, when to use security audits, generic best practices like 'sanitize user input,' and how CSP works. The 'How It Works' section describes Claude's own behavior back to it. Nearly every section contains filler that doesn't add actionable knowledge. | 1 / 3 |
| Actionability | There is no concrete code, no executable examples, no specific detection patterns, no actual payloads, no code snippets showing what vulnerable code looks like or how to fix it. The examples describe what the skill 'will do' in abstract terms rather than providing concrete guidance Claude can follow. | 1 / 3 |
| Workflow Clarity | The 'How It Works' section lists abstract steps like 'analyzes the codebase' and 'injecting various payloads' without any concrete sequence, validation checkpoints, or error handling. There is no actual workflow Claude can follow—just a description of intended behavior with no specifics on how to perform the analysis. | 1 / 3 |
| Progressive Disclosure | The content is organized into clear sections with headers, which provides some structure. However, there are no references to external files, and content that could benefit from deeper treatment (e.g., payload lists, context-specific detection rules, remediation patterns) is either absent or inlined as vague descriptions. | 2 / 3 |
| Total | | 5 / 12 Passed |
Validation
Score: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.