
session-security-checker

Session Security Checker - Auto-activating skill for Security Fundamentals. Triggers on: session security checker, session security checker. Part of the Security Fundamentals skill category.

32

1.02x
Quality: 0% (Does it follow best practices?)

Impact: 90%, 1.02x (average score across 3 eval scenarios)

Security by Snyk: Passed. No known issues.

Optimize this skill with Tessl

npx tessl skill review --optimize ./planned-skills/generated/03-security-fundamentals/session-security-checker/SKILL.md

Quality

Discovery

0%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This description is essentially a placeholder with no substantive content. It repeats the skill name as its own trigger term, provides no concrete actions or capabilities, and lacks any explicit guidance on when Claude should select this skill. It would be nearly impossible for Claude to correctly choose this skill from a pool of available skills.

Suggestions

Add specific concrete actions the skill performs, e.g., 'Validates session token configuration, checks for session fixation vulnerabilities, audits cookie security settings, and verifies session timeout policies.'

Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about session security, session hijacking, cookie flags (HttpOnly, Secure, SameSite), session expiration, or session management best practices.'

Remove the redundant duplicate trigger term and replace with diverse, natural keywords users would actually say, such as 'session tokens', 'session fixation', 'cookie security', 'session timeout', 'CSRF', 'session management'.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | The description provides no concrete actions. 'Session Security Checker' is a name, not a description of what it does. There are no specific capabilities listed like 'validates session tokens', 'checks for session fixation vulnerabilities', etc. | 1 / 3 |
| Completeness | Neither 'what does this do' nor 'when should Claude use it' is answered. The description only states the skill name, a redundant trigger, and a category label. There is no 'Use when...' clause or equivalent. | 1 / 3 |
| Trigger Term Quality | The trigger terms are just the skill name repeated twice ('session security checker, session security checker'). No natural user keywords like 'session hijacking', 'cookie security', 'session timeout', 'token validation', or other terms a user would naturally use. | 1 / 3 |
| Distinctiveness Conflict Risk | The description is extremely generic — 'Security Fundamentals' and 'Session Security Checker' could overlap with any security-related skill. Without specific actions or triggers, it would be indistinguishable from other security skills. | 1 / 3 |
| Total | | 4 / 12 |

Passed

Implementation

0%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill is essentially a template placeholder with no substantive content. It contains no actual session security checking guidance, no code, no commands, no concrete examples, and no workflow. It fails on every dimension because it describes what a skill would do rather than actually providing the skill.

Suggestions

Add concrete, executable code examples for session security checks (e.g., validating session tokens, checking session expiration, detecting session fixation vulnerabilities).

Define a clear multi-step workflow for auditing session security, including validation checkpoints (e.g., 1. Check session configuration → 2. Validate token entropy → 3. Test for fixation → 4. Verify timeout settings).

Replace all meta-descriptions ('Provides step-by-step guidance', 'Follows industry best practices') with actual guidance—specific OWASP session management recommendations, concrete secure/insecure code comparisons, and copy-paste-ready configuration snippets.

If the topic is broad, create a concise overview in SKILL.md and reference separate files for subtopics like session fixation, token management, and cookie security settings.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The content is almost entirely filler and meta-description. It explains what the skill does in abstract terms without providing any actual security knowledge, code, or commands. Phrases like 'Provides step-by-step guidance' and 'Follows industry best practices' are empty padding. | 1 / 3 |
| Actionability | There is zero concrete, executable guidance. No code examples, no specific commands, no actual session security checks, no validation steps. The entire content describes rather than instructs—it's a placeholder, not a skill. | 1 / 3 |
| Workflow Clarity | No workflow is defined at all. There are no steps, no sequence, no validation checkpoints. For a security-related skill involving session checking, the complete absence of any procedural guidance is a critical gap. | 1 / 3 |
| Progressive Disclosure | The content is a monolithic block of vague descriptions with no references to supporting files, no structured navigation, and no separation of overview from detail. There are no bundle files to reference either, but the content itself doesn't even organize its (nonexistent) substance. | 1 / 3 |
| Total | | 4 / 12 |

Passed

Validation

81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 |

Passed

Repository: jeremylongshore/claude-code-plugins-plus-skills
Reviewed
