Session Security Checker - Auto-activating skill for Security Fundamentals. Triggers on: session security checker, session security checker Part of the Security Fundamentals skill category.
Overall score: 32

Quality: 0% (Does it follow best practices?)

Impact: 90% (1.02x average score across 3 eval scenarios)

Status: Passed. No known issues.
Quality

Discovery: 0%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is essentially a placeholder that provides no actionable information about what the skill does or when it should be used. It repeats the skill name as its only trigger term and relies entirely on the category label 'Security Fundamentals' without describing any concrete capabilities. This would be nearly impossible for Claude to correctly select from a pool of skills.
Suggestions
Add specific concrete actions the skill performs, e.g., 'Checks session tokens for expiration, validates cookie security flags (HttpOnly, Secure, SameSite), detects session fixation vulnerabilities.'
Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about session security, cookie configuration, session hijacking prevention, or token management.'
Remove the duplicate trigger term and expand with varied natural language terms users might actually say, such as 'session timeout', 'cookie flags', 'session management', 'CSRF tokens'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description provides no concrete actions. It says 'Session Security Checker' but never explains what it actually does — no mention of specific checks, validations, or outputs. | 1 / 3 |
| Completeness | Neither 'what does this do' nor 'when should Claude use it' is meaningfully answered. The description only states a name and category without explaining functionality or explicit usage triggers. | 1 / 3 |
| Trigger Term Quality | The only trigger terms listed are 'session security checker' repeated twice, which is not a natural phrase users would say. Missing natural terms like 'session hijacking', 'cookie security', 'session fixation', 'token validation', etc. | 1 / 3 |
| Distinctiveness / Conflict Risk | The description is too vague to distinguish from other security-related skills. 'Security Fundamentals' is broad and 'session security checker' without concrete actions could overlap with many security analysis skills. | 1 / 3 |
| Total | | 4 / 12 Passed |
Implementation: 0%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is an empty shell with no substantive content. It consists entirely of boilerplate meta-descriptions about what the skill supposedly does without providing any actual session security checking guidance, code examples, vulnerability patterns, or actionable instructions. It fails on every dimension of the rubric.
Suggestions
Add concrete, executable code examples for session security checks (e.g., validating session tokens, checking for session fixation, verifying secure cookie attributes).
Define a clear workflow with specific steps: e.g., 1) Check session configuration, 2) Validate token entropy, 3) Verify cookie flags (HttpOnly, Secure, SameSite), 4) Test for session fixation vulnerabilities.
Remove all meta-description sections ('Purpose', 'When to Use', 'Example Triggers') and replace with actionable security checklists, code snippets, and specific OWASP references.
Include concrete examples of insecure vs. secure session configurations with specific language/framework code (e.g., Express.js session middleware, Flask session config).
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is almost entirely filler and meta-description. It explains what the skill does in abstract terms without providing any actual security knowledge, code, or actionable content. Every section restates the same vague idea. | 1 / 3 |
| Actionability | There is zero concrete guidance—no code, no commands, no specific security checks, no examples of session vulnerabilities or how to detect them. The content only describes rather than instructs. | 1 / 3 |
| Workflow Clarity | No workflow, steps, or process is defined. The skill claims to provide 'step-by-step guidance' but includes none. There are no validation checkpoints or any sequenced instructions. | 1 / 3 |
| Progressive Disclosure | The content is a flat, monolithic block of vague descriptions with no references to detailed materials, no links to related files, and no structured navigation to deeper content. | 1 / 3 |
| Total | | 4 / 12 Passed |
Validation: 81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |