This skill enables Claude to validate Cross-Origin Resource Sharing (CORS) policies. It uses the cors-policy-validator plugin to analyze CORS configurations and identify potential security vulnerabilities. Use this skill when the user requests to "validate CORS policy", "check CORS configuration", "analyze CORS headers", or asks about "CORS security". It helps ensure that CORS policies are correctly implemented, preventing unauthorized cross-origin requests and protecting sensitive data.
62
48%
Does it follow best practices?
Impact
83%
1.07x Average score across 3 eval scenarios
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./backups/skills-batch-20251204-000554/plugins/security/cors-policy-validator/skills/cors-policy-validator/SKILL.md
Quality
Discovery
89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-structured skill description with explicit trigger guidance and a clear niche. Its main weakness is that the specific capabilities could be more granular—listing concrete actions like 'check allowed origins', 'validate preflight responses', or 'audit Access-Control headers' would strengthen specificity. Overall, it performs well for skill selection purposes.
Suggestions
Add more specific concrete actions beyond 'analyze' and 'identify', such as 'check allowed origins, validate preflight responses, audit Access-Control-Allow-* headers' to improve specificity.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain (CORS policy validation) and some actions ('analyze CORS configurations', 'identify potential security vulnerabilities'), but doesn't list multiple specific concrete actions like checking specific headers, testing preflight requests, or validating allowed origins. | 2 / 3 |
| Completeness | Clearly answers both 'what' (validates CORS policies, analyzes configurations, identifies security vulnerabilities) and 'when' with an explicit 'Use this skill when...' clause listing specific trigger phrases. | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms: 'validate CORS policy', 'check CORS configuration', 'analyze CORS headers', 'CORS security'. These cover multiple natural phrasings a user would actually say when needing this skill. | 3 / 3 |
| Distinctiveness Conflict Risk | CORS policy validation is a very specific niche. The triggers are narrowly scoped to CORS-related terms, making it unlikely to conflict with general security or web development skills. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
7%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill content is essentially a marketing description rather than actionable instructions. It lacks any concrete code, commands, plugin invocation syntax, or example outputs. The content repeatedly describes what the skill does in abstract terms without ever showing Claude how to actually perform CORS validation.
Suggestions
Add concrete, executable examples showing exactly how to invoke the cors-policy-validator plugin, including the specific command or function call syntax and expected input/output formats.
Remove the 'Overview', 'When to Use This Skill', and 'Integration' sections entirely — this information is already in the frontmatter description and wastes tokens.
Provide a real example CORS configuration (e.g., a sample JSON snippet) and show the exact plugin output/report format so Claude knows what to produce.
Add validation checkpoints and error handling guidance — what should Claude do if the plugin returns errors, if the file format is wrong, or if the endpoint is unreachable?
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is verbose and padded with unnecessary context. Sections like 'Overview', 'When to Use This Skill', and 'Integration' explain things Claude already knows or repeat the frontmatter description. Phrases like 'This skill empowers Claude' and 'helping developers build more secure web applications' are filler that waste tokens. | 1 / 3 |
| Actionability | There is no concrete, executable code, no specific commands, no actual plugin invocation syntax, and no example output. The examples describe what the skill 'will do' in abstract terms rather than showing how to actually invoke the cors-policy-validator plugin or what the output looks like. There's nothing copy-paste ready. | 1 / 3 |
| Workflow Clarity | The steps listed are vague and abstract ('Read the file', 'Use the plugin to analyze', 'Output a report') with no validation checkpoints, no error handling, and no concrete commands. There is no feedback loop for when validation fails or when the plugin encounters issues. | 1 / 3 |
| Progressive Disclosure | The content is organized into sections with headers, which provides some structure. However, there are no references to external files, no bundle files to reference, and content that could be more concise is spread across multiple sections that largely repeat the same information. | 2 / 3 |
| Total | 5 / 12 Passed | |
Validation
81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |
9be4627