Xss Vulnerability Scanner - Auto-activating skill for Security Fundamentals. Triggers on: xss vulnerability scanner, xss vulnerability scanner. Part of the Security Fundamentals skill category.
34
Quality: 3% (Does it follow best practices?)
Impact: 86% (1.00x average score across 3 eval scenarios)
Passed: No known issues
Optimize this skill with Tessl: npx tessl skill review --optimize ./planned-skills/generated/03-security-fundamentals/xss-vulnerability-scanner/SKILL.md

Quality
Discovery: 7%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is severely underdeveloped, functioning more as a placeholder than a useful skill description. It lacks any concrete actions, meaningful trigger terms, or guidance on when to use the skill. The redundant trigger term and boilerplate category reference provide no value for skill selection.
Suggestions
Add specific capabilities: 'Scans web applications for reflected, stored, and DOM-based XSS vulnerabilities. Analyzes input fields, URL parameters, and JavaScript code for injection points.'
Add a proper 'Use when...' clause: 'Use when the user mentions XSS, cross-site scripting, script injection, web application security testing, or needs to check HTML/JavaScript for vulnerabilities.'
Include natural trigger term variations: 'XSS', 'cross-site scripting', 'script injection', 'web security', 'injection vulnerability', 'sanitize input'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description only names the tool ('Xss Vulnerability Scanner') without describing any concrete actions. There are no specific capabilities listed like 'scans input fields', 'detects reflected/stored XSS', or 'generates reports'. | 1 / 3 |
| Completeness | The description fails to answer 'what does this do' beyond the name, and provides no 'when should Claude use it' guidance. The 'Triggers on' field is not a proper 'Use when...' clause and just repeats the skill name. | 1 / 3 |
| Trigger Term Quality | The trigger terms are redundant ('xss vulnerability scanner' listed twice) and overly specific. Missing natural variations users would say like 'XSS', 'cross-site scripting', 'script injection', 'web security scan', or 'check for XSS'. | 1 / 3 |
| Distinctiveness / Conflict Risk | The XSS focus provides some specificity within security tools, but the 'Security Fundamentals' category is vague. Could potentially conflict with other security scanning or vulnerability assessment skills without clearer boundaries. | 2 / 3 |
| Total | | 5 / 12 (Passed) |
Implementation: 0%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill content is entirely generic boilerplate with no actual XSS vulnerability scanning guidance. It lacks any concrete code, scanning techniques, payload examples, tool recommendations, or workflow for identifying and validating XSS vulnerabilities. The content could apply to virtually any topic by replacing 'xss vulnerability scanner' with any other phrase.
Suggestions
Add concrete code examples for XSS detection, such as payload injection tests, DOM inspection scripts, or integration with tools like OWASP ZAP or Burp Suite
Define a clear workflow: 1) Identify input vectors, 2) Test with specific payloads, 3) Validate findings, 4) Document vulnerabilities with severity ratings
Include specific XSS payload examples (reflected, stored, DOM-based) and how to safely test them
Remove generic boilerplate sections ('Capabilities', 'Example Triggers') and replace with actionable scanning procedures and validation steps
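One concrete shape for steps 1 to 3 of the suggested workflow, covering reflected XSS only (stored and DOM-based findings need a different harness), as an added example that is not code from the reviewed skill or from Tessl: a canary-based probe injects HTML metacharacters into one parameter at a time, locates the reflection in the response, and reports which characters came back un-encoded. The `fake_server` endpoint, the target URL, the parameter names and the severity labels are all constructed for this demonstration; against a real target the `fetch` callable would be an HTTP client, and the probe should only be run with authorization.

```python
"""Canary-based reflected-XSS probe (added example, not the reviewed skill's code)."""
import html
import secrets
from typing import Callable, Dict, List
from urllib.parse import parse_qs, urlencode, urlparse

# Metacharacters a payload needs in order to break out of an HTML text or attribute context.
PROBE_CHARS = '<>"\''


def make_probe(canary: str) -> str:
    """Wrap the metacharacters in a unique canary so the reflection is easy to locate."""
    return f"{canary}{PROBE_CHARS}{canary}"


def rate(surviving: str) -> str:
    """Illustrative severity: '<' surviving means a new tag can be opened; only quotes
    surviving means an attribute breakout; nothing surviving means the sink encodes."""
    if "<" in surviving:
        return "high"
    if surviving:
        return "medium"
    return "info"  # reflected but encoded: worth recording, not exploitable as-is


def analyse_reflection(body: str, canary: str) -> dict:
    """Find the probe in a response and report which metacharacters came back un-encoded."""
    start = body.find(canary)
    if start == -1:
        return {"reflected": False, "unencoded": "", "severity": None}
    end = body.find(canary, start + len(canary))
    # A missing second canary means the value was reflected but truncated or rewritten.
    between = body[start + len(canary):end] if end != -1 else ""
    surviving = "".join(c for c in PROBE_CHARS if c in between)
    return {"reflected": True, "unencoded": surviving, "severity": rate(surviving)}


def probe_parameters(fetch: Callable[[str], str], url: str, params: Dict[str, str]) -> List[dict]:
    """Step 1-3: inject the probe into each parameter in turn and analyse every response."""
    findings = []
    for name in params:
        canary = "xss" + secrets.token_hex(4)  # fresh canary per request avoids cross-talk
        mutated = dict(params, **{name: make_probe(canary)})
        body = fetch(f"{url}?{urlencode(mutated)}")
        finding = analyse_reflection(body, canary)
        finding["param"] = name
        findings.append(finding)
    return findings


def fake_server(request_url: str) -> str:
    """Constructed stand-in for an HTTP GET, so the example runs offline:
    'q' is echoed raw (vulnerable), 'name' is HTML-escaped (safe), 'page' is never echoed."""
    qs = parse_qs(urlparse(request_url).query)
    q = qs.get("q", [""])[0]
    name = qs.get("name", [""])[0]
    return (f"<html><body><p>Results for {q}</p>"
            f'<input name="who" value="{html.escape(name, quote=True)}">'
            f"</body></html>")


def run_demo() -> List[dict]:
    """Probe the constructed endpoint; returns one finding per parameter (hypothetical target URL)."""
    return probe_parameters(fake_server, "https://target.example/search",
                            {"q": "shoes", "name": "alice", "page": "1"})


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['param']:<5} reflected={str(f['reflected']):<5} "
              f"unencoded={f['unencoded']!r:<8} severity={f['severity']}")
```

Against the constructed endpoint, `q` comes back with all four metacharacters intact (high), `name` is reflected but encoded (info), and `page` is not reflected at all. The canary split makes the check robust to a value being echoed more than once, but this probe only reasons about HTML text and attribute sinks; a value landing inside a `<script>` block or a JavaScript event handler needs a separate check for the characters that matter there.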
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is padded with generic boilerplate that explains nothing specific about XSS vulnerability scanning. Phrases like 'provides automated assistance' and 'follows industry best practices' are filler that Claude already understands. | 1 / 3 |
| Actionability | No concrete code, commands, or specific techniques for XSS scanning are provided. The content describes what the skill does abstractly but gives zero executable guidance on how to actually scan for XSS vulnerabilities. | 1 / 3 |
| Workflow Clarity | No workflow, steps, or process is defined. For a security scanning task that involves multiple steps (identifying injection points, testing payloads, validating findings), there is no sequence or validation checkpoints provided. | 1 / 3 |
| Progressive Disclosure | The content is a monolithic block of generic text with no references to detailed materials, examples, or supporting documentation. No structure for navigating to more detailed XSS scanning techniques or tools. | 1 / 3 |
| Total | | 4 / 12 (Passed) |
Validation: 81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation: 9 / 11 passed
Validation for skill structure

| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 passed | |
994edc4