xss-vulnerability-scanner

Xss Vulnerability Scanner - Auto-activating skill for Security Fundamentals. Triggers on: xss vulnerability scanner, xss vulnerability scanner Part of the Security Fundamentals skill category.

Quality: 3% (1.00x). Does it follow best practices?

Impact: 86% (1.00x). Average score across 3 eval scenarios.

Security (by Snyk): Passed. No known issues.

Optimize this skill with Tessl:

npx tessl skill review --optimize ./planned-skills/generated/03-security-fundamentals/xss-vulnerability-scanner/SKILL.md
Quality

Discovery: 7%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This description is extremely weak—it is essentially just the skill name restated with no substantive content. It lacks concrete actions, meaningful trigger terms, and any 'Use when...' guidance. It would be nearly indistinguishable from other security-related skills in a large skill library and provides no useful information for Claude to make selection decisions.

Suggestions

Add specific concrete actions the skill performs, e.g., 'Scans web application code for cross-site scripting vulnerabilities, identifies unsanitized user inputs, and suggests remediation patterns.'

Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user mentions XSS, cross-site scripting, script injection, input sanitization, web security scanning, or needs to audit HTML/JavaScript for injection vulnerabilities.'

Remove the duplicate trigger term ('xss vulnerability scanner' is listed twice) and expand with varied natural language terms users would actually use.

Dimension, reasoning and score

Specificity (1 / 3): The description names the domain ('XSS vulnerability scanner') but provides no concrete actions. There is no mention of what the skill actually does—no verbs like 'scan', 'detect', 'analyze', 'report', or any specific capabilities.

Completeness (1 / 3): The description fails to answer 'what does this do' beyond naming itself, and the 'when' clause is essentially just the skill name repeated. There is no explicit 'Use when...' guidance or meaningful trigger context.

Trigger Term Quality (1 / 3): The only trigger term listed is 'xss vulnerability scanner', repeated twice. It misses natural variations users would say, such as 'XSS', 'cross-site scripting', 'script injection', 'web security scan', 'input sanitization', etc.

Distinctiveness Conflict Risk (2 / 3): The mention of 'XSS vulnerability scanner' provides some specificity within the security domain, distinguishing it from general security skills. However, the lack of detail about what it does versus other security scanning skills creates potential overlap.

Total: 5 / 12

Passed

Implementation: 0%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill is an empty shell with no substantive content. It consists entirely of auto-generated boilerplate that describes what the skill would do without actually providing any instructions, code, techniques, or actionable guidance for XSS vulnerability scanning. It fails on every dimension of the rubric.

Suggestions

Add concrete, executable code examples for XSS scanning (e.g., Python scripts using libraries like BeautifulSoup or custom payloads, or integration with tools like ZAP or Burp Suite).

Define a clear multi-step workflow: identify injection points → craft test payloads → send requests → analyze responses → validate findings, with explicit validation checkpoints.

Replace all boilerplate meta-descriptions ('This skill provides...', 'Capabilities include...') with actual technical content covering reflected, stored, and DOM-based XSS detection techniques.

Add specific XSS payload examples, common vulnerable patterns to look for, and safe testing practices to make the skill immediately actionable.

Dimension, reasoning and score

Conciseness (1 / 3): The content is entirely filler and boilerplate. It explains nothing Claude doesn't already know, repeats 'xss vulnerability scanner' excessively, and provides zero actual technical content about XSS scanning.

Actionability (1 / 3): There is no concrete guidance whatsoever—no code, no commands, no specific techniques, no tool recommendations, no examples of XSS payloads or detection patterns. Every section is vague and abstract.

Workflow Clarity (1 / 3): No workflow is defined. The skill claims to provide 'step-by-step guidance' but contains zero actual steps. There are no validation checkpoints or any process description.

Progressive Disclosure (1 / 3): The content is a flat, repetitive structure with no meaningful organization. There are no references to detailed materials, no links to examples or advanced content, and the sections are all meta-descriptions rather than actual content.

Total: 4 / 12

Passed

Validation: 81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 passed

Validation for skill structure

Criteria, description and result

allowed_tools_field: 'allowed-tools' contains unusual tool name(s). Result: Warning

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 9 / 11

Passed

Repository: jeremylongshore/claude-code-plugins-plus-skills (reviewed)
