Establish a security baseline for a website or web app. Use this skill when configuring HTTPS and TLS, setting security headers, planning secrets management, evaluating CSP policies, doing a basic security audit, or hardening a site before launch. Triggers on security headers, HTTPS, TLS, CSP, content security policy, HSTS, secrets management, vulnerability scan, security audit, harden, OWASP, security baseline. Also triggers when a security review is required for compliance or before going live.
67
81%
Does it follow best practices?
Impact: not scored (no eval scenarios have been run)
Passed: no known issues
Quality
Discovery: 100%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, well-crafted skill description that clearly defines its scope (web security baseline), lists concrete actions, and provides extensive trigger terms covering both acronyms and natural language variations. The explicit 'Use this skill when...' clause combined with the 'Triggers on' keyword list makes it highly effective for skill selection. The description is concise yet comprehensive, with minimal fluff.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: configuring HTTPS/TLS, setting security headers, planning secrets management, evaluating CSP policies, doing a basic security audit, and hardening a site before launch. | 3 / 3 |
| Completeness | Clearly answers both 'what' (establish a security baseline for a website/web app with specific actions listed) and 'when' (explicit 'Use this skill when...' clause plus a dedicated 'Triggers on' list and additional contextual triggers). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say, including both acronyms and full forms (CSP, content security policy, HSTS, HTTPS, TLS), action-oriented terms (harden, security audit, vulnerability scan), and well-known frameworks (OWASP). Also includes contextual triggers like 'before going live' and 'compliance'. | 3 / 3 |
| Distinctiveness / Conflict Risk | Clearly scoped to web security hardening and baseline configuration, with highly specific trigger terms like HSTS, CSP, OWASP, and security headers that are unlikely to conflict with general web development or other security-adjacent skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 62%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a comprehensive security baseline skill with strong workflow structure and useful reference tables, but it tries to be both an overview and a deep reference in a single file. The actionability suffers from a lack of executable examples—no server config snippets, no CLI commands for verification, no automation scripts. The content would benefit from splitting detailed sections into reference files and adding concrete implementation examples.
Suggestions
Add executable examples: nginx/Apache/Caddy config snippets for setting security headers, curl commands for verifying headers, and example security.txt content.
Move the CSP deep-dive, compliance touchpoints, and failure patterns into separate reference files to keep SKILL.md as a lean overview with clear pointers.
Add a concrete verification command or script in Step 5 (e.g., `curl -I https://example.com | grep -i strict-transport`) instead of just 'verify with a scanner'.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is generally well-organized and avoids explaining basic concepts Claude already knows, but it's quite long (~250 lines) with some sections that could be tightened. The 'What CSP does' explanation, the compliance touchpoints section, and some of the 'When NOT to use' cross-references add bulk. The failure patterns section repeats guidance already covered in the layers. However, most content earns its place as a reference checklist. | 2 / 3 |
| Actionability | The skill provides concrete header values in a table and example CSP directives, which is good. However, it lacks executable code or commands for implementation: no server config snippets (nginx/Apache/CDN), no curl commands for verification, no script examples for scanning or monitoring setup. The workflow steps are directional ('use a free scanner', 'make the change') rather than copy-paste ready. | 2 / 3 |
| Workflow Clarity | The 8-step workflow is clearly sequenced with logical progression from scanning to documentation to scheduling reviews. Step 5 explicitly includes a validation loop (make change → test in non-prod → verify with scanner → roll out → re-verify in production). The CSP rollout has its own graduated deployment workflow with report-only mode as a validation checkpoint. The prioritization framework in Step 4 is practical and well-structured. | 3 / 3 |
| Progressive Disclosure | The skill references a bundle file (references/headers-checklist.md) and cross-references other skills (incident-response, code-review-web, etc.), which is good. However, the main file is quite long and monolithic: the CSP section, compliance touchpoints, and failure patterns could each be separate reference files. The inline content is heavy for a SKILL.md that should serve as an overview. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation: 90%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |