CtrlK
BlogDocsLog inGet started
Tessl Logo

security-baseline

Establish a security baseline for a website or web app. Use this skill when configuring HTTPS and TLS, setting security headers, planning secrets management, evaluating CSP policies, doing a basic security audit, or hardening a site before launch. Triggers on security headers, HTTPS, TLS, CSP, content security policy, HSTS, secrets management, vulnerability scan, security audit, harden, OWASP, security baseline. Also triggers when a security review is required for compliance or before going live.

74

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

85%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A well-structured, highly actionable security-baseline guide with concrete header values, a sequenced workflow containing validation checkpoints, and a properly signaled one-level reference file. Its main weakness is mild verbosity from explaining known concepts and some duplication with the reference checklist.

Suggestions

Trim explanations of concepts Claude already knows (e.g., the 'What CSP does' paragraph and the one-line 'How data moves...' glosses) to tighten conciseness.

Reduce duplication between the inline Layer 2 header table / CSP section and references/headers-checklist.md by keeping only a compact overview inline and deferring full values to the reference.

Consider offloading the 'Failure patterns' and 'Common compliance touchpoints' sections to a reference file so SKILL.md reads more as an overview pointing to detailed materials.

DimensionReasoningScore

Conciseness

Mostly efficient with concrete bullet values, but includes explanations of concepts Claude already knows ('CSP tells the browser which sources are allowed', 'How data moves from server to client') and some duplication between the inline header/CSP material and the reference checklist; not 3 because not every token earns its place, not 1 because the bulk is actionable rather than padded prose.

2 / 3

Actionability

Provides concrete, copy-paste-ready guidance: exact header values ('max-age=31536000; includeSubDomains'), full strict-CSP header strings, named scanners (securityheaders.com, observatory.mozilla.org), and an explicit 8-step workflow; matches the fully-executable/copy-paste-ready anchor.

3 / 3

Workflow Clarity

The 8-step Workflow is clearly sequenced with explicit validation checkpoints ('Test in a non-production environment', 'Verify with a scanner', 'Re-verify in production') and the CSP rollout gives a Report-Only→enforce feedback loop, matching the clear-sequence-with-validation anchor.

3 / 3

Progressive Disclosure

Well-organized sections with a single clearly-signaled, one-level-deep reference ('references/headers-checklist.md', verified to exist) holding the detailed tiered checklist; the inline body serves as the framework overview while detail lives in the reference, matching the clear-overview-with-one-level-deep-references anchor.

3 / 3

Total

11

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong, third-person description that clearly states capabilities, provides extensive natural trigger terms, answers both what and when, and occupies a distinct niche. The explicit 'Use when'/'Triggers on' structure matches the top anchor on every dimension.

DimensionReasoningScore

Specificity

Lists multiple concrete actions — 'configuring HTTPS and TLS, setting security headers, planning secrets management, evaluating CSP policies, doing a basic security audit, or hardening a site before launch' — matching the multiple-specific-actions anchor; not the level below because it is comprehensive rather than naming only a domain and some actions.

3 / 3

Completeness

Explicitly states what ('Establish a security baseline for a website or web app' plus the action list) and when ('Use this skill when...', 'Triggers on...', 'Also triggers when...'), matching the both-what-and-when-with-explicit-triggers anchor.

3 / 3

Trigger Term Quality

The 'Triggers on security headers, HTTPS, TLS, CSP, content security policy, HSTS, secrets management, vulnerability scan, security audit, harden, OWASP, security baseline' list gives broad coverage of natural terms users would say; not 2 because it covers common variations rather than just a few keywords.

3 / 3

Distinctiveness Conflict Risk

Carves a clear web-security-baseline niche with distinct triggers (HSTS, CSP, security baseline, OWASP) that are unlikely to fire for unrelated skills; not 2 because the triggers are specific rather than merely 'somewhat specific'.

3 / 3

Total

12

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
rampstackco/claude-skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.