Secure AI agent APIs with Spring Security 7 - RBAC, method security, OAuth2, and per-user agent access control
Overall score: 90%
Does it follow best practices?
Impact: 92% (1.24x average score across 3 eval scenarios)
Passed: no known issues
Quality
Discovery (100%)
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines a specific niche at the intersection of Spring Security 7 and Spring AI agents. It provides concrete actions, explicit trigger guidance with a 'Use when...' clause, and includes natural keywords developers would use. The description is concise yet comprehensive, making it easy for Claude to select appropriately.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: implementing RBAC for AI agents, per-user tool access, OAuth2 authentication, method-level security on tool methods, and securing ChatClient endpoints. | 3 / 3 |
| Completeness | Clearly answers both what ('Secure Spring AI agent endpoints with Spring Security 7') and when ('Use when implementing RBAC for AI agents, per-user tool access, OAuth2 authentication, method-level security on tool methods, or securing ChatClient endpoints'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'Spring Security', 'RBAC', 'OAuth2', 'tool access', 'ChatClient endpoints', 'Spring AI agent'. These cover the domain well and match how developers would phrase requests. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche combining Spring Security 7 specifically with Spring AI agents. The intersection of AI agent security, RBAC, and Spring-specific tooling makes it very unlikely to conflict with generic security or generic AI skills. | 3 / 3 |
| Total | | 12 / 12 (Passed) |
Implementation (77%)
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, highly actionable skill with excellent workflow clarity including validation checkpoints at each step. The code examples are complete and executable, covering the full spectrum from SecurityFilterChain to per-user ChatClient wiring. The main weakness is that the content is somewhat long for a single SKILL.md—some sections like JWT configuration and user management could be split into referenced files for better progressive disclosure.
Suggestions:
- Consider moving the JWT/OAuth2 Resource Server section and the UserDetails/User Management section into separate referenced files (e.g., JWT.md, USER_MANAGEMENT.md) to keep SKILL.md as a concise overview.
- The breaking changes list could be trimmed to just the 2-3 most impactful items with a pointer to MIGRATION.md for the full list, since it is already referenced.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is mostly efficient with good code examples, but includes some sections that could be tightened, e.g., the UserDetails in-memory section is somewhat verbose for what Claude already knows, and the breaking changes list is lengthy. However, most content earns its place given the complexity of the topic. | 2 / 3 |
| Actionability | Fully executable Java code examples throughout: SecurityFilterChain, tool annotations with @PreAuthorize, JWT configuration, ChatController wiring, role hierarchy beans, and meta-annotations. All code is copy-paste ready with realistic patterns. | 3 / 3 |
| Workflow Clarity | The Quick-Start Workflow section provides a clear 6-step sequence with explicit checkpoints after each step (e.g., 'app starts, all endpoints return 401', 'can authenticate', 'role-restricted paths enforce access'). This is an excellent validation-driven workflow for a multi-step security configuration. | 3 / 3 |
| Progressive Disclosure | There is one reference to MIGRATION.md for breaking changes, which is good. However, the skill is quite long (~200 lines of substantive content) and could benefit from splitting the JWT/OAuth2 configuration and UserDetails sections into separate reference files, keeping SKILL.md as a leaner overview. | 2 / 3 |
| Total | | 10 / 12 (Passed) |
Validation (100%)
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation for skill structure: 11 / 11 passed.
No warnings or errors.