Name: jbaruch/spring-security-ai
Rating: 90.4 (1 reviews)
Author: jbaruch

Blog Docs Log in Get started

jbaruch/spring-security-ai

Secure AI agent APIs with Spring Security 7 - RBAC, method security, OAuth2, and per-user agent access control

1.24x

Quality

90%

Does it follow best practices?

Impact

92%

1.24x

Average score across 3 eval scenarios

Securityby

Passed

No known issues

Quality

Content

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a strong, highly actionable skill with excellent workflow clarity including validation checkpoints at each step. The code examples are complete and executable, covering the full spectrum from SecurityFilterChain to per-user ChatClient wiring. The main weakness is that the content is somewhat long for a single SKILL.md—some sections like JWT configuration and user management could be split into referenced files for better progressive disclosure.

Suggestions

Consider moving the JWT/OAuth2 Resource Server section and UserDetails/User Management section into separate referenced files (e.g., JWT.md, USER_MANAGEMENT.md) to keep SKILL.md as a concise overview

The breaking changes list could be trimmed to just the 2-3 most impactful items with a pointer to MIGRATION.md for the full list, since it's already referenced

Dimension	Reasoning	Score
Conciseness	The content is mostly efficient with good code examples, but includes some sections that could be tightened—e.g., the UserDetails in-memory section is somewhat verbose for what Claude already knows, and the breaking changes list is lengthy. However, most content earns its place given the complexity of the topic.	2 / 3
Actionability	Fully executable Java code examples throughout—SecurityFilterChain, tool annotations with @PreAuthorize, JWT configuration, ChatController wiring, role hierarchy beans, and meta-annotations. All code is copy-paste ready with realistic patterns.	3 / 3
Workflow Clarity	The Quick-Start Workflow section provides a clear 6-step sequence with explicit checkpoints after each step (e.g., 'app starts, all endpoints return 401', 'can authenticate', 'role-restricted paths enforce access'). This is an excellent validation-driven workflow for a multi-step security configuration.	3 / 3
Progressive Disclosure	There is one reference to MIGRATION.md for breaking changes, which is good. However, the skill is quite long (~200 lines of substantive content) and could benefit from splitting the JWT/OAuth2 configuration and UserDetails sections into separate reference files, keeping SKILL.md as a leaner overview.	2 / 3
	Total	10 / 12 Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description that clearly defines a specific niche at the intersection of Spring Security 7 and Spring AI agents. It provides concrete actions, explicit trigger guidance with a 'Use when...' clause, and includes natural keywords developers would use. The description is concise yet comprehensive, making it easy for Claude to select appropriately.

Dimension	Reasoning	Score
Specificity	Lists multiple specific concrete actions: implementing RBAC for AI agents, per-user tool access, OAuth2 authentication, method-level security on tool methods, and securing ChatClient endpoints.	3 / 3
Completeness	Clearly answers both what ('Secure Spring AI agent endpoints with Spring Security 7') and when ('Use when implementing RBAC for AI agents, per-user tool access, OAuth2 authentication, method-level security on tool methods, or securing ChatClient endpoints').	3 / 3
Trigger Term Quality	Includes strong natural keywords users would say: 'Spring Security', 'RBAC', 'OAuth2', 'tool access', 'ChatClient endpoints', 'Spring AI agent'. These cover the domain well and match how developers would phrase requests.	3 / 3
Distinctiveness Conflict Risk	Highly distinctive niche combining Spring Security 7 specifically with Spring AI agents. The intersection of AI agent security, RBAC, and Spring-specific tooling makes it very unlikely to conflict with generic security or generic AI skills.	3 / 3
	Total	12 / 12 Passed

Validation

100%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Reviewed

2 months ago

Table of Contents

Discovery Implementation Validation