Django security best practices, authentication, authorization, CSRF protection, SQL injection prevention, XSS prevention, and secure deployment configurations.
71%
Does it follow best practices?
Impact: Pending (no eval scenarios have been run)
Quality: Passed (no known issues)
Discovery (82%)
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description is strong in specificity and trigger terms, listing concrete Django security topics that developers would naturally search for. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill over others. Adding trigger guidance would elevate this from a good description to an excellent one.
Suggestions
- Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about securing a Django application, hardening Django settings, or preventing common web vulnerabilities in Django projects.'
- Consider adding file/setting references users might mention, such as 'settings.py security settings', 'Django middleware configuration', or 'ALLOWED_HOSTS' to improve trigger matching.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions/topics: authentication, authorization, CSRF protection, SQL injection prevention, XSS prevention, and secure deployment configurations. These are clearly defined security domains. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' by listing security topics, but lacks an explicit 'Use when...' clause or equivalent trigger guidance. The when is only implied by the topic listing, which caps this at 2 per the rubric guidelines. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'Django security', 'authentication', 'authorization', 'CSRF', 'SQL injection', 'XSS', 'secure deployment'. These are terms developers naturally use when seeking help with Django security. | 3 / 3 |
| Distinctiveness / Conflict Risk | The combination of 'Django' with specific security concerns (CSRF, SQL injection, XSS) creates a clear niche. This is unlikely to conflict with general Django skills or general security skills due to the specific intersection of both domains. | 3 / 3 |
| Total | | 11 / 12 (Passed) |
Implementation (42%)
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides comprehensive, actionable Django security code examples that are copy-paste ready, which is its primary strength. However, it is excessively verbose for a skill file — much of this is standard Django documentation that Claude already knows. The monolithic structure with no progressive disclosure and lack of a sequenced workflow with validation checkpoints significantly reduce its effectiveness as a skill.
Suggestions
- Reduce content to only non-obvious configurations and patterns — remove standard Django defaults like password validators, basic ORM usage, and the AJAX CSRF cookie function that are well-documented elsewhere.
- Split into a concise SKILL.md overview with links to sub-files (e.g., AUTHENTICATION.md, CSRF.md, API_SECURITY.md) for progressive disclosure.
- Add a deployment security workflow with explicit validation: e.g., '1. Configure settings 2. Run `python manage.py check --deploy` 3. Fix any warnings 4. Verify headers with curl'.
- Remove explanatory comments that state the obvious (e.g., '# CRITICAL: Never use True in production' next to `DEBUG = False`) and the closing platitude.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at ~400+ lines. Explains many concepts Claude already knows (what CSRF is, how Django ORM escaping works, basic permission patterns). Includes boilerplate code like the full AJAX cookie-fetching function and standard password validators that are well-documented Django defaults. The closing platitude 'Security is a process, not a product' is unnecessary filler. | 1 / 3 |
| Actionability | Provides fully executable, copy-paste ready code examples throughout — production settings, custom user models, permission classes, file validators, rate limiting configs, middleware, and logging setup. Code is concrete and specific with clear GOOD/BAD annotations. | 3 / 3 |
| Workflow Clarity | The checklist at the end provides a useful summary, but there's no clear sequenced workflow for securing a Django application. No validation steps (e.g., 'run `python manage.py check --deploy` to verify settings'). The content reads as a reference catalog rather than a guided process with checkpoints. | 2 / 3 |
| Progressive Disclosure | Monolithic wall of content with no references to external files. All topics — authentication, authorization, CSRF, XSS, SQL injection, file uploads, API security, CSP, environment variables, logging — are inlined in a single massive document. This would benefit enormously from splitting into focused sub-files with a concise overview linking to them. | 1 / 3 |
| Total | | 7 / 12 (Passed) |
Validation (90%)
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (593 lines); consider splitting into references/ and linking | Warning |
| Total | 10 / 11 Passed | |