Spring Security best practices for authn/authz, validation, CSRF, secrets, headers, rate limiting, and dependency security in Java Spring Boot services.
Overall score: 68%
Impact: Pending (no eval scenarios have been run)
Passed: No known issues

Quality

Discovery: 54%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description effectively identifies its niche domain (Spring Security for Java Spring Boot) and includes strong trigger terms that developers would naturally use. However, it lacks concrete action verbs describing what the skill actually does and critically omits any 'Use when...' guidance, making it harder for Claude to know when to select this skill over others.
Suggestions
Add a 'Use when...' clause such as 'Use when the user asks about securing Spring Boot applications, configuring authentication/authorization, preventing CSRF attacks, or reviewing security configurations.'
Replace 'best practices' with specific actions like 'Reviews and configures authentication flows, implements CSRF protection, audits dependency vulnerabilities, and enforces security headers in Java Spring Boot services.'
Consider adding file type or pattern triggers like 'SecurityConfig.java', 'application.yml security settings', or 'pom.xml dependency audit' to help with skill selection.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain (Spring Security) and lists several topic areas (authn/authz, validation, CSRF, secrets, headers, rate limiting, dependency security), but these are categories rather than concrete actions. It says 'best practices' but doesn't specify what actions it performs (e.g., 'configures CSRF protection', 'reviews authentication flows'). | 2 / 3 |
| Completeness | The description answers 'what' at a high level (best practices for various security topics) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per the rubric, a missing 'Use when...' clause caps completeness at 2, and the 'what' is also somewhat weak (topics listed, not actions), so this scores a 1. | 1 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'Spring Security', 'authn/authz', 'CSRF', 'rate limiting', 'secrets', 'headers', 'Java Spring Boot', 'dependency security', 'validation'. These cover a good range of terms a developer would naturally use when seeking security guidance. | 3 / 3 |
| Distinctiveness / Conflict Risk | The description is clearly scoped to Spring Security in Java Spring Boot services, which is a distinct niche. The combination of specific security topics (CSRF, authn/authz, rate limiting) with the Spring Boot framework makes it unlikely to conflict with other skills. | 3 / 3 |
| Total | | 9 / 12 (Passed) |
Implementation: 64%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable security reference with excellent concrete code examples covering the major Spring Security concerns. Its main weaknesses are its monolithic structure (no progressive disclosure to separate files for this breadth of topics) and the lack of sequenced workflows with validation checkpoints for implementing security configurations. Some minor verbosity exists in explaining concepts Claude already understands.
Suggestions
Split detailed code examples (Rate Limiting, CORS, JWT filter) into separate reference files and link from SKILL.md to reduce monolithic size and improve progressive disclosure.
Add a sequenced implementation workflow (e.g., '1. Configure SecurityFilterChain → 2. Add auth filter → 3. Test with curl → 4. Verify 401 on unauthed request') with explicit validation checkpoints.
Remove explanations of concepts Claude already knows (e.g., 'never store plaintext', what SQL injection is) and keep only the Spring-specific guidance and code patterns.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is fairly efficient with good use of code examples and bullet points, but some sections explain things Claude already knows (e.g., 'never store plaintext' passwords, basic SQL injection concepts). The BAD/GOOD pattern adds value but also adds length. Some sections like 'Dependency Security', 'Logging and PII', and 'File Uploads' are too terse to be useful yet still consume tokens. | 2 / 3 |
| Actionability | Nearly every section includes fully executable, copy-paste-ready Java code examples with concrete annotations, configurations, and patterns. The BAD/GOOD comparisons make the correct approach unambiguous. Code covers filters, controllers, DTOs, beans, YAML config, and CORS setup — all directly usable. | 3 / 3 |
| Workflow Clarity | The checklist at the end provides a good release verification workflow, and the 'When to Activate' section is clear. However, there's no sequenced multi-step workflow for implementing security (e.g., order of configuring SecurityFilterChain, adding filters, testing). The checklist lacks validation steps or feedback loops — it's a static list without 'if X fails, do Y' guidance. | 2 / 3 |
| Progressive Disclosure | The content is well-organized with clear section headers, but it's a monolithic document (~200 lines) with no references to external files for deeper topics. Sections like Rate Limiting, CORS, and Authentication could benefit from linking to detailed guides. For a skill this broad, some content should be split out. | 2 / 3 |
| Total | | 9 / 12 (Passed) |
Validation: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.