Harden Angular apps against XSS, CSP violations, and unauthorized access. Use when implementing XSS protection, Content Security Policy, or auth guards in Angular. (triggers: DomSanitizer, innerHTML, bypassSecurityTrust, CSP, angular security, route guard)
83
78%
Impact: Pending (no eval scenarios have been run)
Issues: Passed (no known issues)
Optimize this skill with Tessl:
npx tessl skill review --optimize ./skills/angular/angular-security/SKILL.md

Quality

Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that concisely covers specific capabilities, provides explicit 'Use when' guidance, and includes a comprehensive set of trigger terms spanning both conceptual and API-level keywords. It uses proper third-person voice and is clearly distinguishable from both general security skills and general Angular development skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: hardening against XSS, CSP violations, and unauthorized access. Also mentions specific implementations like XSS protection, Content Security Policy, and auth guards. | 3 / 3 |
| Completeness | Clearly answers both 'what' (harden Angular apps against XSS, CSP violations, unauthorized access) and 'when' (explicit 'Use when' clause with specific triggers for XSS protection, CSP, and auth guards, plus a parenthetical list of trigger terms). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms including both high-level concepts ('angular security', 'XSS protection', 'Content Security Policy', 'auth guards') and specific API-level terms ('DomSanitizer', 'innerHTML', 'bypassSecurityTrust', 'CSP', 'route guard') that users would naturally mention. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche: Angular-specific security. The combination of Angular framework + security domain + specific trigger terms like 'DomSanitizer' and 'bypassSecurityTrust' makes it very unlikely to conflict with general security skills or general Angular skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
57%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a solid security checklist for Angular applications with appropriate references to deeper content. Its main weaknesses are the lack of executable code examples (e.g., a route guard implementation, a DomSanitizer usage snippet) and redundancy between the Principles and Anti-Patterns sections. Adding concrete code blocks and consolidating repeated guidance would significantly improve both actionability and conciseness.
Suggestions
Add executable code examples for key patterns: a functional route guard with CanActivateFn, DomSanitizer.sanitize usage, and an HTTP interceptor that sends requests with `withCredentials: true` so the browser attaches the HttpOnly session cookie itself (script cannot read an HttpOnly cookie, so the interceptor must not try to copy the token into a header; if a CSRF token is needed, use Angular's XSRF support, which reads the non-HttpOnly XSRF-TOKEN cookie).
Merge the Anti-Patterns section into the existing Principles/Guidelines sections as inline warnings to eliminate redundancy (bypassSecurityTrust, localStorage, secrets are each stated twice).
Add a validation/audit workflow: e.g., 'Search codebase for bypassSecurityTrust* → verify each call uses only trusted static content → flag any user-input paths as P0 vulnerabilities.'
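The audit workflow suggested above can be mechanised. The following script is an added example, not code from the reviewed skill or from Angular: it scans Angular component source for `bypassSecurityTrust*` calls, extracts each call's argument with balanced-parenthesis tracking, and classifies the call as "review" when the argument is a plain string literal (static, team-authored content) and "P0" when it is anything else (an identifier, a concatenation, or a template literal with `${}` interpolation), which is the conservative proxy for a user-input path. The sample component source, the `Finding` shape and the severity labels are constructed for the demonstration.

```typescript
// Added audit helper (not part of the reviewed skill or of Angular): find
// DomSanitizer.bypassSecurityTrust* calls and classify each by its argument.

export type Severity = "P0" | "review";

export interface Finding {
  line: number;      // 1-based line of the call in the scanned source
  method: string;    // e.g. "bypassSecurityTrustHtml"
  argument: string;  // raw argument text as written in the source
  severity: Severity;
}

const BYPASS_CALL = /bypassSecurityTrust(Html|Style|Script|Url|ResourceUrl)\s*\(/;

// Return the text between the opening "(" at `start` and its matching ")",
// skipping over parentheses that appear inside string or template literals.
function extractArgument(source: string, start: number): string {
  let depth = 1;
  let quote: string | null = null;
  let i = start;
  for (; i < source.length; i++) {
    const ch = source[i];
    if (quote !== null) {
      if (ch === "\\") { i++; continue; }   // skip escaped character
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'" || ch === "`") { quote = ch; continue; }
    if (ch === "(") depth++;
    else if (ch === ")") { depth--; if (depth === 0) break; }
  }
  return source.slice(start, i).trim();
}

// A static literal is a single-quoted or double-quoted string, or a template
// literal with no ${} interpolation. Anything else may carry user input.
export function isStaticLiteral(arg: string): boolean {
  if (/^'([^'\\]|\\.)*'$/.test(arg) || /^"([^"\\]|\\.)*"$/.test(arg)) return true;
  if (/^`[^`]*`$/.test(arg) && arg.indexOf("${") === -1) return true;
  return false;
}

// Scan one source file and return a finding per bypassSecurityTrust* call.
export function auditBypassCalls(source: string): Finding[] {
  const findings: Finding[] = [];
  const re = new RegExp(BYPASS_CALL.source, "g");
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) {
    const argument = extractArgument(source, m.index + m[0].length);
    const line = source.slice(0, m.index).split("\n").length;
    findings.push({
      line,
      method: "bypassSecurityTrust" + m[1],
      argument,
      severity: isStaticLiteral(argument) ? "review" : "P0",
    });
  }
  return findings;
}

// Constructed sample: one acceptable static call and two user-input paths.
export const SAMPLE_SOURCE: string = [
  "import { DomSanitizer } from '@angular/platform-browser';",
  "export class ProfileComponent {",
  "  constructor(private sanitizer: DomSanitizer) {}",
  "  // static markup authored by the team: acceptable, but still record it",
  "  banner = this.sanitizer.bypassSecurityTrustHtml('<b>Welcome</b>');",
  "  // user-controlled input flows straight into the DOM: P0",
  "  bio(raw: string) { return this.sanitizer.bypassSecurityTrustHtml(raw); }",
  "  // URL built from a route parameter: P0",
  "  frame(id: string) { return this.sanitizer.bypassSecurityTrustResourceUrl(`https://example.test/embed/${id}`); }",
  "}",
].join("\n");

// Running the audit over the sample yields three findings: line 5 "review",
// lines 7 and 9 "P0".
export const SAMPLE_FINDINGS: Finding[] = auditBypassCalls(SAMPLE_SOURCE);
```

Treat the "review" bucket as a checklist, not a pass: a string literal is only trustworthy if it is genuinely static, so each such call still deserves a human look. The heuristic is deliberately conservative; a call whose argument is a constant imported from another file is reported as P0 and must be cleared by hand.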
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is mostly efficient but has some redundancy: the Anti-Patterns section largely repeats what was already stated in Principles and Guidelines (e.g., bypassSecurityTrust warnings, localStorage for tokens, secrets in source are all mentioned twice). | 2 / 3 |
| Actionability | Provides specific function names and patterns (DomSanitizer.sanitize, CanActivateFn, inject(Router).createUrlTree) but lacks executable code examples. Inline code snippets like the route guard setup or a sanitization example would make this copy-paste ready rather than requiring Claude to assemble the pieces. | 2 / 3 |
| Workflow Clarity | The skill covers multiple security concerns but presents them as flat lists of principles rather than sequenced workflows. There are no validation checkpoints: for example, no guidance on how to audit bypassSecurityTrust calls or verify CSP headers are correctly configured. | 2 / 3 |
| Progressive Disclosure | The skill is a concise overview with clear references to deeper content (references/security-best-practices.md and common/security-standards). Content is well-organized into logical sections (Principles, Guidelines, Anti-Patterns) with one-level-deep references. | 3 / 3 |
| Total | | 9 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
19a1140