Django security best practices, authentication, authorization, CSRF protection, SQL injection prevention, XSS prevention, and secure deployment configuration.
Score: 81
Quality: 62% (Does it follow best practices?)
Impact: 95% (1.17x average score across 6 eval scenarios)
Passed: No known issues
Quality
Discovery
82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description does well at listing specific Django security capabilities with strong, natural trigger terms that developers would use. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill over others. The description is concise and domain-specific, making it distinctive.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about Django security, protecting against web vulnerabilities, or configuring secure Django deployments.'
Consider adding English equivalents or file/setting references (e.g., 'settings.py security configuration', 'Django middleware security') to broaden trigger term coverage for bilingual contexts.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions/topics: authentication, authorization, CSRF protection, SQL injection prevention, XSS prevention, and secure deployment configuration. These are clearly defined security domains. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' by listing specific security practices, but lacks an explicit 'Use when...' clause or equivalent trigger guidance explaining when Claude should select this skill. Per rubric guidelines, missing 'Use when' caps completeness at 2. | 2 / 3 |
| Trigger Term Quality | Contains strong natural keywords users would use: 'Django', '安全' (security), 'CSRF', 'SQL 注入' (SQL injection), 'XSS', '认证' (authentication), '授权' (authorization), '部署' (deployment). These are terms developers naturally use when seeking Django security help. | 3 / 3 |
| Distinctiveness / Conflict Risk | The combination of 'Django' + security-specific topics (CSRF, SQL injection, XSS, authentication, authorization, secure deployment) creates a clear niche that is unlikely to conflict with general Django development skills or generic security skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill is highly actionable with excellent, executable code examples and clear good/bad pattern contrasts for Django security. However, it is excessively verbose and monolithic — cramming ~400 lines of content covering 10+ security topics into a single file without any progressive disclosure or external references. It also lacks a coherent workflow with validation checkpoints (e.g., `manage.py check --deploy`) that would be critical for a security deployment skill.
Suggestions
Split the monolithic content into separate files (e.g., AUTHENTICATION.md, SQL_INJECTION.md, XSS.md, DEPLOYMENT.md) and make SKILL.md a concise overview with links to each topic.
Remove explanations of concepts Claude already knows (e.g., what CSRF is, how Django ORM works, what permissions are) and keep only the specific configuration values and code patterns.
Add a deployment validation workflow with explicit steps like running `python manage.py check --deploy` and verifying security headers with curl commands.
Remove the verbose AJAX CSRF cookie-fetching boilerplate and the 'When to enable' section to reduce token usage significantly.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at ~400+ lines. Explains many concepts Claude already knows (what CSRF is, how Django ORM escapes parameters, what permissions are). Includes boilerplate code like the full AJAX cookie-fetching function and basic model definitions that add little unique value. The 'When to enable' section and closing motivational sentence are unnecessary padding. | 1 / 3 |
| Actionability | The skill provides fully executable, copy-paste ready code examples throughout: production settings, custom user models, permission classes, file validators, middleware, DRF throttle configs, and logging setup. Good/bad patterns are clearly contrasted with comments marking VULNERABLE vs Safe code. | 3 / 3 |
| Workflow Clarity | The checklist at the end provides a useful summary, and individual sections are well-organized. However, there's no sequenced workflow for implementing security (e.g., 'do this first, then validate, then deploy'). For a security skill involving production deployment, there are no validation/verification steps like running `python manage.py check --deploy` or testing configurations. | 2 / 3 |
| Progressive Disclosure | This is a monolithic wall of text with no references to external files. All content (production settings, authentication, authorization, SQL injection, XSS, CSRF, file uploads, API security, CSP, environment variables, and logging) is crammed into a single file. Much of this should be split into separate reference files with the SKILL.md serving as an overview. | 1 / 3 |
| Total | | 7 / 12 Passed |
Validation
81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (594 lines); consider splitting into references/ and linking | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |
841beea