Django security best practices, authentication, authorization, CSRF protection, SQL injection prevention, XSS prevention, and secure deployment configuration.
- 81
- 62%: Does it follow best practices?
- Impact: 95% (1.17x average score across 6 eval scenarios)
- Passed, no known issues

Quality

Discovery: 82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description effectively lists specific Django security capabilities with strong, natural trigger terms that developers would use. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill. The Chinese language is consistent throughout and the topics are well-scoped.
Suggestions
- Add an explicit 'Use when...' clause, e.g., 'Use this skill when the user asks about Django security configuration, vulnerability protection, or implementing authentication and authorization', to improve completeness.
- Consider adding common variations or English equivalents of key terms (e.g., 'security best practices', 'CSRF protection') to broaden trigger term coverage for bilingual users.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions/topics: authentication, authorization, CSRF protection, SQL injection prevention, XSS prevention, and secure deployment configuration. These are clearly defined security domains. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' by listing specific security practices, but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this dimension at 2 per the rubric. | 2 / 3 |
| Trigger Term Quality | Contains strong natural keywords users would use: 'Django', '安全' (security), 'CSRF', 'SQL 注入' (SQL injection), 'XSS', '认证' (authentication), '授权' (authorization), '部署' (deployment). These are terms developers naturally use when seeking Django security help. | 3 / 3 |
| Distinctiveness / Conflict Risk | The combination of 'Django' with specific security topics (CSRF, SQL injection, XSS, authentication, authorization, secure deployment) creates a clear niche that is unlikely to conflict with general Django skills or generic security skills. | 3 / 3 |
| Total | | 11 / 12 (Passed) |
Implementation: 42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides comprehensive, executable Django security code examples covering many important topics, which is its primary strength. However, it is excessively verbose and monolithic — it reads more like a full tutorial or documentation page than a concise skill file. It lacks workflow sequencing, validation checkpoints (like `manage.py check --deploy`), and any progressive disclosure to separate files for the many distinct subtopics covered.
Suggestions
- Split into a concise SKILL.md overview with a security checklist and quick-start settings, then reference separate files for each topic (e.g., AUTH.md, XSS.md, CSRF.md, API_SECURITY.md).
- Remove explanations of concepts Claude already knows (e.g., what CSRF is, what XSS is, how Django ORM works) and focus only on project-specific patterns and non-obvious configurations.
- Add a concrete workflow with validation steps, such as running `python manage.py check --deploy` after configuration and verifying security headers with a curl command.
- Trim boilerplate code that is readily available in Django docs (e.g., the full AJAX CSRF cookie function, verbose password validator list) and replace with concise references or one-liners.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~400+ lines, covering many topics Django developers and Claude already know well. It explains basic concepts like what custom user models are, includes boilerplate code (e.g., full AJAX cookie-fetching function, verbose password validator config), and has unnecessary commentary like 'Security is a process, not a product.' Much of this is standard Django documentation content. | 1 / 3 |
| Actionability | The skill provides fully executable, copy-paste ready code examples throughout: production settings, custom user models, ORM usage patterns, DRF permissions, file validators, middleware classes, and logging configuration. Code is concrete and complete with clear GOOD/BAD annotations. | 3 / 3 |
| Workflow Clarity | The content is organized by security topic with a checklist at the end, but there is no clear workflow sequence for implementing security measures, no validation/verification steps (e.g., running `python manage.py check --deploy`), and no feedback loops for auditing or testing security configurations. | 2 / 3 |
| Progressive Disclosure | This is a monolithic wall of text with no references to external files. All content (production settings, authentication, authorization, SQL injection, XSS, CSRF, file uploads, API security, CSP, environment variables, and logging) is crammed into a single file with no progressive disclosure or navigation to separate detailed guides. | 1 / 3 |
| Total | | 7 / 12 (Passed) |
Validation: 81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 passed

Validation for skill structure

| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (594 lines); consider splitting into references/ and linking | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 (Passed) |