Spring Security best practices for authentication/authorization, validation, CSRF, secrets, headers, rate limiting and dependency security in Java Spring Boot services.
Score: 82
Quality: 56% (Does it follow best practices?)
Impact: 100% (1.08x average score across 6 eval scenarios; Passed)
No known issues
Optimize this skill with Tessl: `npx tessl skill review --optimize ./docs/zh-CN/skills/springboot-security/SKILL.md`

Quality
Discovery: 47%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description effectively identifies its domain (Spring Security in Java Spring Boot) and lists relevant security topics with good trigger terms. However, it lacks concrete action verbs describing what the skill does and entirely omits a 'Use when...' clause, making it unclear when Claude should select this skill over others. Adding explicit trigger guidance and action-oriented language would significantly improve its effectiveness.
Suggestions
Add a 'Use when...' clause such as 'Use when the user asks about securing a Spring Boot application, configuring Spring Security, handling CSRF protection, or managing authentication/authorization in Java.'
Replace the passive 'best practices' framing with concrete actions, e.g., 'Configures Spring Security for authentication/authorization, implements CSRF protection, manages secrets, sets security headers, and audits dependencies for vulnerabilities.'
Consider narrowing scope or grouping sub-topics to reduce potential overlap with general web security or Java dependency management skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain (Java Spring Boot / Spring Security) and lists several security areas (authentication/authorization, validation, CSRF, secrets, headers, rate limiting, dependency security), but these are topic areas rather than concrete actions. It doesn't specify what actions are performed (e.g., 'configure', 'audit', 'implement'). | 2 / 3 |
| Completeness | The description answers 'what' (Spring Security best practices across several areas) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per the rubric, a missing 'Use when...' clause caps completeness at 2, and since the 'what' is also somewhat vague (best practices rather than concrete actions), this scores a 1. | 1 / 3 |
| Trigger Term Quality | Contains strong natural trigger terms that users would actually say: 'Spring Security', 'Spring Boot', 'CSRF', 'rate limiting', 'authentication', 'authorization', 'validation', 'dependency security'. These cover a good range of terms a developer would use when seeking security guidance. | 3 / 3 |
| Distinctiveness / Conflict Risk | The focus on Spring Security specifically is fairly distinctive, but the broad scope covering authentication, validation, headers, and dependencies could overlap with general Java security skills, web security skills, or dependency management skills. | 2 / 3 |
| Total | | 8 / 12 (Passed) |
Implementation: 64%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable Spring Security reference with excellent executable code examples covering all major security concerns. Its main weaknesses are its monolithic structure (all content inline with no progressive disclosure) and the lack of an explicit workflow sequence or validation feedback loops for applying security measures. The content could be tightened by removing BAD/GOOD comparisons where the good pattern alone suffices.
Suggestions
Split detailed sections (rate limiting, CORS, security headers, file upload) into separate reference files and link from a concise overview in SKILL.md
Add an explicit ordered workflow for security hardening a new Spring Boot service, with validation checkpoints (e.g., 'run integration tests after adding auth filter', 'verify dependency scan passes before merge')
Remove redundant BAD examples where the GOOD pattern alone is sufficient — Claude can infer anti-patterns from the correct approach
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is fairly comprehensive but includes some unnecessary explanations (e.g., 'BAD/GOOD' comparisons that Claude would understand from a single good example). The 'When to activate' section is somewhat redundant given the title and description. However, most content is reasonably dense and the code examples are practical. | 2 / 3 |
| Actionability | Every section provides fully executable, copy-paste-ready Java code examples with proper imports and annotations. The examples cover JWT filters, authorization annotations, Bean Validation DTOs, parameterized queries, password encoding, CSRF config, CORS config, rate limiting, and security headers, all concrete and specific. | 3 / 3 |
| Workflow Clarity | The skill covers many security topics but presents them as independent sections rather than a sequenced workflow. The 'Release Checklist' at the end provides a useful validation checkpoint, but there's no explicit workflow for how to apply these security measures in order, and no feedback loops for verifying that security configurations are correct (e.g., testing auth, running dependency scans and handling failures). | 2 / 3 |
| Progressive Disclosure | The content is a long monolithic document (~200+ lines) with no references to external files. Several sections (rate limiting, CORS, security headers) could be split into separate reference files. The structure uses clear headings, which aids navigation, but for this volume of content a quick-start overview with links to detailed sections would be more appropriate. | 2 / 3 |
| Total | | 9 / 12 (Passed) |
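The hardening-plus-verification loop that the suggestions above ask for ("run integration tests after adding auth filter"), as an added example that is not part of the reviewed skill or of Tessl: a SecurityFilterChain that keeps CSRF enabled for a cookie-session app, sets the hardening headers, denies by default, restricts /admin/** to ADMIN and hashes passwords with the delegating encoder, followed by the MockMvc tests that would serve as the checkpoint before merge. It assumes Spring Boot 3 / Spring Security 6 with spring-security-test and JUnit 5 on the classpath and an existing @SpringBootApplication class in com.example; user names, passwords and paths are placeholders.

```java
// src/main/java/com/example/security/SecurityConfig.java (added example; placeholders throughout)
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // allows @PreAuthorize on controller/service methods as a second layer
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // CSRF stays ON: this chain uses cookie sessions, so a browser would attach
            // credentials to a cross-site POST. Disable it only for pure bearer-token APIs.
            .csrf(Customizer.withDefaults())
            .headers(h -> h
                .frameOptions(f -> f.deny())
                .contentSecurityPolicy(csp -> csp.policyDirectives("default-src 'self'; frame-ancestors 'none'"))
                .httpStrictTransportSecurity(hsts -> hsts.includeSubDomains(true).maxAgeInSeconds(31536000)))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET, "/actuator/health").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())   // deny by default: every other path needs a principal
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // {bcrypt} by default; the {id} prefix lets stored hashes migrate to a stronger algorithm later
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        // Placeholder in-memory users; a real service loads hashes from its user store
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("alice-pw")).roles("USER").build(),
            User.withUsername("root").password(encoder.encode("root-pw")).roles("ADMIN").build());
    }
}

// src/test/java/com/example/security/SecurityConfigTest.java (the validation checkpoint)
package com.example.security;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class SecurityConfigTest {

    @Autowired MockMvc mvc;

    @Test void anonymousIsRejected() throws Exception {
        mvc.perform(get("/api/orders")).andExpect(status().isUnauthorized());
    }

    @Test void plainUserCannotReachAdmin() throws Exception {
        mvc.perform(get("/admin/users").with(httpBasic("alice", "alice-pw")))
           .andExpect(status().isForbidden());
    }

    @Test void postWithoutCsrfTokenIsForbidden() throws Exception {
        // CsrfFilter runs before BasicAuthenticationFilter, so valid credentials do not help here
        mvc.perform(post("/api/orders").with(httpBasic("alice", "alice-pw")))
           .andExpect(status().isForbidden());
    }

    @Test void postWithCsrfTokenPassesTheFilterChain() throws Exception {
        // 404 only because this example maps no controller; the point is "not 401 and not 403"
        mvc.perform(post("/api/orders").with(httpBasic("alice", "alice-pw")).with(csrf()))
           .andExpect(status().isNotFound());
    }

    @Test void hardeningHeadersArePresent() throws Exception {
        mvc.perform(get("/actuator/health"))
           .andExpect(header().string("X-Frame-Options", "DENY"))
           .andExpect(header().string("X-Content-Type-Options", "nosniff"))
           .andExpect(header().exists("Content-Security-Policy"));
    }
}
```

The HSTS header is deliberately not asserted: Spring Security only writes Strict-Transport-Security on requests it considers secure, and MockMvc requests are plain HTTP, so that check belongs in an integration test behind TLS. Wiring the test class into the CI gate (and failing the build on a dependency-scan finding in the same stage) gives the ordered workflow the review finds missing: add the filter chain, run these tests, then merge.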
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation for skill structure: 10 / 11 passed

| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 (Passed) |
928076c