Spring Security best practices for authentication/authorization, validation, CSRF, keys, headers, rate limiting and dependency security in Java Spring Boot services.
Install with Tessl CLI
npx tessl i github:affaan-m/everything-claude-code --skill springboot-security71
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skill
Discovery: 47%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description effectively lists relevant security domains within Spring Boot/Spring Security context and uses good technical keywords that developers would naturally search for. However, it lacks concrete action verbs (what the skill actually does) and completely omits trigger guidance (when to use it), which significantly limits Claude's ability to select this skill appropriately.
Suggestions
Add a 'Use when...' clause specifying triggers like 'Use when implementing security in Spring Boot applications, configuring authentication flows, or reviewing Spring Security configurations'
Replace 'best practices' with concrete actions such as 'Configure authentication/authorization, implement CSRF protection, set up rate limiting, audit dependency vulnerabilities'
Add file type triggers if applicable, such as 'when working with SecurityConfig.java, application.yml security settings, or pom.xml security dependencies'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (Java Spring Boot, Spring Security) and lists several security areas (authentication/authorization, validation, CSRF, keys, headers, rate limiting, dependency security), but describes them as 'best practices' rather than concrete actions like 'configure', 'implement', or 'audit'. | 2 / 3 |
| Completeness | Describes what the skill covers (Spring Security best practices across various areas) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. | 1 / 3 |
| Trigger Term Quality | Contains strong natural keywords users would say: 'Spring Security', 'Spring Boot', 'authentication', 'authorization', 'CSRF', 'rate limiting', 'validation'. These are terms developers naturally use when seeking security guidance. | 3 / 3 |
| Distinctiveness / Conflict Risk | The combination of 'Spring Security' with specific security topics (CSRF, rate limiting, etc.) provides some distinctiveness, but could overlap with general Java security skills or broader web security skills without clearer boundaries. | 2 / 3 |
| Total | | 8 / 12 Passed |
Implementation: 79%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable Spring Security reference skill with excellent conciseness and executable code examples. The main weaknesses are the lack of explicit workflow sequencing for implementing security measures and missing progressive disclosure to external references for advanced topics. The checklist is valuable but would benefit from being integrated into a clearer implementation workflow.
Suggestions
Add a brief implementation workflow section that sequences when to apply each security measure (e.g., 'Start with authentication -> add authorization -> configure headers -> add rate limiting')
Include validation commands or test approaches to verify each security configuration is working correctly (e.g., how to test JWT validation, how to verify CSRF is properly configured)
Consider linking to separate reference files for complex topics like custom validators, Bucket4j setup, or vault integration patterns
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is lean and efficient, presenting security practices as concise bullet points with minimal explanation. It assumes Claude understands Spring Security concepts and doesn't waste tokens explaining what JWT, CSRF, or SQL injection are. | 3 / 3 |
| Actionability | Provides fully executable Java code examples for JWT authentication, CSRF configuration, and security headers. The code is copy-paste ready with proper imports implied and realistic implementation patterns. | 3 / 3 |
| Workflow Clarity | The checklist at the end provides good validation steps, but the document lacks explicit sequencing for multi-step security implementation. There's no clear workflow for how to apply these practices in order or feedback loops for verifying security configurations work correctly. | 2 / 3 |
| Progressive Disclosure | Content is well-organized into clear sections with headers, but it's a monolithic document with no references to external files for deeper topics like custom validators, Bucket4j configuration, or vault integration that could benefit from separate detailed guides. | 2 / 3 |
| Total | | 10 / 12 Passed |
Validation: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.