Spring Security best practices for authentication/authorization, validation, CSRF, secrets, headers, rate limiting and dependency security in Java Spring Boot services.
82
56%
Does it follow best practices?
Impact
100%
1.08x
Average score across 6 eval scenarios
Passed
No known issues
Optimize this skill with Tessl:
npx tessl skill review --optimize ./docs/zh-CN/skills/springboot-security/SKILL.md
Quality
Discovery
47%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description effectively identifies its domain (Spring Security in Java Spring Boot) and lists relevant security topics with good trigger terms. However, it lacks concrete action verbs describing what the skill actually does (e.g., 'reviews code for', 'configures', 'generates') and critically omits any 'Use when...' guidance, making it harder for Claude to know when to select this skill over others.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about securing a Spring Boot application, configuring Spring Security, or reviewing Java code for security vulnerabilities.'
Replace the generic 'best practices' framing with concrete actions, e.g., 'Reviews and configures authentication/authorization, validates input, prevents CSRF attacks, manages secrets, sets security headers, implements rate limiting, and audits dependencies for vulnerabilities.'
Consider adding file type or context triggers such as 'SecurityConfig.java', 'pom.xml dependencies', or 'Spring Security filter chain' to improve distinctiveness.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain (Java Spring Boot / Spring Security) and lists several security areas (authentication/authorization, validation, CSRF, secrets, headers, rate limiting, dependency security), but these are topic areas rather than concrete actions. It says 'best practices' but doesn't specify what actions are performed (e.g., 'configure', 'audit', 'generate'). | 2 / 3 |
| Completeness | The description answers 'what' (Spring Security best practices across several areas) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per the rubric, a missing 'Use when...' clause caps completeness at 2, and the 'what' itself is also somewhat weak (topic listing rather than concrete actions), bringing it to 1. | 1 / 3 |
| Trigger Term Quality | Contains strong natural trigger terms that users would actually say: 'Spring Security', 'Spring Boot', 'authentication', 'authorization', 'CSRF', 'rate limiting', 'dependency security', 'validation', 'headers', 'secrets'. These cover a good range of terms a developer would use when seeking security guidance. | 3 / 3 |
| Distinctiveness / Conflict Risk | The focus on Spring Security specifically is fairly distinctive, but the broad scope covering authentication, validation, headers, rate limiting, and dependency security could overlap with general security skills, Java development skills, or web security skills. The Spring Boot/Spring Security framing helps but isn't fully disambiguating. | 2 / 3 |
| Total | | 8 / 12 Passed |
Implementation
64%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable Spring Security reference with excellent concrete code examples covering a wide range of security concerns. Its main weaknesses are its monolithic length (could benefit from progressive disclosure into sub-files) and the lack of explicit verification/testing steps within workflows. Some minor verbosity exists in explanatory bullets that state security truisms Claude already knows.
Suggestions
Split detailed code examples for individual topics (JWT auth, CORS, rate limiting, etc.) into separate referenced files, keeping SKILL.md as a concise overview with links.
Add verification steps within key sections, e.g., 'Test JWT filter by sending a request without a token and confirming 401 response' or 'Verify CORS by checking browser preflight responses'.
Remove obvious security advice Claude already knows (e.g., 'never store plaintext passwords', 'never concatenate strings in SQL') and focus on the Spring-specific implementation patterns.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is fairly comprehensive but includes some unnecessary explanatory text (e.g., the 'When to activate' section restates obvious triggers, and some bullet points explain concepts Claude already knows, like 'never store plaintext passwords'). The code examples are well-chosen, but the overall document is lengthy (~200 lines) and could be tightened by removing obvious advice. | 2 / 3 |
| Actionability | Excellent actionability with fully executable Java code examples for JWT filters, authorization controllers, input validation DTOs, SQL injection prevention, password encoding, CSRF config, CORS config, rate limiting, and security headers. Each section provides concrete, copy-paste-ready code with clear BAD/GOOD comparisons where appropriate. | 3 / 3 |
| Workflow Clarity | The skill presents individual security concerns clearly but lacks a cohesive workflow sequence for implementing security holistically. The 'Release Checklist' at the end is a good validation step, but there are no explicit feedback loops or verification steps within individual sections (e.g., how to test that JWT auth works, how to verify CORS is correctly configured). For a security review skill involving potentially destructive configuration changes, this is a gap. | 2 / 3 |
| Progressive Disclosure | The content is well-organized with clear section headers, but it's a monolithic document covering 12+ security topics in a single file. Topics like rate limiting, CORS configuration, and dependency security could be split into referenced files. No bundle files are provided, and no references to external detailed guides exist, making this a long single-file skill. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
841beea