Use when you need to apply Java secure coding best practices — including validating untrusted inputs, defending against injection attacks with parameterized queries, minimizing attack surface via least privilege, applying strong cryptographic algorithms, handling exceptions securely without exposing sensitive data, managing secrets at runtime, avoiding unsafe deserialization, and encoding output to prevent XSS. Part of the skills-for-java project.
64
55%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl:
npx tessl skill review --optimize ./skills/124-java-secure-coding/SKILL.md

Quality

Discovery
67%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description excels at listing specific security capabilities and techniques, making it clear what the skill covers. However, the trigger terms lean heavily toward technical jargon rather than natural user language, and the 'when' guidance could be more explicit about user scenarios (e.g., 'when reviewing Java code for vulnerabilities' or 'when asked about secure coding in Java').
Suggestions
Add more natural trigger phrases users might say, such as 'security review', 'check for vulnerabilities', 'make my Java code secure', or 'security audit'
Strengthen the 'Use when' clause with explicit user scenarios like 'Use when reviewing Java code for security issues, implementing authentication/authorization, or when the user asks about secure coding practices in Java'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: validating untrusted inputs, defending against injection attacks with parameterized queries, applying strong cryptographic algorithms, handling exceptions securely, managing secrets, avoiding unsafe deserialization, and encoding output to prevent XSS. | 3 / 3 |
| Completeness | Has a 'Use when' clause, but it is positioned at the start and only says 'need to apply Java secure coding best practices', which is somewhat vague. The 'what' is well covered with specific techniques, but the 'when' trigger guidance lacks explicit user-facing scenarios. | 2 / 3 |
| Trigger Term Quality | Contains good technical terms like 'injection attacks', 'XSS', 'parameterized queries', 'cryptographic', 'deserialization', but these are more developer jargon than natural user phrases. Missing simpler variations like 'security review', 'secure my code', 'vulnerability check'. | 2 / 3 |
| Distinctiveness / Conflict Risk | Clearly scoped to Java security specifically, with distinct triggers like 'Java secure coding', 'injection attacks', 'XSS', 'deserialization'. The combination of Java + security + specific vulnerability types creates a clear niche unlikely to conflict with general coding or other language skills. | 3 / 3 |
| Total | | 10 / 12 (Passed) |
Implementation
42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill serves primarily as a table of contents pointing to a reference file rather than providing actionable guidance itself. While it has good structure and appropriate progressive disclosure, it lacks any concrete code examples or executable patterns, forcing complete reliance on the external reference. The compilation/verification workflow is a strength, but the core secure coding guidance is too abstract.
Suggestions
Add at least 2-3 concrete code examples directly in the skill (e.g., a PreparedStatement example for SQL injection prevention, a BCrypt password hashing snippet) to make the skill actionable without requiring reference lookup
Include a feedback loop in the workflow for what to do if verification fails after applying changes (e.g., 'If verify fails: review error, revert problematic change, re-verify')
Replace the verbose 'What is covered' bullet list with a more concise summary table or reduce each item to essential keywords only
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is reasonably efficient but includes some unnecessary explanation in the 'What is covered' section that could be more terse. The bullet list format is good, but some items are verbose (e.g., 'load credentials from environment variables or secret managers — never hardcoded'). | 2 / 3 |
| Actionability | The skill provides no concrete code examples, no commands beyond compile/verify, and no executable guidance. It describes what secure coding covers but delegates all actual implementation details to a reference file, leaving Claude with vague direction like 'Apply recommendations based on applicable examples.' | 1 / 3 |
| Workflow Clarity | The constraints section provides a clear sequence (compile -> apply changes -> verify) with an explicit validation checkpoint, but lacks feedback loops for what to do if verification fails after changes. The workflow for actually applying secure coding patterns is absent. | 2 / 3 |
| Progressive Disclosure | The skill appropriately structures content as an overview with a single, clearly signaled reference to detailed guidance. The reference is one level deep and well organized, with clear navigation to the detailed examples file. | 3 / 3 |
| Total | | 8 / 12 (Passed) |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.