Use when you need to apply Java secure coding best practices — including validating untrusted inputs, defending against injection attacks with parameterized queries, minimizing attack surface via least privilege, applying strong cryptographic algorithms, handling exceptions securely without exposing sensitive data, managing secrets at runtime, avoiding unsafe deserialization, and encoding output to prevent XSS. Part of the skills-for-java project
77
Quality: 71%. Does it follow best practices?
Impact: Pending. No eval scenarios have been run.
Passed: No known issues.

Quality

Discovery
Score: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its scope as Java secure coding best practices, lists numerous specific concrete actions, and includes an explicit 'Use when' trigger clause. The trigger terms are natural and comprehensive, covering the major areas of application security that a developer would reference. The only minor weakness is the trailing 'Part of the skills-for-java project' which adds no selection value, but overall this is a well-crafted description.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description lists multiple specific concrete actions: validating untrusted inputs, defending against injection attacks with parameterized queries, minimizing attack surface via least privilege, applying strong cryptographic algorithms, handling exceptions securely, managing secrets at runtime, avoiding unsafe deserialization, and encoding output to prevent XSS. | 3 / 3 |
| Completeness | The description explicitly answers both 'what' (a comprehensive list of secure coding practices) and 'when' ('Use when you need to apply Java secure coding best practices') with a clear trigger clause at the beginning. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms a user would use: 'secure coding', 'injection attacks', 'parameterized queries', 'least privilege', 'cryptographic', 'XSS', 'deserialization', 'secrets', 'untrusted inputs'. These are terms developers naturally use when discussing Java security concerns. | 3 / 3 |
| Distinctiveness / Conflict Risk | The description is clearly scoped to Java secure coding best practices with very specific security-related triggers (injection, XSS, deserialization, cryptography, secrets management). It is unlikely to conflict with general Java coding skills or non-security skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
Score: 42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill has good structure and progressive disclosure, with a clear reference to detailed content. However, it is critically lacking in actionability — it contains zero code examples (good or bad patterns) and relies entirely on the reference file for any concrete guidance. The overview reads more like a topic list than an actionable skill, and while the compile/verify workflow is useful, the core secure coding workflow is underspecified.
Suggestions
Add at least 2-3 inline code examples showing good vs. bad patterns for the most critical areas (e.g., PreparedStatement vs string concatenation for SQL injection, BCrypt usage for password hashing) so the skill is actionable without requiring the reference file.
Define a concrete workflow for applying secure coding improvements: e.g., 1) compile, 2) scan for specific vulnerability patterns, 3) apply fixes per category, 4) validate each fix compiles, 5) run full verify.
Remove or condense the 'What is covered' bullet list — it's descriptive rather than instructive. Replace with a quick-reference table of pattern → fix that Claude can act on directly.
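The PreparedStatement versus string-concatenation contrast that the first suggestion asks for, written out here as an added illustration that is not part of the skill or of the skills-for-java project. It assumes an H2 in-memory JDBC driver on the classpath; the jdbc:h2:mem:demo URL, the users table and the O'Brien input are constructed for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/** Added example (not part of the skill): parameterized query vs. string concatenation. */
public final class UserLookup {

    // BAD: untrusted input is spliced into the SQL text, so any quote character
    // in it becomes part of the statement's syntax. This is the SQL injection pattern.
    static String unsafeQueryText(String username) {
        return "SELECT id FROM users WHERE username = '" + username + "'";
    }

    // Kept only to show the pattern to avoid.
    static Integer findUserUnsafe(Connection conn, String username) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(unsafeQueryText(username))) {
            return rs.next() ? rs.getInt("id") : null;
        }
    }

    // GOOD: the SQL text is fixed at compile time; the value is bound as a parameter
    // and cannot change the statement's structure, whatever characters it contains.
    static Integer findUserSafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT id FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt("id") : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: H2 in-memory database available (constructed demo data below).
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE users (id INT PRIMARY KEY, username VARCHAR(64))");
                st.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'O''Brien')");
            }
            String name = "O'Brien"; // constructed input that legitimately contains a quote
            System.out.println("safe lookup:   " + findUserSafe(conn, name));
            try {
                System.out.println("unsafe lookup: " + findUserUnsafe(conn, name));
            } catch (SQLException e) {
                // The quote altered the statement: the same mechanism injection relies on.
                System.out.println("unsafe lookup: SQL error for input " + name);
            }
        }
    }
}
```

The safe variant returns the O'Brien row; the unsafe variant fails with a SQL error because the embedded quote changed the statement. A reviewer scanning a code base for the concatenation pattern in unsafeQueryText can treat every such occurrence as a finding to migrate to the PreparedStatement form.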
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The bullet list of covered topics is somewhat verbose and reads like a table of contents rather than actionable content. The introductory sentence and 'What is covered' section explain scope that could be more tightly integrated. However, it's not egregiously padded. | 2 / 3 |
| Actionability | There are no concrete code examples, no executable commands beyond compile/verify, and no specific patterns shown. The skill describes what topics are covered but delegates all actual guidance to the reference file. Claude would not know exactly what to do from this content alone. | 1 / 3 |
| Workflow Clarity | The constraints section provides a clear compile-before/verify-after sequence, which is good. However, the actual secure coding workflow (how to identify issues, apply fixes, validate security improvements) is absent; it just says 'read the reference.' The validation steps for compilation are present, but the overall process lacks explicit checkpoints for the security review itself. | 2 / 3 |
| Progressive Disclosure | The skill provides a clear overview with a well-signaled single-level reference to the detailed guidance file. The structure is clean: overview → constraints → when to use → reference link. This is appropriate progressive disclosure. | 3 / 3 |
| Total | | 8 / 12 Passed |
Validation
Score: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
9ec21dd