CtrlK
BlogDocsLog inGet started
Tessl Logo

304-frameworks-spring-boot-security

Use when you need to design, review, or improve security in Spring Boot applications — including SecurityFilterChain, OAuth2/JWT resource server patterns, form login basics, method security (@PreAuthorize), CSRF and CORS for APIs, session fixation, security headers, exception handling, password encoding, and sensitive-data-safe logging. This should trigger for requests such as Add Spring Boot security support; Review Spring Boot security configuration; Improve API authorization in Spring Boot; Add JWT resource server security in Spring Boot; Harden Spring Boot security headers and CSRF settings. Part of Plinth Toolkit

75

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

85%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A concise, well-organized overview with an excellent validation-gated workflow and clean one-level-deep reference structure. Its main weakness is actionability: the actual security patterns are deferred entirely to the reference file, leaving the body without executable code examples for the core task.

Suggestions

Add 1–2 short inline examples of the most common patterns (e.g., a minimal SecurityFilterChain bean and an @PreAuthorize annotation) so the core task is actionable without opening the reference.

Pin or contextualize the `metadata.version: 0.17.0` value only if it carries time-sensitive meaning; otherwise it risks the version-number conciseness penalty.

DimensionReasoningScore

Conciseness

The body is lean (under ~50 lines), assumes Claude's competence, and adds no tutorial filler explaining what Spring Security or CSRF is — every section earns its place. Matches the score-3 anchor of lean, efficient content. Not score 2 because there is no unnecessary explanation or padding to tighten.

3 / 3

Actionability

Concrete, executable commands are present ("Run `./mvnw compile`", "Run `./mvnw clean verify`") and a specific reference path is named, but the core security guidance is delegated entirely to the external reference with no inline examples of SecurityFilterChain/@PreAuthorize patterns to act on. Matches the score-2 anchor of some concrete guidance but incomplete; not score 3 because key implementation details are not executable in-place, and not score 1 because real commands and a concrete reference path are given.

2 / 3

Workflow Clarity

A clear 4-step sequence is given (read reference → gather scope → apply changes → verify) with explicit validation checkpoints: "MANDATORY: Run `./mvnw compile`... before applying any change", "SAFETY: If compilation fails, stop immediately", and "VERIFY: Run `./mvnw clean verify`... after applying improvements". This matches the score-3 anchor of a clear sequence with explicit validation and a safety feedback loop. Not score 2 because validation checkpoints and the stop-on-failure loop are explicit.

3 / 3

Progressive Disclosure

SKILL.md is a concise overview that signals a single one-level-deep reference ([references/304-frameworks-spring-boot-security.md](references/304-frameworks-spring-boot-security.md)), and that file exists in the bundle, with the reference named consistently in the Workflow and Reference sections. Matches the score-3 anchor of a clear overview with well-signaled one-level-deep references. Not score 2 because navigation is clear and the reference is real and not deeply nested.

3 / 3

Total

11

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong, specific description that explicitly states both what it does and when to use it, with natural trigger sentences and a well-scoped Spring Boot security niche. Voice is appropriately third-person and it avoids vague fluff; the only minor redundancy is the trigger phrases repeating the same topics already named in the capability list.

DimensionReasoningScore

Specificity

Lists many concrete actions and objects — "design, review, or improve security", "SecurityFilterChain, OAuth2/JWT resource server patterns, form login basics, method security (@PreAuthorize), CSRF and CORS for APIs, session fixation, security headers, exception handling, password encoding, and sensitive-data-safe logging" — matching the score-3 anchor of multiple specific concrete actions. Not score 2 because the enumeration is comprehensive rather than a partial domain mention.

3 / 3

Completeness

It answers both what ("design, review, or improve security in Spring Boot applications — including SecurityFilterChain, OAuth2/JWT...") and when ("Use when you need to..." plus "This should trigger for requests such as...") with explicit triggers, matching the score-3 anchor. Not score 2 because an explicit 'when' clause is present rather than merely implied.

3 / 3

Trigger Term Quality

Explicit natural trigger phrases users would say are given verbatim: "Add Spring Boot security support; Review Spring Boot security configuration; Improve API authorization in Spring Boot; Add JWT resource server security in Spring Boot; Harden Spring Boot security headers and CSRF settings". This matches the score-3 anchor of good coverage of natural terms. Not score 2 because the triggers are varied, natural request sentences rather than sparse keyword coverage.

3 / 3

Distinctiveness Conflict Risk

Scoped tightly to Spring Boot security with distinctive terms (SecurityFilterChain, @PreAuthorize, JWT resource server) that are unlikely to fire for non-Spring or non-security skills, matching the score-3 clear-niche anchor. The "Part of Plinth Toolkit" suffix is harmless provenance. Not score 2 because the niche is concrete and the triggers are domain-specific rather than overlapping with generic skills.

3 / 3

Total

12

/

12

Passed

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation16 / 16 Passed

Validation for skill structure

No warnings or errors.

Repository
jabrena/plinth
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.