Csrf Protection Validator - Auto-activating skill for Security Fundamentals. Triggers on: csrf protection validator, csrf protection validator Part of the Security Fundamentals skill category.
Quality: 3% (Does it follow best practices?)
Impact: 95% (0.96x average score across 3 eval scenarios)
Passed: No known issues

Quality

Discovery: 7%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is severely lacking in substance - it reads more like a category label than a functional skill description. It provides no concrete actions, no natural trigger terms users would say, and no guidance on when Claude should select this skill. The repeated trigger term and boilerplate structure suggest auto-generated content without meaningful customization.
Suggestions
Add specific actions the skill performs, e.g., 'Validates CSRF token implementation, checks form protection, analyzes request headers for anti-forgery tokens'
Include a 'Use when...' clause with natural trigger terms like 'Use when reviewing form security, checking for cross-site request forgery vulnerabilities, or validating token-based protection'
Add common user phrasings and variations: 'CSRF', 'cross-site request forgery', 'form tokens', 'anti-forgery', 'request validation'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description contains no concrete actions - only the name 'Csrf Protection Validator' and meta-information about it being 'auto-activating' and part of a category. No actual capabilities like 'validates tokens', 'checks headers', or 'analyzes forms' are mentioned. | 1 / 3 |
| Completeness | The description fails to answer 'what does this do' (no actions described) and 'when should Claude use it' (no 'Use when...' clause or equivalent guidance). It only provides category metadata. | 1 / 3 |
| Trigger Term Quality | The only trigger terms listed are 'csrf protection validator' repeated twice, which is technical jargon users are unlikely to say naturally. Missing common variations like 'cross-site request forgery', 'form tokens', 'security tokens', or 'CSRF attack'. | 1 / 3 |
| Distinctiveness / Conflict Risk | While 'CSRF' is a specific security domain, the lack of concrete actions means it could overlap with other security-related skills. The term 'Security Fundamentals' is generic and doesn't help distinguish this from other security skills. | 2 / 3 |
| Total | | 5 / 12 Passed |
Implementation: 0%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill content is essentially a placeholder template with no actual CSRF protection validation guidance. It contains only generic meta-descriptions of what a skill should do without any concrete implementation details, code examples, or actionable instructions. The content fails to teach Claude anything about CSRF protection validation.
Suggestions
Add concrete code examples showing how to validate CSRF tokens in common frameworks (e.g., Django, Express, Rails)
Include a clear workflow: 1) Identify form endpoints, 2) Check for token presence, 3) Validate token implementation, 4) Test bypass scenarios
Provide specific validation checks such as token entropy requirements, same-site cookie settings, and referer header validation
Remove all generic boilerplate text and replace with actionable CSRF-specific guidance
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is padded with generic boilerplate that explains nothing specific about CSRF protection. Phrases like 'provides automated assistance' and 'follows industry best practices' are filler that Claude already understands. | 1 / 3 |
| Actionability | No concrete code, commands, or specific guidance on how to actually validate CSRF protection. The content describes what the skill does abstractly but provides zero executable instructions or examples. | 1 / 3 |
| Workflow Clarity | No workflow is defined. There are no steps, no validation checkpoints, and no actual process for CSRF protection validation. The 'step-by-step guidance' mentioned is never actually provided. | 1 / 3 |
| Progressive Disclosure | The content is a monolithic block of generic text with no structure pointing to detailed materials. No references to implementation guides, examples, or related documentation are provided. | 1 / 3 |
| Total | | 4 / 12 Passed |
Validation: 81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |