csrf-protection-validator
Csrf Protection Validator - Auto-activating skill for Security Fundamentals. Triggers on: csrf protection validator, csrf protection validator Part of the Security Fundamentals skill category.
35
3%
Does it follow best practices?
Impact
95%
0.96xAverage score across 3 eval scenarios
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./planned-skills/generated/03-security-fundamentals/csrf-protection-validator/SKILL.mdQuality
Discovery
7%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is extremely weak across all dimensions. It reads as an auto-generated template that merely restates the skill name without describing any concrete capabilities, use cases, or natural trigger terms. It would be nearly impossible for Claude to reliably select this skill from a pool of alternatives based on this description alone.
Suggestions
Add concrete actions describing what the skill does, e.g., 'Validates CSRF token implementation in web forms, checks for missing anti-CSRF headers, and identifies cross-site request forgery vulnerabilities in web applications.'
Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about CSRF protection, cross-site request forgery, form token validation, anti-CSRF tokens, or web application security against forged requests.'
Remove the duplicated trigger term ('csrf protection validator' listed twice) and replace with diverse natural language variations users would actually use, such as 'CSRF token', 'cross-site request forgery', 'form security', 'anti-CSRF'.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | The description provides no concrete actions. It only names itself ('Csrf Protection Validator') and mentions 'Security Fundamentals' as a category, but never describes what it actually does—no verbs like 'validates', 'checks', 'scans', or any specific capabilities. | 1 / 3 |
Completeness | The description fails to answer 'what does this do' beyond the name itself, and the 'when' clause is essentially just the skill name repeated as a trigger. There is no explicit 'Use when...' guidance or meaningful trigger context. | 1 / 3 |
Trigger Term Quality | The only trigger terms listed are 'csrf protection validator' repeated twice. Users are unlikely to say this exact phrase; they would more naturally say things like 'CSRF token', 'cross-site request forgery', 'form security', 'anti-CSRF', or 'protect against CSRF attacks'. No natural keyword variations are provided. | 1 / 3 |
Distinctiveness Conflict Risk | The mention of 'CSRF' does narrow the domain somewhat compared to a fully generic 'security' skill, but the lack of specificity about what it validates or how it works means it could overlap with other security-related skills covering web vulnerabilities, form protection, or token validation. | 2 / 3 |
Total | 5 / 12 Passed |
Implementation
0%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is entirely a placeholder with no actionable content whatsoever. It contains only generic boilerplate text that could apply to any topic—there is nothing specific to CSRF protection validation. Claude would gain zero useful information from this skill that it doesn't already possess.
Suggestions
Replace the entire body with concrete CSRF protection validation steps: token generation, embedding in forms/headers, server-side validation logic, with executable code examples in at least one framework (e.g., Express.js, Django, or Spring).
Add a clear multi-step workflow with validation checkpoints, e.g.: 1) Check if CSRF middleware is configured, 2) Verify token is included in state-changing requests, 3) Validate token server-side, 4) Handle token mismatch errors.
Include specific code examples showing both vulnerable patterns and their secure counterparts, covering common frameworks and SPA scenarios (e.g., cookie-to-header token pattern).
Remove all generic filler sections (When to Use, Example Triggers, Capabilities) and replace with actionable content like common CSRF bypass patterns to check for and a validation checklist.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The content is padded with generic filler text that provides no actual information about CSRF protection. Phrases like 'Provides step-by-step guidance' and 'Follows industry best practices' are empty claims with no substance. Claude already knows what CSRF is and doesn't need trigger examples. | 1 / 3 |
Actionability | There is zero concrete guidance—no code, no commands, no specific steps, no examples of CSRF token implementation, no validation logic. The entire content describes rather than instructs, offering only vague promises of capability. | 1 / 3 |
Workflow Clarity | No workflow is defined at all. CSRF protection validation is a multi-step process (token generation, embedding, server-side validation) and none of these steps are outlined. No validation checkpoints or error handling are mentioned. | 1 / 3 |
Progressive Disclosure | The content is a flat, monolithic block of generic text with no meaningful structure. Sections like 'Capabilities' and 'Example Triggers' contain no real content. There are no references to detailed materials, examples, or related documentation. | 1 / 3 |
Total | 4 / 12 Passed |
Validation
81%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 9 / 11 Passed | |
- Commit
c8a915c
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.