
csrf-protection-validator

Csrf Protection Validator - Auto-activating skill for Security Fundamentals. Triggers on: csrf protection validator, csrf protection validator Part of the Security Fundamentals skill category.


Quality: 0% (Does it follow best practices?)

Impact: 95% (0.96x, average score across 3 eval scenarios)

Security (by Snyk): Passed, no known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./planned-skills/generated/03-security-fundamentals/csrf-protection-validator/SKILL.md

Quality

Discovery

0%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This description is essentially a placeholder that repeats the skill name and category without providing any meaningful information about what the skill does or when it should be used. It lacks concrete actions, natural trigger terms, explicit usage guidance, and distinctive characteristics that would help Claude select it appropriately from a pool of skills.

Suggestions

Add specific concrete actions the skill performs, e.g., 'Validates CSRF token implementation in web forms, checks for missing anti-CSRF headers, and verifies token rotation policies.'

Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about CSRF protection, cross-site request forgery, form security tokens, anti-CSRF measures, or web application security audits.'

Remove the duplicate trigger term ('csrf protection validator' is listed twice) and expand with natural variations users might use, such as 'CSRF token', 'cross-site request forgery', 'form tampering protection'.

Dimension (score): reasoning

Specificity (1 / 3): The description provides no concrete actions. It says 'Csrf Protection Validator' and 'Auto-activating skill for Security Fundamentals' but never describes what it actually does: no verbs like 'validates', 'checks', 'scans', or any specific capabilities.

Completeness (1 / 3): Neither 'what does this do' nor 'when should Claude use it' is meaningfully answered. There is no 'Use when...' clause, and the description only states the skill name and category without explaining functionality or trigger conditions.

Trigger Term Quality (1 / 3): The trigger terms are just 'csrf protection validator' repeated twice. Users are unlikely to say this exact phrase; they would more naturally say things like 'CSRF token', 'cross-site request forgery', 'form security', 'anti-CSRF', or 'protect against CSRF attacks'.

Distinctiveness / Conflict Risk (1 / 3): The description is so vague that it could overlap with any security-related skill. 'Security Fundamentals' is a broad category, and without specific actions or clear scope, it would be difficult to distinguish from other security skills.

Total: 4 / 12

Passed

Implementation

0%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill is an empty template with no actual content about CSRF protection validation. It contains only generic boilerplate phrases that could apply to any skill topic, with no concrete code, commands, validation steps, or domain-specific knowledge. It provides zero value to Claude beyond what the skill name alone conveys.

Suggestions

Add concrete, executable code examples showing CSRF token generation, embedding in forms/headers, and server-side validation (e.g., Python/Django, Node/Express, or framework-agnostic patterns).

Define a clear workflow: 1) Check for CSRF token presence, 2) Validate token against session, 3) Handle mismatches with specific error responses, 4) Verify SameSite cookie attributes.

Include specific validation checks such as verifying Origin/Referer headers, double-submit cookie patterns, and synchronizer token patterns with code examples for each.

Remove all generic boilerplate ('Provides step-by-step guidance', 'Follows industry best practices') and replace with actual OWASP-aligned CSRF prevention cheat sheet content.
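The four-step workflow and the checks the suggestions above describe (token presence, session comparison, specific mismatch responses, Origin/Referer check, SameSite cookie), as an added framework-agnostic Python example. This is not the skill's own code; the plain-dict request shape, ALLOWED_ORIGIN and the function names are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed site origin (constructed for this example).
ALLOWED_ORIGIN = "https://app.example.com"
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

def issue_token(session: dict) -> str:
    """Synchronizer token pattern: mint a random token and keep a copy in the session."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def _same_origin(url: str) -> bool:
    """True when the URL's scheme://host[:port] equals the site origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" == ALLOWED_ORIGIN

def validate_csrf(request: dict, session: dict) -> tuple:
    """Return (ok, reason); the reason is specific so the handler can log or respond to it."""
    if request["method"] in SAFE_METHODS:
        return True, "safe method"
    headers = request.get("headers", {})
    # 1) Token presence: accept a form field or a request header.
    submitted = request.get("form", {}).get("csrf_token") or headers.get("X-CSRF-Token")
    if not submitted:
        return False, "missing token"
    # 2) Compare against the session copy in constant time.
    expected = session.get("csrf_token")
    if not expected or not hmac.compare_digest(submitted, expected):
        return False, "token mismatch"
    # 3) Origin/Referer check as defence in depth; Origin takes precedence.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "missing origin"
    if not _same_origin(source):
        return False, "bad origin"
    return True, "ok"

def session_cookie_header(value: str) -> str:
    """4) Session cookie with SameSite so cross-site POSTs are sent without it."""
    return f"session={value}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Rejecting a state-changing request when both Origin and Referer are absent is a policy choice; some deployments log and allow it instead.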

Dimension (score): reasoning

Conciseness (1 / 3): The content is entirely filler and boilerplate. It explains nothing Claude doesn't already know, provides no actual CSRF-specific information, and pads the file with generic placeholder text like 'Provides step-by-step guidance' without any actual guidance.

Actionability (1 / 3): There is zero concrete, executable guidance. No code examples, no specific commands, no validation logic, no CSRF token implementation patterns, just vague descriptions like 'Generates production-ready code and configurations' without actually doing so.

Workflow Clarity (1 / 3): No workflow is defined at all. For a CSRF protection validator, there should be clear steps for checking token presence, validating tokens, handling failures, etc. None of this exists.

Progressive Disclosure (1 / 3): The content is a monolithic block of generic text with no references to supporting files, no structured navigation, and no bundle files to support it. There is nothing to progressively disclose because there is no substantive content.

Total: 4 / 12

Passed

Validation

81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 passed

Validation for skill structure

Criteria (result): description

allowed_tools_field (Warning): 'allowed-tools' contains unusual tool name(s)

frontmatter_unknown_keys (Warning): Unknown frontmatter key(s) found; consider removing or moving to metadata

Total: 9 / 11

Passed

Repository: jeremylongshore/claude-code-plugins-plus-skills (Reviewed)
