This skill helps to identify Cross-Site Request Forgery (CSRF) vulnerabilities in web applications. It validates the implementation of CSRF protection mechanisms, such as synchronizer tokens, double-submit cookies, SameSite attributes, and origin validation. Use this skill when you need to analyze your application's security posture against CSRF attacks or when asked to "validate csrf", "check for csrf vulnerabilities", or "test csrf protection".
Quality
Discovery
Score: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly identifies its domain (CSRF vulnerability detection), lists specific capabilities (synchronizer tokens, double-submit cookies, SameSite attributes, origin validation), and provides explicit trigger guidance with natural user phrases. The only minor issue is the use of second person ('your application's') which slightly deviates from the preferred third-person voice, but overall the description is well-crafted and highly functional for skill selection.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: identify CSRF vulnerabilities, validate CSRF protection mechanisms, and enumerates specific mechanisms like synchronizer tokens, double-submit cookies, SameSite attributes, and origin validation. | 3 / 3 |
| Completeness | Clearly answers both 'what' (identifies CSRF vulnerabilities, validates CSRF protection mechanisms including specific types) and 'when' (explicit 'Use this skill when...' clause with concrete trigger phrases like 'validate csrf', 'check for csrf vulnerabilities', 'test csrf protection'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'CSRF', 'Cross-Site Request Forgery', 'csrf vulnerabilities', 'csrf protection', 'validate csrf', 'check for csrf vulnerabilities', 'test csrf protection', and 'web applications'. Good coverage of natural trigger terms. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly specific niche focused on CSRF vulnerabilities specifically, with distinct trigger terms that are unlikely to conflict with other security skills (e.g., XSS, SQL injection). The enumeration of specific CSRF mechanisms further narrows the scope. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
Score: 7%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill content is almost entirely descriptive and abstract, providing no actionable guidance for actually detecting CSRF vulnerabilities. It reads like a marketing description of a feature rather than an instruction set for Claude. There are no code examples, no specific checks to perform, no tool commands, and no concrete methodology—just repeated high-level descriptions of what the skill supposedly does.
Suggestions
- Replace the abstract examples with concrete, executable code showing how to check for CSRF tokens in HTML forms, inspect cookie SameSite attributes, or validate Origin/Referer headers (e.g., using Python requests or curl commands).
- Add a specific checklist of what to inspect: form hidden fields, cookie flags, response headers, endpoint HTTP methods, with exact patterns to look for and what constitutes a vulnerability.
- Remove the 'When to Use This Skill', 'Best Practices', and 'Integration' sections entirely; they add no actionable information and waste tokens on concepts Claude already understands.
- Add a concrete report output format (e.g., a JSON schema or markdown template) so Claude knows exactly what to produce when generating a CSRF vulnerability report.
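As an added example (not part of the skill or of Tessl's review), here is the kind of concrete check the suggestions call for: a small Python script that reports non-GET forms lacking a hidden CSRF token, Set-Cookie values with weak SameSite settings, and a fail-closed Origin/Referer allowlist check. The token-name pattern and the allowlist are assumptions, and the HTML and cookies are constructed samples.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Hidden-field names commonly used for synchronizer tokens (assumed, non-exhaustive list).
TOKEN_NAMES = re.compile(r"csrf|xsrf|_token|authenticity_token|requestverificationtoken", re.I)

class _FormScanner(HTMLParser):
    # Records each <form>'s method and whether it carries a hidden token field.
    def __init__(self):
        super().__init__()
        self.forms = []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "method": a.get("method", "get").lower(), "token": False})
        elif tag == "input" and self.forms and a.get("type", "").lower() == "hidden":
            self.forms[-1]["token"] |= bool(TOKEN_NAMES.search(a.get("name", "")))

def forms_missing_token(html):
    # Actions of state-changing (non-GET) forms that have no hidden CSRF token field.
    p = _FormScanner(); p.feed(html)
    return [f["action"] for f in p.forms if f["method"] != "get" and not f["token"]]

def cookie_findings(set_cookie_headers):
    # Flags cookies with no SameSite attribute, or SameSite=None without Secure.
    findings = []
    for h in set_cookie_headers:
        name, *rest = [p.strip() for p in h.split(";")]
        attrs = {p.split("=", 1)[0].lower(): p.split("=", 1)[-1].lower() for p in rest}
        samesite = attrs.get("samesite", "")
        if not samesite:
            findings.append(f"{name.split('=')[0]}: no SameSite attribute (browser default applies)")
        elif samesite == "none" and "secure" not in attrs:
            findings.append(f"{name.split('=')[0]}: SameSite=None without Secure (browsers reject this cookie)")
    return findings

def origin_allowed(headers, allowed_origins):
    # Server-side check: Origin (or the Referer's origin) must be allowlisted; absent headers fail closed.
    origin = headers.get("Origin")
    if origin is None and headers.get("Referer"):
        u = urlparse(headers["Referer"])
        origin = f"{u.scheme}://{u.netloc}"
    return origin is not None and origin in allowed_origins

# Constructed sample input; not captured from any real application.
SAMPLE_HTML = """<form action="/transfer" method="post"><input type="text" name="amount"></form>
<form action="/profile" method="POST"><input type="hidden" name="csrf_token" value="x"></form>
<form action="/search" method="get"><input name="q"></form>"""
SAMPLE_COOKIES = ["sessionid=abc; Path=/; HttpOnly", "theme=dark; SameSite=Lax", "sso=1; SameSite=None"]
```

Feeding a captured response body to `forms_missing_token` and its `Set-Cookie` headers to `cookie_findings` yields the raw material for the checklist and report the suggestions ask for.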
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is verbose and explains concepts Claude already knows (what CSRF is, what SameSite attributes are, what double-submit cookies are). The 'Overview', 'When to Use', and 'Best Practices' sections are padded with generic information that adds no actionable value. The 'Integration' section is pure filler. | 1 / 3 |
| Actionability | There is no concrete code, no specific commands, no executable examples, and no actual methodology for detecting CSRF vulnerabilities. The examples describe what the skill 'will do' in abstract terms rather than providing concrete steps, code snippets, or specific checks to perform. It describes rather than instructs. | 1 / 3 |
| Workflow Clarity | The 'How It Works' section lists three vague steps (analyze, assess, generate report) with no specifics on how to actually perform any of them. There are no validation checkpoints, no concrete sequences, and no feedback loops. The examples repeat the same vague three-step pattern without actionable detail. | 1 / 3 |
| Progressive Disclosure | The content has some structural organization with clear section headers, but it's a monolithic document with no references to supporting files. Given there are no bundle files, this is somewhat acceptable, but the content that is present is poorly organized: repetitive sections (Overview, How It Works, When to Use, Examples all say roughly the same thing) rather than a clear hierarchy. | 2 / 3 |
| Total | | 5 / 12 Passed |
Validation
Score: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.