tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill validating-csrf-protection

This skill helps to identify Cross-Site Request Forgery (CSRF) vulnerabilities in web applications. It validates the implementation of CSRF protection mechanisms, such as synchronizer tokens, double-submit cookies, SameSite attributes, and origin validation. Use this skill when you need to analyze your application's security posture against CSRF attacks or when asked to "validate csrf", "check for csrf vulnerabilities", or "test csrf protection".
Validation
Score: 69%

| Criteria | Description | Result |
|---|---|---|
| description_voice | 'description' should use third person voice; found second person: 'your ' | Warning |
| description_trigger_hint | Description may be missing an explicit 'when to use' trigger hint (e.g., 'Use when...') | Warning |
| metadata_version | 'metadata' field is not a dictionary | Warning |
| license_field | 'license' field is missing | Warning |
| body_output_format | No obvious output/return/format terms detected; consider specifying expected outputs | Warning |
| Total | 11 / 16 Passed | |
Implementation
Score: 7%

This skill content is conceptual and descriptive rather than actionable. It explains what CSRF validation involves at a high level but provides no concrete code, commands, or specific steps Claude can execute. The content assumes Claude needs to be told what CSRF is and when to check for it, rather than providing the specific technical guidance needed to actually perform the validation.
Suggestions
- Add executable code examples showing how to check for CSRF tokens in HTML forms, validate SameSite cookie attributes, or test endpoints with curl/requests
- Replace abstract 'How It Works' steps with concrete commands or scripts Claude should run (e.g., specific grep patterns, HTTP request examples, code to parse cookies)
- Include specific validation criteria: what constitutes a properly implemented CSRF token, what SameSite values are acceptable, what headers to check for origin validation
- Remove sections explaining when to use the skill and what CSRF is (Claude already knows this); focus on the specific technical implementation details
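The three suggestions above ask for exactly the kind of concrete checks the skill lacks. The block below is an added example written for this page, not code from the skill or its repository: it scans a captured HTML page for POST forms without a synchronizer-token hidden field, parses Set-Cookie headers and flags cookies whose SameSite value gives no CSRF protection, and implements the server-side Origin/Referer check a reviewer would expect. The hidden-field name list, the sample response and the allow-list origin `https://app.example` are constructed assumptions.

```python
"""Added example (not the skill's own code). Assumptions: the CSRF field
name list is illustrative, the sample HTML/cookies below are constructed,
and https://app.example is a hypothetical application origin."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: common synchronizer-token field names; extend per framework.
CSRF_FIELD_NAMES = {"csrf_token", "_csrf", "csrfmiddlewaretoken",
                    "authenticity_token", "__requestverificationtoken", "_token"}


class FormScanner(HTMLParser):
    """Collect each <form> with its method, action and hidden inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"method": (a.get("method") or "get").lower(),
                         "action": a.get("action", ""), "hidden": {}}
            self.forms.append(self._cur)
        elif (tag == "input" and self._cur is not None
              and (a.get("type") or "text").lower() == "hidden"):
            self._cur["hidden"][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def token_is_acceptable(value, min_len=16):
    """A synchronizer token must be unguessable: require length and variety."""
    return len(value) >= min_len and len(set(value)) >= 8


def check_forms(html):
    """One finding per state-changing (POST) form lacking a usable token."""
    scanner = FormScanner()
    scanner.feed(html)
    findings = []
    for f in scanner.forms:
        if f["method"] != "post":
            continue  # GET forms must be side-effect free; no token expected
        hits = [(n, v) for n, v in f["hidden"].items() if n in CSRF_FIELD_NAMES]
        if not hits:
            findings.append(f"POST form {f['action']!r}: no CSRF token field")
        elif not token_is_acceptable(hits[0][1]):
            findings.append(f"POST form {f['action']!r}: token {hits[0][0]!r} too weak")
    return findings


def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val|True})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for p in rest:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() or True
    return name.strip(), value, attrs


def check_cookies(set_cookie_headers):
    """Acceptable SameSite for a session cookie is Lax or Strict. None gives
    no CSRF protection (and needs Secure or browsers drop the cookie); an
    absent attribute leaves behaviour to browser defaults, which differ."""
    findings = []
    for h in set_cookie_headers:
        name, _, a = parse_set_cookie(h)
        ss = str(a.get("samesite", "")).lower()
        if ss in ("lax", "strict"):
            continue
        if ss == "none":
            msg = "SameSite=None: no CSRF protection from this cookie"
            if "secure" not in a:
                msg += " and missing Secure (browsers will reject it)"
        else:
            msg = "SameSite not set: relying on browser defaults"
        findings.append(f"cookie {name!r}: {msg}")
    return findings


def origin_allowed(headers, allowed_origins):
    """Server-side origin validation for state-changing requests: trust the
    Origin header, fall back to the Referer's origin, reject when neither
    is present or Origin is the opaque value 'null'."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None and "referer" in h:
        u = urlsplit(h["referer"])
        origin = f"{u.scheme}://{u.netloc}"
    if not origin or origin == "null":
        return False
    return origin.lower() in allowed_origins


# Constructed sample response: one protected form, one unprotected, one GET.
SAMPLE_HTML = """<html><body>
<form method="post" action="/transfer">
  <input type="hidden" name="csrf_token" value="9f2c1e7b4a8d3c6e5b1f0a7d9e2c4b8a">
  <input name="amount"></form>
<form method="POST" action="/delete-account"><input type="submit"></form>
<form method="get" action="/search"><input name="q"></form>
</body></html>"""
SAMPLE_COOKIES = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "legacy=xyz; Path=/; HttpOnly",
    "tracker=1; Path=/; SameSite=None",
]
ALLOWED = {"https://app.example"}

if __name__ == "__main__":
    for line in check_forms(SAMPLE_HTML) + check_cookies(SAMPLE_COOKIES):
        print("FINDING:", line)
    print("cross-site POST accepted:", origin_allowed({"Origin": "https://evil.example"}, ALLOWED))
```

Run against the constructed sample it reports the `/delete-account` form, the `legacy` cookie with no SameSite attribute, and the `tracker` cookie set to `SameSite=None` without `Secure`, and rejects the cross-site Origin. The token check is deliberately a heuristic (length and character variety); whether a token is actually bound to the session and compared server-side can only be confirmed by reading the handler or by replaying the form with the token altered.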
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Verbose and padded with unnecessary context. Explains what CSRF is and how the skill works conceptually, which Claude already knows. Sections like 'How It Works', 'When to Use This Skill', and 'Best Practices' contain generic information that doesn't add actionable value. | 1 / 3 |
| Actionability | No concrete code, commands, or executable guidance provided. The examples describe what the skill 'will do' abstractly rather than showing actual commands, code snippets, or specific steps Claude should take to perform CSRF validation. | 1 / 3 |
| Workflow Clarity | Steps are vague and abstract ('Analyze Endpoints', 'Assess Protection Mechanisms'). No specific validation checkpoints, no concrete sequence of actions, and no guidance on what tools or methods to use for each step. | 1 / 3 |
| Progressive Disclosure | Content is organized into sections with headers, but it's a monolithic document with no references to external files for detailed guidance. The structure exists but content that could be split (detailed examples, API reference) is either missing or inline. | 2 / 3 |
| Total | 5 / 12 Passed | |
Activation
Score: 100%

This is a well-crafted skill description that excels across all dimensions. It provides specific capabilities (identifying CSRF vulnerabilities, validating protection mechanisms), includes comprehensive trigger terms users would naturally use, and has an explicit 'Use this skill when...' clause. The only minor issue is the use of second person ('your application's') which slightly deviates from the preferred third person voice, but this doesn't significantly impact the description's effectiveness.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'identify Cross-Site Request Forgery (CSRF) vulnerabilities', 'validates the implementation of CSRF protection mechanisms', and enumerates specific mechanisms like 'synchronizer tokens, double-submit cookies, SameSite attributes, and origin validation'. | 3 / 3 |
| Completeness | Clearly answers both what (identifies CSRF vulnerabilities, validates protection mechanisms) AND when with explicit 'Use this skill when...' clause containing specific trigger phrases like 'validate csrf', 'check for csrf vulnerabilities', 'test csrf protection'. | 3 / 3 |
| Trigger Term Quality | Includes excellent natural keywords users would say: 'CSRF', 'Cross-Site Request Forgery', 'validate csrf', 'check for csrf vulnerabilities', 'test csrf protection', 'security posture', and 'CSRF attacks'. Good coverage of both full terms and abbreviations. | 3 / 3 |
| Distinctiveness / Conflict Risk | Very clear niche focused specifically on CSRF vulnerabilities with distinct triggers. Unlikely to conflict with other security skills due to the specific focus on CSRF rather than general security testing. | 3 / 3 |
| Total | 12 / 12 Passed | |