csrf-protection
Implements CSRF protection using synchronizer tokens, double-submit cookies, and SameSite attributes. Use when securing web forms, protecting state-changing endpoints, or implementing defense-in-depth authentication.
90
86%
Does it follow best practices?
Impact
94%
1.23xAverage score across 3 eval scenarios
Passed
No known issues
Quality
Discovery
85%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly articulates specific CSRF protection techniques and provides explicit usage triggers. The description uses proper third-person voice and covers both the 'what' and 'when' effectively. The main weakness is moderate trigger term coverage - it could benefit from including common variations like 'cross-site request forgery' or 'XSRF'.
Suggestions
Add common trigger term variations such as 'cross-site request forgery', 'XSRF', or 'anti-forgery tokens' to improve discoverability when users use different terminology.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'synchronizer tokens, double-submit cookies, and SameSite attributes' - these are distinct, technical implementation approaches that clearly describe what the skill does. | 3 / 3 |
Completeness | Clearly answers both what ('Implements CSRF protection using synchronizer tokens, double-submit cookies, and SameSite attributes') and when ('Use when securing web forms, protecting state-changing endpoints, or implementing defense-in-depth authentication'). | 3 / 3 |
Trigger Term Quality | Includes relevant terms like 'CSRF protection', 'web forms', 'state-changing endpoints', and 'authentication', but misses common user variations like 'cross-site request forgery', 'form security', 'token validation', or 'XSRF'. | 2 / 3 |
Distinctiveness Conflict Risk | CSRF protection is a specific security niche with distinct triggers; unlikely to conflict with general authentication, XSS, or other security skills due to explicit mention of CSRF-specific techniques. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
87%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong skill with excellent conciseness and actionability. The code examples are production-ready with proper security practices (timing-safe comparison, secure cookie settings). The main weakness is the lack of an explicit implementation workflow with validation steps to verify the protection is working correctly.
Suggestions
Add a brief implementation workflow section with steps like: 1) Add middleware, 2) Update forms, 3) Test by attempting cross-origin POST without token, 4) Verify 403 response
Include a simple verification step or test command to confirm CSRF protection is active
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The content is lean and efficient, presenting only essential information without explaining what CSRF is or how browsers work. Every section delivers actionable content without padding. | 3 / 3 |
Actionability | Provides fully executable code examples for Express middleware, session configuration, and HTML form integration. The code is copy-paste ready with proper crypto usage and timing-safe comparison. | 3 / 3 |
Workflow Clarity | While the individual components are clear, there's no explicit workflow for implementing CSRF protection end-to-end. Missing validation checkpoints like 'test your protection by attempting a cross-origin request' or verification steps after implementation. | 2 / 3 |
Progressive Disclosure | Well-structured with a clear overview table, focused core examples, and appropriate delegation to references/python-react.md for additional implementations. Navigation is clear and one level deep. | 3 / 3 |
Total | 11 / 12 Passed |
Validation
100%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
- Repository
- secondsky/claude-skills
- Commit
90d6bd7
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.