springboot-security
Spring Security best practices for authn/authz, validation, CSRF, secrets, headers, rate limiting, and dependency security in Java Spring Boot services.
57
48%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/springboot-security/SKILL.mdQuality
Discovery
32%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description identifies a clear domain (Spring Security in Java Spring Boot) and enumerates several security subtopics, which provides moderate specificity and distinctiveness. However, it lacks a 'Use when...' clause, uses abbreviations instead of spelling out terms users might search for, and describes topics rather than concrete actions the skill performs.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about securing a Spring Boot application, configuring authentication/authorization, protecting against CSRF or XSS, or managing secrets.'
Spell out abbreviations and add common variations: replace 'authn/authz' with 'authentication, authorization, OAuth2, JWT' and add terms like 'XSS', 'password hashing', 'security configuration'.
Reframe as concrete actions rather than topic areas, e.g., 'Configures Spring Security for authentication and authorization, implements CSRF protection, manages secrets securely, sets security headers, and applies rate limiting.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists several security domains (authn/authz, validation, CSRF, secrets, headers, rate limiting, dependency security) but uses abbreviations and doesn't describe concrete actions—it says 'best practices for' these areas rather than specific actions like 'configure CSRF protection' or 'implement OAuth2 authentication'. | 2 / 3 |
Completeness | Describes what the skill covers (Spring Security best practices across several domains) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per the rubric, a missing 'Use when...' clause caps completeness at 2, and the 'what' is also only moderately clear, so this scores at 1. | 1 / 3 |
Trigger Term Quality | Includes relevant keywords like 'Spring Security', 'CSRF', 'rate limiting', 'Java Spring Boot', and 'secrets', which users might naturally mention. However, it misses common variations like 'OAuth', 'JWT', 'authentication', 'authorization' (spelled out), 'XSS', 'security headers', or 'password hashing'. | 2 / 3 |
Distinctiveness Conflict Risk | The combination of 'Spring Security' and 'Java Spring Boot' narrows the domain well, but it could overlap with general Java/Spring Boot skills or broader security-focused skills. The lack of explicit trigger conditions increases conflict risk. | 2 / 3 |
Total | 7 / 12 Passed |
Implementation
64%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable security reference with excellent concrete code examples covering the major Spring Security concerns. Its main weaknesses are its monolithic length without progressive disclosure to separate files, and the lack of a clear sequential workflow with validation checkpoints for conducting a security review. Some minor verbosity could be trimmed where it explains concepts Claude already understands.
Suggestions
Add a brief sequential workflow at the top (e.g., 'Review auth → authorization → input validation → ...') with explicit validation/testing checkpoints between steps to guide the review process.
Split detailed code examples (rate limiting filter, CORS config, JWT filter) into referenced files like EXAMPLES.md or per-topic files, keeping only concise patterns in the main skill.
Remove explanatory phrases Claude already knows (e.g., 'never store plaintext', 'never concatenate strings') and trust the BAD/GOOD code examples to convey the point.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is fairly efficient with good use of code examples and bullet points, but it's quite long (~200 lines) and some sections explain things Claude already knows (e.g., 'never store plaintext' passwords, basic SQL injection concepts). The BAD/GOOD pattern, while useful, adds bulk. Some sections like 'Dependency Security', 'Logging and PII', and 'File Uploads' are too terse to be useful yet still consume tokens. | 2 / 3 |
Actionability | Nearly every section includes fully executable, copy-paste-ready Java code examples with proper imports and annotations. The examples cover real patterns (JwtAuthFilter, Bean Validation DTOs, CORS config, rate limiting filter) and include both anti-patterns (BAD) and correct patterns (GOOD), making guidance highly concrete. | 3 / 3 |
Workflow Clarity | The skill provides a good release checklist at the end, but the sections are presented as independent topics rather than a sequenced workflow. There are no validation checkpoints or feedback loops for the security review process itself — e.g., no 'verify auth works before moving to authorization' or 'test CSRF configuration' steps. For a security review skill involving potentially destructive configuration changes, this is a gap. | 2 / 3 |
Progressive Disclosure | The content is well-organized with clear section headers, but it's monolithic — all content is inline with no references to external files for detailed topics like Vault integration, Bucket4j setup, or OWASP Dependency Check configuration. Given the breadth of topics covered, some sections (rate limiting, CORS, security headers) could be split into referenced files to keep the main skill leaner. | 2 / 3 |
Total | 9 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- ysyecust/everything-claude-code
- Commit
79cc4e3
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.