springboot-security

Spring Security best practices for authn/authz, validation, CSRF, secrets, headers, rate limiting, and dependency security in Java Spring Boot services.

Quality

59%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Passed

No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/springboot-security/SKILL.md

Quality

Content

64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a comprehensive and highly actionable Spring Security reference with excellent executable code examples and clear BAD/GOOD comparisons. Its main weaknesses are its monolithic length (could benefit from splitting into referenced sub-files) and the lack of explicit validation/verification workflows — it reads more as a reference catalog than a guided security review process. Trimming boilerplate code that Claude could generate from brief instructions would improve token efficiency.

Suggestions

Split detailed sections (Rate Limiting, CORS, JWT Auth) into separate referenced files to improve progressive disclosure and reduce the main file's token footprint.

Add explicit verification steps after key configurations, e.g., 'After configuring security headers, verify with: curl -I https://localhost:8080/api/health and check for Content-Security-Policy header.'

Reduce boilerplate in code examples — for the JWT filter and rate limit filter, a shorter skeleton with key lines highlighted would suffice since Claude can generate the full implementation.

Dimension	Reasoning	Score
Conciseness	The skill is fairly efficient with good use of code examples and bullet points, but it's quite long (~200+ lines) and some sections like the JWT filter and rate limiting filter include boilerplate that Claude could generate from a brief instruction. The BAD/GOOD pattern comparisons add value but also add length.	2 / 3
Actionability	Excellent actionability throughout — nearly every section includes fully executable Java code, YAML configuration, or concrete annotations. The BAD/GOOD comparisons for SQL injection, input validation, and secrets management are particularly effective and copy-paste ready.	3 / 3
Workflow Clarity	The skill covers many security topics clearly but lacks a sequenced workflow with validation checkpoints. The 'Checklist Before Release' is helpful but is a static checklist rather than a step-by-step process with feedback loops. For a security review skill involving potentially destructive configuration changes, explicit validation steps (e.g., 'test auth after configuring, verify headers with curl') would strengthen this.	2 / 3
Progressive Disclosure	The content is well-organized with clear section headers, but it's monolithic — all content is inline in a single file. Several sections (Rate Limiting, CORS, Security Headers) could be referenced as separate files. No external references or links to deeper documentation are provided despite the breadth of topics covered.	2 / 3
	Total	9 / 12 Passed

Description

54%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description effectively identifies its niche domain (Spring Security in Java Spring Boot) and includes strong trigger terms that developers would naturally use. However, it lacks concrete action verbs describing what the skill actually does and critically omits any 'Use when...' guidance, making it incomplete for skill selection purposes.

Suggestions

Add a 'Use when...' clause specifying triggers, e.g., 'Use when the user asks about securing Spring Boot endpoints, configuring authentication/authorization, handling CSRF tokens, or reviewing security configurations.'

Replace 'best practices' with specific actions, e.g., 'Reviews and configures authentication flows, authorization rules, CSRF protection, security headers, and secret management in Java Spring Boot services.'

Dimension	Reasoning	Score
Specificity	The description names the domain (Spring Security) and lists several topic areas (authn/authz, validation, CSRF, secrets, headers, rate limiting, dependency security), but these are categories rather than concrete actions. It says 'best practices' but doesn't specify what actions it performs (e.g., 'configures CSRF protection', 'reviews authentication code').	2 / 3
Completeness	The description answers 'what' at a high level (best practices for various security topics) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per the rubric, a missing 'Use when...' clause caps completeness at 2, and the 'what' is also weak (no concrete actions), so this scores a 1.	1 / 3
Trigger Term Quality	Includes strong natural keywords users would say: 'Spring Security', 'authn/authz', 'CSRF', 'rate limiting', 'secrets', 'headers', 'Java Spring Boot', 'dependency security', 'validation'. These cover a good range of terms a developer would naturally use when seeking security guidance.	3 / 3
Distinctiveness Conflict Risk	The combination of 'Spring Security', 'Java Spring Boot', and the specific security topics (CSRF, authn/authz, rate limiting) creates a clear niche that is unlikely to conflict with other skills. It's distinctly about security in the Spring Boot ecosystem.	3 / 3
	Total	9 / 12 Passed

Validation

90%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed

Validation for skill structure

Criteria	Description	Result
frontmatter_unknown_keys	Unknown frontmatter key(s) found; consider removing or moving to metadata	Warning

	Total	10 / 11 Passed

Repository: ysyecust/everything-claude-code
Commit: 79cc4e3

Reviewed: 3 months ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.