
springboot-security

Spring Security best practices for authn/authz, validation, CSRF, secrets, headers, rate limiting, and dependency security in Java Spring Boot services.

Install with Tessl CLI

npx tessl i github:ysyecust/everything-claude-code --skill springboot-security

73

Quality

67%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/springboot-security/SKILL.md

Discovery

54%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description effectively identifies its domain and includes strong technical trigger terms that developers would naturally use. However, it lacks explicit 'Use when...' guidance and describes topic areas rather than concrete actions Claude can perform, which limits its effectiveness for skill selection.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when implementing authentication, authorization, or security hardening in Spring Boot applications'

Convert topic categories into concrete actions, e.g., 'Implements authentication flows, configures authorization rules, hardens CSRF protection, manages secrets securely' instead of just listing security areas

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Names the domain (Spring Security) and lists several security areas (authn/authz, validation, CSRF, secrets, headers, rate limiting, dependency security), but these are topic categories rather than concrete actions like 'configure', 'implement', or 'audit'. | 2 / 3 |
| Completeness | Describes what (Spring Security best practices for various security concerns) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. | 1 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'Spring Security', 'authn/authz', 'CSRF', 'rate limiting', 'Java Spring Boot', 'secrets', 'headers'. These are terms developers naturally use when seeking security guidance. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive with clear niche: specifically targets Spring Security in Java Spring Boot context. The combination of framework-specific terms (Spring Security, Spring Boot) with security domains creates a unique fingerprint unlikely to conflict with generic security or Java skills. | 3 / 3 |

Total: 9 / 12 (Passed)

Implementation

79%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a strong security reference skill with excellent actionability and conciseness. The code examples are production-ready and cover the key Spring Security concerns comprehensively. The main weaknesses are the lack of explicit validation workflows for security configuration changes and the monolithic structure that could benefit from splitting advanced topics into referenced files.

Suggestions

Add a validation workflow section showing how to test security configurations before deployment (e.g., integration test examples, security audit commands)

Consider splitting detailed topics like Vault integration, Bucket4j setup, and OWASP Dependency Check into separate referenced files to improve progressive disclosure

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The skill is lean and efficient, providing direct guidance without explaining concepts Claude already knows. Each section jumps straight to actionable patterns with minimal preamble. | 3 / 3 |
| Actionability | Provides fully executable Java code examples throughout, including complete filter implementations, configuration beans, and annotated controllers. Code is copy-paste ready with proper imports implied. | 3 / 3 |
| Workflow Clarity | The checklist at the end provides good validation steps, but the individual sections lack explicit sequencing or feedback loops. For security configurations that can break applications, there's no validate-then-deploy workflow. | 2 / 3 |
| Progressive Disclosure | Content is well-organized with clear section headers, but it's a monolithic document (~200 lines) with no references to external files for deeper topics like Vault integration or OWASP setup that could benefit from separate detailed guides. | 2 / 3 |

Total: 10 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |

Total: 10 / 11 (Passed)
