Name: tdg-personal/django-security
Rating: 54.400000000000006 (1 reviews)
Author: tdg-personal

tdg-personal/django-security

Django security best practices, authentication, authorization, CSRF protection, SQL injection prevention, XSS prevention, and secure deployment configurations.

Quality

68%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Passed

No known issues

Quality

Content

42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides comprehensive, executable Django security code examples covering all major vulnerability categories, which is its primary strength. However, it is far too verbose for a skill file — it reads more like a tutorial or reference manual than a concise instruction set for Claude. The lack of progressive disclosure (everything in one file) and missing workflow sequencing (no `manage.py check --deploy` validation step, no deployment order) significantly reduce its effectiveness as a skill.

Suggestions

Reduce content to ~100 lines by keeping only the production settings block, the security checklist, and brief one-liner references for each topic, moving detailed examples to separate files (e.g., AUTHENTICATION.md, XSS_PREVENTION.md, API_SECURITY.md).

Add a sequenced deployment security workflow with explicit validation: run `python manage.py check --deploy`, verify settings, then deploy — with a feedback loop for fixing flagged issues.

Remove explanatory comments Claude already knows (e.g., '# CRITICAL: Never use True in production', '# Django auto-escapes variables by default - SAFE') and trust Claude's existing Django knowledge.

Cut the full AJAX CSRF cookie-fetching JavaScript snippet and the verbose RBAC model example — these are standard patterns that add bulk without security-specific insight.

Dimension	Reasoning	Score
Conciseness	Extremely verbose at ~400+ lines. Explains many concepts Claude already knows (what CSRF is, how Django ORM escaping works, basic permission patterns). Includes boilerplate code like the full AJAX cookie-fetching function and verbose model definitions that don't add security-specific value. The closing 'Security is a process, not a product' platitude is unnecessary.	1 / 3
Actionability	Provides fully executable, copy-paste ready code examples throughout — production settings, custom user models, permission classes, file validators, rate limiting configs, logging setup. Code is concrete and specific with real Django imports and patterns.	3 / 3
Workflow Clarity	The checklist at the end provides a summary but there's no clear sequenced workflow for securing a Django app (e.g., 'do this first, then validate, then deploy'). Individual sections are clear but lack validation checkpoints — for instance, no mention of running `python manage.py check --deploy` to verify security settings, which is Django's built-in security validation tool.	2 / 3
Progressive Disclosure	Monolithic wall of content with no references to external files. All topics (auth, CSRF, XSS, SQL injection, file uploads, API security, CSP, logging) are inlined in a single massive document. This would benefit greatly from splitting into focused sub-files with a concise overview in the main SKILL.md.	1 / 3
	Total	7 / 12 Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This description excels at listing specific Django security capabilities with strong, natural trigger terms that developers would use. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill over others. Adding trigger guidance would elevate this from a good description to an excellent one.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about securing a Django application, hardening Django settings, or preventing common web vulnerabilities like CSRF, XSS, or SQL injection in Django.'

Consider mentioning related file types or settings files (e.g., 'settings.py', 'middleware configuration') to further strengthen trigger matching for deployment-related queries.

Dimension	Reasoning	Score
Specificity	Lists multiple specific concrete actions/topics: authentication, authorization, CSRF protection, SQL injection prevention, XSS prevention, and secure deployment configurations. These are clearly defined security domains.	3 / 3
Completeness	The 'what' is well covered with specific security topics, but there is no explicit 'Use when...' clause or equivalent trigger guidance telling Claude when to select this skill. Per rubric guidelines, this caps completeness at 2.	2 / 3
Trigger Term Quality	Includes strong natural keywords users would say: 'Django security', 'authentication', 'authorization', 'CSRF', 'SQL injection', 'XSS', 'secure deployment'. These are terms developers naturally use when seeking help with Django security.	3 / 3
Distinctiveness Conflict Risk	The combination of 'Django' with specific security concerns (CSRF, SQL injection, XSS) creates a clear niche. It is unlikely to conflict with general Django skills or generic security skills due to the specificity of the domain intersection.	3 / 3
	Total	11 / 12 Passed

Validation

81%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 9 / 11 Passed

Validation for skill structure

Criteria	Description	Result
skill_md_line_count	SKILL.md is long (594 lines); consider splitting into references/ and linking	Warning
frontmatter_unknown_keys	Unknown frontmatter key(s) found; consider removing or moving to metadata	Warning

	Total	9 / 11 Passed

Reviewed

2 months ago

Table of Contents

Discovery Implementation Validation