Django security best practices, authentication, authorization, CSRF protection, SQL injection prevention, XSS prevention, and secure deployment configurations.
Overall: 68%
Does it follow best practices?
Impact: Pending (no eval scenarios have been run)
Quality: Passed (no known issues)
Discovery
Score: 82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description excels at listing specific Django security capabilities with strong, natural trigger terms that developers would use. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill over others. Adding trigger guidance would elevate this from a good description to an excellent one.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about securing a Django application, hardening Django settings, or preventing common web vulnerabilities like CSRF, XSS, or SQL injection in Django.'
Consider mentioning related file types or settings files (e.g., 'settings.py', 'middleware configuration') to further strengthen trigger matching for deployment-related queries.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific, concrete topics: authentication, authorization, CSRF protection, SQL injection prevention, XSS prevention, and secure deployment configurations. These are clearly defined security domains. | 3 / 3 |
| Completeness | The 'what' is well covered with specific security topics, but there is no explicit 'Use when...' clause or equivalent trigger guidance telling Claude when to select this skill. Per rubric guidelines, this caps completeness at 2. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'Django security', 'authentication', 'authorization', 'CSRF', 'SQL injection', 'XSS', 'secure deployment'. These are terms developers naturally use when seeking help with Django security. | 3 / 3 |
| Distinctiveness / Conflict Risk | The combination of 'Django' with specific security concerns (CSRF, SQL injection, XSS) creates a clear niche. It is unlikely to conflict with general Django skills or generic security skills because of the specificity of the domain intersection. | 3 / 3 |
| Total | | 11 / 12 (Passed) |
Implementation
Score: 42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides comprehensive, executable Django security code examples covering all major vulnerability categories, which is its primary strength. However, it is far too verbose for a skill file — it reads more like a tutorial or reference manual than a concise instruction set for Claude. The lack of progressive disclosure (everything in one file) and missing workflow sequencing (no `manage.py check --deploy` validation step, no deployment order) significantly reduce its effectiveness as a skill.
Suggestions
Reduce content to ~100 lines by keeping only the production settings block, the security checklist, and brief one-liner references for each topic, moving detailed examples to separate files (e.g., AUTHENTICATION.md, XSS_PREVENTION.md, API_SECURITY.md).
Add a sequenced deployment security workflow with explicit validation: run `python manage.py check --deploy`, verify settings, then deploy — with a feedback loop for fixing flagged issues.
Remove explanatory comments Claude already knows (e.g., '# CRITICAL: Never use True in production', '# Django auto-escapes variables by default - SAFE') and trust Claude's existing Django knowledge.
Cut the full AJAX CSRF cookie-fetching JavaScript snippet and the verbose RBAC model example — these are standard patterns that add bulk without security-specific insight.
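A concrete form of the validation step recommended above, added here as an illustration for this review and not taken from the skill under review. The pure-Python checks mirror a hand-picked subset of what `python manage.py check --deploy` reports (the correspondence to Django's own check IDs is assumed, not copied from Django), so the gate can be exercised offline against a weak and a hardened settings mapping; the real deployment pipeline still runs Django's own command through `run_django_deploy_check()`, because it covers far more than this list. Both settings dicts are constructed samples, and the hardened `SECRET_KEY` is a placeholder, not a key to reuse.

```python
"""Deployment gate for a Django project: print every hardening finding,
refuse to deploy while any remain, then run Django's own deploy checks.
Added example for this review; not code from the skill under review."""
import subprocess
import sys
from typing import Any, Mapping


def check_settings(settings: Mapping[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means the gate opens.

    Each check is a simplified restatement of a Django deploy check
    (assumed correspondence, written by hand for this example).
    Missing keys fall back to Django's defaults."""
    findings: list[str] = []

    # Django's default for DEBUG is False; only an explicit True is unsafe.
    if settings.get("DEBUG", False):
        findings.append("DEBUG must be False in production (leaks tracebacks and settings)")

    # Length, character variety and the startproject placeholder prefix.
    secret = str(settings.get("SECRET_KEY", ""))
    if len(secret) < 50 or len(set(secret)) < 5 or secret.startswith("django-insecure-"):
        findings.append("SECRET_KEY is short, low-entropy, or the startproject placeholder")

    hosts = settings.get("ALLOWED_HOSTS", [])
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS must list the real hostnames (no '*')")

    for flag in ("SECURE_SSL_REDIRECT", "SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not settings.get(flag, False):
            findings.append(f"{flag} should be True so requests and cookies stay on HTTPS")

    if int(settings.get("SECURE_HSTS_SECONDS", 0)) <= 0:
        findings.append("SECURE_HSTS_SECONDS is 0; set a non-zero value once HTTPS works end to end")

    return findings


def deploy_gate(settings: Mapping[str, Any]) -> bool:
    """The feedback loop: report each finding, return True only when clean."""
    findings = check_settings(settings)
    for finding in findings:
        print(f"BLOCKED: {finding}")
    return not findings


def run_django_deploy_check(manage_py: str = "manage.py") -> int:
    """Run Django's own deploy checks. --fail-level WARNING turns any warning
    into a non-zero exit status, so a CI job stops before the deploy step."""
    return subprocess.call(
        [sys.executable, manage_py, "check", "--deploy", "--fail-level", "WARNING"]
    )


# Constructed sample settings, not from any real project.
WEAK_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-change-me",
    "ALLOWED_HOSTS": ["*"],
}

HARDENED_SETTINGS = {
    "DEBUG": False,
    # Placeholder with enough length and variety to pass; never ship a literal key.
    "SECRET_KEY": "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@",
    "ALLOWED_HOSTS": ["app.example.com"],
    "SECURE_SSL_REDIRECT": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SECURE_HSTS_SECONDS": 31536000,
}


if __name__ == "__main__":
    # Pre-flight on the hand-written checks first, then Django's own command.
    if not deploy_gate(HARDENED_SETTINGS):
        sys.exit(1)
    sys.exit(run_django_deploy_check())
```

In a pipeline the order is the one the suggestion asks for: the local gate runs against the settings module that will ship, `manage.py check --deploy --fail-level WARNING` runs next with the same environment variables the production process will see, and only a zero exit from both reaches the deploy step; a non-zero exit prints the findings, which are the fix list for the next iteration.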
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose (the validation step counts SKILL.md at 594 lines). Explains many concepts Claude already knows (what CSRF is, how Django ORM escaping works, basic permission patterns). Includes boilerplate such as the full AJAX cookie-fetching function and verbose model definitions that add no security-specific value. The closing 'Security is a process, not a product' platitude is unnecessary. | 1 / 3 |
| Actionability | Provides fully executable, copy-paste ready code examples throughout: production settings, custom user models, permission classes, file validators, rate limiting configs, logging setup. Code is concrete and specific, with real Django imports and patterns. | 3 / 3 |
| Workflow Clarity | The checklist at the end provides a summary, but there is no clear sequenced workflow for securing a Django app (e.g., 'do this first, then validate, then deploy'). Individual sections are clear but lack validation checkpoints; for instance, there is no mention of running `python manage.py check --deploy` to verify security settings, which is Django's built-in security validation tool. | 2 / 3 |
| Progressive Disclosure | Monolithic wall of content with no references to external files. All topics (auth, CSRF, XSS, SQL injection, file uploads, API security, CSP, logging) are inlined in a single massive document. This would benefit greatly from splitting into focused sub-files with a concise overview in the main SKILL.md. | 1 / 3 |
| Total | | 7 / 12 (Passed) |
Validation
Score: 81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (594 lines); consider splitting into references/ and linking | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |