Spring Security best practices for authn/authz, validation, CSRF, secrets, headers, rate limiting, and dependency security in Java Spring Boot services.
Overall score: 67%
Impact: Pending (no eval scenarios have been run)
Quality: Passed (no known issues)
Discovery
Discovery: 54%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description effectively identifies its niche domain (Spring Security in Java Spring Boot) and includes strong trigger terms that developers would naturally use. However, it lacks concrete action verbs describing what the skill actually does and critically omits any 'Use when...' guidance, making it incomplete for skill selection purposes.
Suggestions
Add a 'Use when...' clause specifying triggers, e.g., 'Use when the user asks about securing Spring Boot endpoints, configuring authentication/authorization, handling CSRF tokens, or reviewing security configurations.'
Replace 'best practices' with specific actions, e.g., 'Reviews and configures authentication flows, authorization rules, CSRF protection, security headers, and secret management in Java Spring Boot services.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain (Spring Security) and lists several topic areas (authn/authz, validation, CSRF, secrets, headers, rate limiting, dependency security), but these are categories rather than concrete actions. It says 'best practices' but doesn't specify what actions it performs (e.g., 'configures CSRF protection', 'reviews authentication code'). | 2 / 3 |
| Completeness | The description answers 'what' at a high level (best practices for various security topics) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per the rubric, a missing 'Use when...' clause caps completeness at 2, and the 'what' is also weak (no concrete actions), so this scores a 1. | 1 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'Spring Security', 'authn/authz', 'CSRF', 'rate limiting', 'secrets', 'headers', 'Java Spring Boot', 'dependency security', 'validation'. These cover a good range of terms a developer would naturally use when seeking security guidance. | 3 / 3 |
| Distinctiveness / Conflict Risk | The combination of 'Spring Security', 'Java Spring Boot', and the specific security topics (CSRF, authn/authz, rate limiting) creates a clear niche that is unlikely to conflict with other skills. It's distinctly about security in the Spring Boot ecosystem. | 3 / 3 |
| Total | | 9 / 12 Passed |
Implementation
Implementation: 64%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a comprehensive and highly actionable Spring Security reference with excellent executable code examples and clear BAD/GOOD comparisons. Its main weaknesses are its monolithic length (could benefit from splitting into referenced sub-files) and the lack of explicit validation/verification workflows — it reads more as a reference catalog than a guided security review process. Trimming boilerplate code that Claude could generate from brief instructions would improve token efficiency.
Suggestions
Split detailed sections (Rate Limiting, CORS, JWT Auth) into separate referenced files to improve progressive disclosure and reduce the main file's token footprint.
Add explicit verification steps after key configurations, e.g., 'After configuring security headers, verify with: curl -I https://localhost:8080/api/health and check for Content-Security-Policy header.'
Reduce boilerplate in code examples — for the JWT filter and rate limit filter, a shorter skeleton with key lines highlighted would suffice since Claude can generate the full implementation.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is fairly efficient with good use of code examples and bullet points, but it's quite long (~200+ lines) and some sections like the JWT filter and rate limiting filter include boilerplate that Claude could generate from a brief instruction. The BAD/GOOD pattern comparisons add value but also add length. | 2 / 3 |
| Actionability | Excellent actionability throughout: nearly every section includes fully executable Java code, YAML configuration, or concrete annotations. The BAD/GOOD comparisons for SQL injection, input validation, and secrets management are particularly effective and copy-paste ready. | 3 / 3 |
| Workflow Clarity | The skill covers many security topics clearly but lacks a sequenced workflow with validation checkpoints. The 'Checklist Before Release' is helpful but is a static checklist rather than a step-by-step process with feedback loops. For a security review skill involving potentially destructive configuration changes, explicit validation steps (e.g., 'test auth after configuring, verify headers with curl') would strengthen this. | 2 / 3 |
| Progressive Disclosure | The content is well-organized with clear section headers, but it's monolithic: all content is inline in a single file. Several sections (Rate Limiting, CORS, Security Headers) could be referenced as separate files. No external references or links to deeper documentation are provided despite the breadth of topics covered. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |