Security defaults that belong in every ASP.NET Core application from day one.
Score: 87 (83%)
Does it follow best practices? Passed, no known issues
Impact: 94%
1.91x average score across 5 eval scenarios
Quality
Discovery: 85%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that excels in specificity and completeness, clearly listing concrete security features and providing explicit trigger conditions. The main weakness is trigger term quality - while it covers technical terms well, it could benefit from including more natural language phrases users might say when requesting security improvements.
Suggestions
Add natural language trigger terms like 'secure my ASP.NET app', 'add security to my web API', or 'protect my .NET application' to capture how users naturally request security features.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete security features: CORS, HTTPS redirection, HSTS, security headers, rate limiting, anti-forgery, authentication, authorization, Data Protection API, input validation, and Content Security Policy. | 3 / 3 |
| Completeness | Clearly answers both what (security defaults including CORS, HTTPS, HSTS, etc.) and when ('whenever you create or modify any ASP.NET Core app', 'If you are writing builder.Services.AddControllers()'). Explicit trigger guidance is provided. | 3 / 3 |
| Trigger Term Quality | Includes technical terms like 'ASP.NET Core', 'CORS', 'HSTS', 'security headers' which are relevant but may miss natural user phrases like 'secure my app', 'add security', or 'protect my API'. The trigger 'builder.Services.AddControllers()' is very specific but narrow. | 2 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with clear niche: ASP.NET Core security specifically. The combination of framework-specific terminology and comprehensive security feature list makes it unlikely to conflict with general security or other framework skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 77%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a highly actionable and well-structured security skill with excellent executable code examples and clear WRONG/RIGHT patterns. The workflow clarity is strong with explicit middleware ordering and a comprehensive checklist. However, the document is lengthy and could be more concise by reducing redundant emphasis on mandatory nature and splitting detailed subsections into referenced files.
Suggestions
Reduce repetitive emphasis on 'these are mandatory/not optional' - state it once clearly at the top and trust Claude to follow
Consider splitting detailed subsections (CSP configuration, FluentValidation setup, Data Protection API) into separate reference files with brief summaries in the main skill
Remove the car/seatbelt analogy and similar explanatory prose - the WRONG/RIGHT code patterns already communicate the importance effectively
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is comprehensive but includes some unnecessary explanation (e.g., 'the same way you would not ship a car without seatbelts' analogy, repeated emphasis that these are mandatory). The WRONG/RIGHT pattern is useful but adds length; some sections could be tightened. | 2 / 3 |
| Actionability | Excellent actionability with fully executable, copy-paste ready code examples for every security feature. Each section shows both wrong and right approaches with complete, working C# code including proper using statements and configuration. | 3 / 3 |
| Workflow Clarity | Clear middleware pipeline order section explicitly shows the correct sequence. The checklist at the end provides validation checkpoints. Each section has clear before/after patterns showing what to avoid and what to implement. | 3 / 3 |
| Progressive Disclosure | The skill is a monolithic document (~500 lines) that could benefit from splitting detailed sections (like CSP configuration, FluentValidation setup) into separate reference files. The verifiers section at the end references external files, but the main content is all inline. | 2 / 3 |
| Total | | 10 / 12 Passed |
Validation: 81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (708 lines); consider splitting into references/ and linking | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |