CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl-labs/express-security-basics

Security defaults that belong in every Express application from day one.

93

6.18x
Quality

90%

Does it follow best practices?

Impact

99%

6.18x

Average score across 5 eval scenarios

SecuritybySnyk

Passed

No known issues

Overview
Quality
Evals
Security
Files

Quality

Content

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a strong, highly actionable skill with excellent executable examples and clear WRONG/RIGHT contrasts that make it immediately useful. The workflow and middleware ordering are explicit and well-documented. However, the skill is verbose for its purpose—some explanations of what headers do or why certain flags matter could be trimmed, and the monolithic structure could benefit from splitting detailed sections into referenced files.

Suggestions

Trim explanations of concepts Claude already knows (e.g., what httpOnly does, what each Helmet header prevents) to reduce token count by ~30%

Consider splitting detailed sections (rate limiting with Redis, session security) into separate referenced files to improve progressive disclosure

Remove or condense the bullet list of all Helmet headers—Claude doesn't need to know all 11 headers, just that Helmet adds sensible defaults

DimensionReasoningScore

Conciseness

The skill is comprehensive but includes some unnecessary explanation (e.g., listing all Helmet headers, explaining what each cookie flag does). While mostly efficient, it could be tightened by assuming Claude knows basic security concepts.

2 / 3

Actionability

Excellent actionability with fully executable code examples throughout. Every section includes copy-paste ready TypeScript/JavaScript with correct imports, and contrasts WRONG vs RIGHT patterns clearly.

3 / 3

Workflow Clarity

Clear middleware order section explicitly sequences all 8 steps. The checklist provides validation checkpoints, and the WRONG/RIGHT pattern throughout creates implicit feedback loops for error recognition.

3 / 3

Progressive Disclosure

Content is well-organized with clear sections and a final checklist, but the skill is monolithic (~400 lines) with detailed content that could be split into separate files (e.g., rate-limiting.md, cors.md). References to verifiers at the end are good but inline content is heavy.

2 / 3

Total

10

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly defines its scope (Express security middleware), lists specific capabilities (six named middleware), and provides explicit trigger conditions (creating/modifying Express apps, using express.json()). The description uses proper third-person voice and includes natural developer terminology that would facilitate accurate skill selection.

DimensionReasoningScore

Specificity

Lists six specific concrete security middleware: CORS, Helmet, rate limiting, trust proxy, input limits, and secure error handling. Also mentions the specific trigger 'app.use(express.json())' as a concrete action point.

3 / 3

Completeness

Clearly answers WHAT (six specific security middleware) and WHEN ('whenever you create or modify any Express app', 'If you are writing app.use(express.json())'). The explicit trigger guidance is strong and actionable.

3 / 3

Trigger Term Quality

Includes natural terms users would encounter: 'Express', 'CORS', 'Helmet', 'rate limiting', 'middleware', 'express.json()', 'security'. These are terms developers naturally use when working with Express security.

3 / 3

Distinctiveness Conflict Risk

Highly specific to Express.js security middleware with clear niche. The combination of 'Express', specific middleware names, and the 'express.json()' trigger makes it unlikely to conflict with general security or other framework skills.

3 / 3

Total

12

/

12

Passed

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation10 / 11 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

10

/

11

Passed

Reviewed

Table of Contents

DiscoveryImplementationValidation