Security defaults that belong in every Go HTTP server from day one — CORS, security headers, rate limiting, SQL injection prevention, input validation, secrets management, graceful shutdown, and request timeouts.
89
83%
Does it follow best practices?
Impact
99%
1.32x average score across 5 eval scenarios
Passed
No known issues
Quality
Discovery
85%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that excels at specificity and completeness, clearly listing ten concrete security capabilities and explicitly stating when to apply them. The main weakness is trigger term quality - while technically accurate, the terms are more developer jargon than natural user language, which could reduce discoverability when users ask for help in more casual terms.
Suggestions
- Add natural language trigger terms users might say, such as 'secure my Go API', 'harden my web server', 'add security to my Go app', or 'protect against attacks'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: CORS, security headers, rate limiting, input validation, SQL injection prevention, CSRF protection, TLS configuration, secrets management, graceful shutdown, and request timeouts. | 3 / 3 |
| Completeness | Clearly answers both what (security defaults including CORS, headers, rate limiting, etc.) AND when ('whenever you create or modify any Go web service -- do not wait for a security review or explicit request'). | 3 / 3 |
| Trigger Term Quality | Includes relevant technical terms like 'Go HTTP server', 'CORS', 'rate limiting', 'SQL injection', but these are more technical jargon than natural user language. Missing common variations like 'web app', 'API security', 'secure my server'. | 2 / 3 |
| Distinctiveness Conflict Risk | Clear niche targeting Go HTTP servers specifically with security focus. The combination of 'Go' + 'HTTP server' + 'security' creates a distinct trigger profile unlikely to conflict with general Go skills or general security skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
77%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a highly actionable and well-structured security skill with excellent executable code examples and clear WRONG/RIGHT patterns. The workflow is clear with proper middleware ordering and a comprehensive checklist. However, the document is verbose and could be more concise by trimming explanatory prose and potentially splitting detailed implementations into referenced files.
Suggestions
- Trim explanatory prose that Claude already knows (e.g., remove analogies like 'the same way you would not ship a car without seatbelts', remove 'What each header does' explanations)
- Consider splitting detailed implementations (rate limiter struct, CSRF middleware) into separate reference files, keeping SKILL.md as a concise overview with links
- Reduce redundancy in the WRONG examples: a single brief anti-pattern per section would suffice rather than multiple verbose examples
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is comprehensive but verbose in places, with some explanatory text that Claude would already know (e.g., 'the same way you would not ship a car without seatbelts'). The WRONG/RIGHT pattern is useful but adds length; some sections could be tightened. | 2 / 3 |
| Actionability | Excellent actionability with fully executable, copy-paste ready code examples for all 10 security requirements. Each section includes concrete Go code with proper imports, specific package names, and real implementation patterns. | 3 / 3 |
| Workflow Clarity | Clear sequencing with the middleware wiring order section explicitly showing how to compose all pieces. The checklist at the end provides validation checkpoints, and the WRONG/RIGHT pattern makes the correct approach unambiguous. | 3 / 3 |
| Progressive Disclosure | The skill is a long monolithic document (~500 lines) that could benefit from splitting detailed implementations into separate files. References to verifiers are present but the main content is all inline rather than appropriately distributed. | 2 / 3 |
| Total | | 10 / 12 Passed |
Validation
81%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (653 lines); consider splitting into references/ and linking | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |
Reviewed