Name: tessl-labs/go-security-basics
Rating: 89.4 (1 reviews)
Author: tessl-labs

tessl-labs/go-security-basics

Security defaults that belong in every Go HTTP server from day one — CORS, security headers, rate limiting, SQL injection prevention, input validation, secrets management, graceful shutdown, and request timeouts.

1.32x

Quality

83%

Does it follow best practices?

Impact

99%

1.32x

Average score across 5 eval scenarios

Securityby

Passed

No known issues

Quality

Content

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a highly actionable and well-structured security skill with excellent executable code examples and clear WRONG/RIGHT patterns. The workflow is clear with proper middleware ordering and a comprehensive checklist. However, the document is verbose and could be more concise by trimming explanatory prose and potentially splitting detailed implementations into referenced files.

Suggestions

Trim explanatory prose that Claude already knows (e.g., remove analogies like 'the same way you would not ship a car without seatbelts', remove 'What each header does' explanations)

Consider splitting detailed implementations (rate limiter struct, CSRF middleware) into separate reference files, keeping SKILL.md as a concise overview with links

Reduce redundancy in the WRONG examples - a single brief anti-pattern per section would suffice rather than multiple verbose examples

Dimension	Reasoning	Score
Conciseness	The skill is comprehensive but verbose in places, with some explanatory text that Claude would already know (e.g., 'the same way you would not ship a car without seatbelts'). The WRONG/RIGHT pattern is useful but adds length; some sections could be tightened.	2 / 3
Actionability	Excellent actionability with fully executable, copy-paste ready code examples for all 10 security requirements. Each section includes concrete Go code with proper imports, specific package names, and real implementation patterns.	3 / 3
Workflow Clarity	Clear sequencing with the middleware wiring order section explicitly showing how to compose all pieces. The checklist at the end provides validation checkpoints, and the WRONG/RIGHT pattern makes the correct approach unambiguous.	3 / 3
Progressive Disclosure	The skill is a long monolithic document (~500 lines) that could benefit from splitting detailed implementations into separate files. References to verifiers are present but the main content is all inline rather than appropriately distributed.	2 / 3
	Total	10 / 12 Passed

Description

85%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description that excels at specificity and completeness, clearly listing ten concrete security capabilities and explicitly stating when to apply them. The main weakness is trigger term quality - while technically accurate, the terms are more developer jargon than natural user language, which could reduce discoverability when users ask for help in more casual terms.

Suggestions

Add natural language trigger terms users might say, such as 'secure my Go API', 'harden my web server', 'add security to my Go app', or 'protect against attacks'

Dimension	Reasoning	Score
Specificity	Lists multiple specific concrete actions: CORS, security headers, rate limiting, input validation, SQL injection prevention, CSRF protection, TLS configuration, secrets management, graceful shutdown, and request timeouts.	3 / 3
Completeness	Clearly answers both what (security defaults including CORS, headers, rate limiting, etc.) AND when ('whenever you create or modify any Go web service -- do not wait for a security review or explicit request').	3 / 3
Trigger Term Quality	Includes relevant technical terms like 'Go HTTP server', 'CORS', 'rate limiting', 'SQL injection', but these are more technical jargon than natural user language. Missing common variations like 'web app', 'API security', 'secure my server'.	2 / 3
Distinctiveness Conflict Risk	Clear niche targeting Go HTTP servers specifically with security focus. The combination of 'Go' + 'HTTP server' + 'security' creates a distinct trigger profile unlikely to conflict with general Go skills or general security skills.	3 / 3
	Total	11 / 12 Passed

Validation

81%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 9 / 11 Passed

Validation for skill structure

Criteria	Description	Result
skill_md_line_count	SKILL.md is long (653 lines); consider splitting into references/ and linking	Warning
frontmatter_unknown_keys	Unknown frontmatter key(s) found; consider removing or moving to metadata	Warning

	Total	9 / 11 Passed

Reviewed

3 months ago

Table of Contents

Discovery Implementation Validation