Security defaults that belong in every Spring Boot application from day one.
Summary scores: 88; 83% (Does it follow best practices?); Impact 97%, 1.79x average score across 5 eval scenarios; Passed, no known issues.
Quality
Discovery
Score: 85%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly articulates specific security capabilities and provides explicit guidance on when to apply them. The proactive trigger ('do not wait for a security review') is particularly effective for ensuring the skill activates appropriately. The main weakness is reliance on technical jargon over natural user language.
Suggestions
Add natural language trigger terms users might say, such as 'secure my Spring app', 'add authentication', 'protect my API endpoints', or 'security best practices'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: SecurityFilterChain, CORS, CSRF handling, BCrypt passwords, rate limiting, security headers, method-level security, and input validation. These are all concrete, actionable security implementations. | 3 / 3 |
| Completeness | Clearly answers both what (security defaults including specific implementations) AND when ('whenever you create or modify any Spring Boot app -- do not wait for a security review or explicit request'). The trigger guidance is explicit and actionable. | 3 / 3 |
| Trigger Term Quality | Includes technical terms like 'Spring Boot', 'SecurityFilterChain', 'CORS', 'CSRF', 'BCrypt' which are relevant but somewhat jargon-heavy. Missing more natural user phrases like 'secure my app', 'add authentication', 'protect endpoints'. | 2 / 3 |
| Distinctiveness Conflict Risk | Clearly scoped to Spring Boot security specifically with distinct technical triggers. The combination of 'Spring Boot' + security-specific terms creates a clear niche unlikely to conflict with general security or other framework skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
Score: 77%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a highly actionable Spring Boot security skill with excellent concrete examples and clear WRONG/RIGHT patterns that make correct implementation unambiguous. The main weaknesses are verbosity (some explanations could be trimmed, checklist duplicates content) and the monolithic structure that could benefit from progressive disclosure to separate reference material. The workflow clarity is strong for a configuration-focused skill.
Suggestions
Trim redundant explanations - the WRONG examples often include commentary that Claude doesn't need (e.g., 'catastrophic if database is breached' is obvious)
Move the complete RateLimitFilter implementation and GlobalExceptionHandler to separate reference files, keeping only minimal examples in SKILL.md
Remove or significantly condense the final checklist since it duplicates the '7 Things' list and section content
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is comprehensive but includes some redundancy (e.g., repeating 'WRONG/RIGHT' patterns extensively, explaining why deprecated patterns are deprecated). The checklist at the end duplicates information already covered in detail. Could be tightened by ~30% without losing clarity. | 2 / 3 |
| Actionability | Excellent actionability with fully executable, copy-paste ready code examples throughout. Every section provides concrete Java code with proper imports implied, specific annotations, and complete configuration snippets. The WRONG/RIGHT pattern makes correct implementation unambiguous. | 3 / 3 |
| Workflow Clarity | Clear structure with numbered sections covering each security requirement. The checklist at the end provides explicit validation steps. The 'When to apply this skill' section establishes clear triggers. For a configuration-focused skill (not a multi-step process), the organization is excellent. | 3 / 3 |
| Progressive Disclosure | The skill is monolithic at ~400 lines with all content inline. References to verifiers at the end are good, but the main content could benefit from splitting detailed examples (like the complete RateLimitFilter implementation) into separate reference files, keeping SKILL.md as a concise overview. | 2 / 3 |
| Total | | 10 / 12 Passed |
Validation
Score: 81%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (564 lines); consider splitting into references/ and linking | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |