tessl-labs/springboot-security-basics

Security defaults that belong in every Spring Boot application from day one.

Overall score: 88

Quality: 83% (Does it follow best practices?)

Impact: 97%, 1.79x (average score across 5 eval scenarios)

Security (by Snyk): Passed, no known issues


Quality

Discovery

85%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description that clearly articulates specific security capabilities and provides explicit guidance on when to apply them. The proactive trigger ('do not wait for a security review') is particularly effective for ensuring the skill activates appropriately. The main weakness is reliance on technical jargon over natural user language.

Suggestions

Add natural language trigger terms users might say, such as 'secure my Spring app', 'add authentication', 'protect my API endpoints', or 'security best practices'

Dimension scores (dimension, reasoning, score):

Specificity (3 / 3): Lists multiple specific concrete actions: SecurityFilterChain, CORS, CSRF handling, BCrypt passwords, rate limiting, security headers, method-level security, and input validation. These are all concrete, actionable security implementations.

Completeness (3 / 3): Clearly answers both what (security defaults including specific implementations) AND when ('whenever you create or modify any Spring Boot app -- do not wait for a security review or explicit request'). The trigger guidance is explicit and actionable.

Trigger Term Quality (2 / 3): Includes technical terms like 'Spring Boot', 'SecurityFilterChain', 'CORS', 'CSRF', 'BCrypt' which are relevant but somewhat jargon-heavy. Missing more natural user phrases like 'secure my app', 'add authentication', 'protect endpoints'.

Distinctiveness / Conflict Risk (3 / 3): Clearly scoped to Spring Boot security specifically with distinct technical triggers. The combination of 'Spring Boot' + security-specific terms creates a clear niche unlikely to conflict with general security or other framework skills.

Total: 11 / 12

Passed

Implementation

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a highly actionable Spring Boot security skill with excellent concrete examples and clear WRONG/RIGHT patterns that make correct implementation unambiguous. The main weaknesses are verbosity (some explanations could be trimmed, checklist duplicates content) and the monolithic structure that could benefit from progressive disclosure to separate reference material. The workflow clarity is strong for a configuration-focused skill.

Suggestions

Trim redundant explanations - the WRONG examples often include commentary that Claude doesn't need (e.g., 'catastrophic if database is breached' is obvious)

Move the complete RateLimitFilter implementation and GlobalExceptionHandler to separate reference files, keeping only minimal examples in SKILL.md

Remove or significantly condense the final checklist since it duplicates the '7 Things' list and section content

Dimension scores (dimension, reasoning, score):

Conciseness (2 / 3): The skill is comprehensive but includes some redundancy (e.g., repeating 'WRONG/RIGHT' patterns extensively, explaining why deprecated patterns are deprecated). The checklist at the end duplicates information already covered in detail. Could be tightened by ~30% without losing clarity.

Actionability (3 / 3): Excellent actionability with fully executable, copy-paste ready code examples throughout. Every section provides concrete Java code with proper imports implied, specific annotations, and complete configuration snippets. The WRONG/RIGHT pattern makes correct implementation unambiguous.

Workflow Clarity (3 / 3): Clear structure with numbered sections covering each security requirement. The checklist at the end provides explicit validation steps. The 'When to apply this skill' section establishes clear triggers. For a configuration-focused skill (not a multi-step process), the organization is excellent.

Progressive Disclosure (2 / 3): The skill is monolithic at ~400 lines with all content inline. References to verifiers at the end are good, but the main content could benefit from splitting detailed examples (like the complete RateLimitFilter implementation) into separate reference files, keeping SKILL.md as a concise overview.

Total: 10 / 12

Passed

Validation

81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 Passed

Validation for skill structure

Checks (criterion, description, result):

skill_md_line_count: SKILL.md is long (564 lines); consider splitting into references/ and linking. Result: Warning

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 9 / 11

Passed
