Enforces strict isolation of service_role key to server-side contexts only.
97%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that clearly defines its scope around Supabase service_role key security. It lists specific concrete actions, includes natural trigger terms that developers would use, and has an explicit 'Use when' clause. The narrow, well-defined niche makes it highly distinguishable from other skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: enforcing service_role key isolation from client-side code, validating admin client isolation, privileged operations routing, and server-only key usage. | 3 / 3 |
| Completeness | Clearly answers both what (enforces service_role key not exposed to client-side, validates admin client isolation, privileged operations routing, server-only key usage) and when (explicit 'Use when' clause covering admin operations, server-side Supabase clients, or auditing service_role key usage). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'service_role key', 'client-side code', 'admin operations', 'server-side Supabase clients', 'privileged operations'. These are terms a developer working with Supabase security would naturally use. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive with a clear niche focused specifically on Supabase service_role key security and admin client isolation. The specific technology (Supabase) and security concern (service_role key exposure) make it very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
92%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a high-quality security-focused skill with excellent actionability—concrete commands, executable code, and a clear framework reference table. The phased workflow with explicit HALT conditions is well-suited for a security audit task. Minor improvement could come from splitting framework-specific details into a reference file, but the current structure is effective and not overly long.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is lean and efficient. Every section serves a clear purpose—no unnecessary explanations of what Supabase is, what service_role keys do conceptually, or other things Claude already knows. The framework-specific table is dense and informative without being verbose. | 3 / 3 |
| Actionability | Provides executable grep/ripgrep commands for auditing, a complete TypeScript code example for the admin client with server-only import guard, a framework-specific reference table with concrete prefixes, and specific file paths. All guidance is copy-paste ready and concrete. | 3 / 3 |
| Workflow Clarity | Four clearly sequenced phases with explicit HALT conditions (Phase 1 step 2, Phase 3 step 3) that act as validation checkpoints. The verification report checklist at the end provides a final validation gate. The workflow handles a security-sensitive operation with appropriate rigor. | 3 / 3 |
| Progressive Disclosure | The content is well-structured with clear phases and a verification checklist, but everything is inline in a single file. The framework-specific notes and alternative patterns (Nuxt, SvelteKit) could be split into separate reference files to keep the main skill leaner, though the current length is manageable. | 2 / 3 |
| Total | | 11 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
Reviewed