Enforces pgsodium Vault for secret storage accessed only via SECURITY DEFINER functions on service_role.
100
100%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly articulates specific capabilities (pgsodium Vault configuration, SECURITY DEFINER function creation), includes natural trigger terms users would use when needing this skill, and provides explicit 'Use when' guidance. It occupies a well-defined niche at the intersection of Supabase, pgsodium, and secret management, making it highly distinguishable from other skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: configures pgsodium Vault extension, creates SECURITY DEFINER functions assigned to service_role, eliminates hardcoded secrets. These are precise, actionable capabilities. | 3 / 3 |
| Completeness | Clearly answers both 'what' (configures pgsodium Vault, creates SECURITY DEFINER functions, eliminates hardcoded secrets) and 'when' with an explicit 'Use when...' clause listing four trigger scenarios. | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'API keys', 'secrets', 'Supabase', 'pgsodium Vault', 'hardcoded credentials', 'Vault references'. Good coverage of both technical terms and common user language like 'storing API keys' and 'managing secrets'. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive with a clear niche: pgsodium Vault in Supabase context, SECURITY DEFINER functions with service_role. The combination of Supabase + pgsodium + Vault is very specific and unlikely to conflict with generic secret management or database skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
100%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is an excellent skill that is lean, fully actionable, and well-structured for a security-sensitive database operation. The phased workflow with explicit HALT conditions and security boundary validation demonstrates best practices. The only minor note is that the dollar-quoting in the SQL block appears to use a single `$` instead of `$$`, but this is a trivial formatting detail.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Every line serves a purpose—no explanations of what pgsodium is, what Vault does conceptually, or how SQL works. The content assumes Claude knows these things and jumps straight to actionable steps. | 3 / 3 |
| Actionability | Provides fully executable SQL commands for validation queries, secret insertion, function creation with exact GRANT/REVOKE statements, and verification queries. The SQL block is copy-paste ready and complete. | 3 / 3 |
| Workflow Clarity | Five clearly sequenced phases with explicit HALT conditions at validation failures, a security boundary check (Phase 4) that acts as a feedback loop, and a final verification checklist. The anon-access test with 'HALT if succeeds' is an excellent validation checkpoint for a security-sensitive operation. | 3 / 3 |
| Progressive Disclosure | This is a focused, single-purpose skill under 80 lines with no need for external references. The content is well-organized into logical phases with clear headers, making navigation straightforward. | 3 / 3 |
| Total | | 12 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
Reviewed