Implements OAuth 2.0/2.1 authorization flows in Fastify applications — configures authorization code with PKCE, client credentials, device flow, refresh token rotation, JWT validation, and token introspection/revocation endpoints. Use when setting up authentication, authorization, login flows, access tokens, API security, or securing Fastify routes with OAuth; also applies when troubleshooting token validation errors, mismatched redirect URIs, CSRF issues, scope problems, or RFC 6749/6750/7636/8252/8628 compliance questions.
Overall score: 94
Quality: 95% (Does it follow best practices?)
Impact: 93% (1.40x average score across 5 eval scenarios)
Status: Passed, no known issues
Quality

Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines its scope (OAuth in Fastify), lists specific concrete capabilities, and provides comprehensive trigger terms covering both setup and troubleshooting scenarios. The explicit 'Use when...' clause with diverse trigger terms ensures Claude can accurately select this skill. The description is detailed without being padded, and uses proper third-person voice throughout.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: configures authorization code with PKCE, client credentials, device flow, refresh token rotation, JWT validation, token introspection/revocation endpoints. Very detailed and actionable. | 3 / 3 |
| Completeness | Clearly answers both 'what' (implements OAuth flows in Fastify with specific capabilities listed) and 'when' (explicit 'Use when...' clause covering setup scenarios and troubleshooting scenarios). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'authentication', 'authorization', 'login flows', 'access tokens', 'API security', 'OAuth', 'PKCE', 'redirect URIs', 'CSRF issues', 'scope problems', plus specific RFC numbers. Covers both beginner and expert terminology. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive — scoped specifically to OAuth 2.0/2.1 in Fastify applications, with specific protocol details and RFC references. Unlikely to conflict with general auth skills or non-Fastify web framework skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 77%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, actionable skill with well-sequenced steps, executable TypeScript code, and explicit validation checkpoints tied to RFC references. The security checklist and anti-patterns sections add high-value, dense information. Minor weaknesses include the redundant 'When to use' section and the lack of verifiable bundle files for the referenced advanced topics.
Suggestions:
- Remove or significantly trim the 'When to use' section since it largely duplicates the skill description in the frontmatter.
- Provide the referenced bundle files (DEVICE_FLOW.md, TOKEN_VALIDATION.md, CLIENT_CREDENTIALS.md, MOBILE_OAUTH.md) or remove the references if they don't exist.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is mostly efficient with executable code and useful tables, but includes some unnecessary elements like the 'When to use' section (which restates the skill description) and a few inline comments that explain things Claude already knows (e.g., 'never log the raw token'). The security checklist and anti-patterns sections are concise and valuable. | 2 / 3 |
| Actionability | Provides fully executable TypeScript code for each step — plugin registration, callback handling, JWT validation, route protection, and refresh token rotation. Code is copy-paste ready with real imports, types, and environment variable references. Specific npm install commands are included. | 3 / 3 |
| Workflow Clarity | The 6-step workflow is clearly sequenced from dependency installation through route protection and token rotation. Explicit validation checkpoints are called out (redirect URI matching, JWT claim verification). The security checklist serves as a final verification step with RFC references. | 3 / 3 |
| Progressive Disclosure | The 'Further implementation references' section cleanly points to four separate files for advanced topics (device flow, token validation, client credentials, mobile OAuth), which is good structure. However, no bundle files are provided, so these references are unverifiable. The main content is somewhat long (~150 lines of code+instructions) but the inline content is mostly justified for the primary auth code + PKCE flow. | 2 / 3 |
| Total | | 10 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation for skill structure (10 / 11 passed)
| Criteria | Description | Result |
|---|---|---|
| metadata_version | 'metadata.version' is missing | Warning |
| Total | | 10 / 11 Passed |