
simon/skills

Auto-generated tile from GitHub (10 skills)

Quality: 94% (Does it follow best practices?)

Impact: 92% (1.16x; average score across 44 eval scenarios)

Security by Snyk: Advisory (Suggest reviewing before use)


evals/scenario-9/criteria.json

{
  "context": "Tests whether the agent implements OAuth 2.0 with authorization code + PKCE in a Fastify application using the correct packages, security configuration, JWT validation requirements, and token storage practices specified in the skill.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "@fastify/oauth2 used",
      "description": "The implementation imports or installs '@fastify/oauth2' (not a different OAuth library like 'simple-oauth2' or 'passport')",
      "max_score": 10
    },
    {
      "name": "PKCE S256 configured",
      "description": "The OAuth plugin registration includes pkce: 'S256' (not 'plain' or absent)",
      "max_score": 10
    },
    {
      "name": "fastify-plugin wrapper used",
      "description": "The OAuth plugin file wraps the async function with fp() from 'fastify-plugin'",
      "max_score": 8
    },
    {
      "name": "JWT validates exp claim",
      "description": "The JWT verification middleware explicitly checks the 'exp' (expiration) claim and rejects expired tokens",
      "max_score": 8
    },
    {
      "name": "JWT validates iss claim",
      "description": "The JWT verification middleware explicitly checks the 'iss' (issuer) claim",
      "max_score": 8
    },
    {
      "name": "JWT validates aud claim",
      "description": "The JWT verification middleware explicitly checks the 'aud' (audience) claim",
      "max_score": 8
    },
    {
      "name": "Asymmetric signing used",
      "description": "JWT is configured to use RS256 or ES256 (NOT HS256) for token verification",
      "max_score": 8
    },
    {
      "name": "Tokens not in localStorage",
      "description": "The implementation does NOT store tokens in localStorage — tokens are stored in server-side session or HttpOnly cookies",
      "max_score": 10
    },
    {
      "name": "No implicit flow",
      "description": "The code does NOT use response_type=token or the OAuth implicit flow — uses authorization code flow only",
      "max_score": 10
    },
    {
      "name": "Refresh token rotation",
      "description": "The refresh token handler replaces the stored refresh token with the newly issued one (using newToken.token.refresh_token ?? oldRefreshToken pattern)",
      "max_score": 10
    },
    {
      "name": "State validation present",
      "description": "The implementation includes state generation and validation functions to prevent CSRF",
      "max_score": 10
    }
  ]
}
