oauth2-skill
Implement OAuth2 authentication flows (authorization code, PKCE for SPAs), provider integration (Google, GitHub), callback handling, token exchange, session management, and CSRF protection.
72
66%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./auth/oauth2-skill/SKILL.mdQuality
Discovery
67%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description excels at listing specific, concrete OAuth2 capabilities and is clearly distinguishable from other skills. However, it lacks explicit trigger guidance ('Use when...') and misses common user-facing terms like 'social login' or 'sign in with Google' that users would naturally say when needing this skill.
Suggestions
Add a 'Use when...' clause with explicit triggers, e.g., 'Use when implementing social login, third-party authentication, or when users mention OAuth, login with Google/GitHub, or SSO.'
Include natural user-facing terms like 'social login', 'sign in with Google', 'third-party login', 'SSO' alongside the technical OAuth2 terminology.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: OAuth2 flows (authorization code, PKCE), provider integration (Google, GitHub), callback handling, token exchange, session management, and CSRF protection. | 3 / 3 |
Completeness | Clearly answers 'what does this do' with comprehensive capability listing, but lacks an explicit 'Use when...' clause or trigger guidance for when Claude should select this skill. | 2 / 3 |
Trigger Term Quality | Includes relevant technical terms like 'OAuth2', 'PKCE', 'Google', 'GitHub', 'token exchange', but missing common user variations like 'login with Google', 'social login', 'sign in', 'SSO', or 'authentication'. | 2 / 3 |
Distinctiveness Conflict Risk | OAuth2-specific terminology and named providers (Google, GitHub) create a clear niche that is unlikely to conflict with general authentication or other security skills. | 3 / 3 |
Total | 10 / 12 Passed |
Implementation
64%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable OAuth2 skill with complete, executable code examples covering Google and GitHub providers with PKCE. The main weaknesses are the lack of explicit workflow documentation with validation checkpoints for debugging OAuth failures, and the monolithic structure that could benefit from better progressive disclosure through file references.
Suggestions
Add an explicit numbered workflow section showing the OAuth2 flow steps with validation checkpoints (e.g., 'Verify state matches before token exchange', 'Check token response status before fetching user info')
Include error handling guidance with specific troubleshooting steps for common OAuth failures (invalid state, token exchange errors, missing email)
Consider moving the Python variant to a separate referenced file to reduce main skill length and improve progressive disclosure
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is mostly efficient with good code examples, but includes some unnecessary elements like the Python variant that adds length without being essential, and some explanatory comments that Claude would understand implicitly. | 2 / 3 |
Actionability | Provides fully executable TypeScript and Python code with complete implementations for OAuth2 flows, PKCE generation, token exchange, and user linking. Code is copy-paste ready with proper imports and type definitions. | 3 / 3 |
Workflow Clarity | The OAuth flow is implicit in the code structure but lacks explicit step-by-step workflow documentation. No validation checkpoints are provided for debugging failed OAuth flows or verifying token exchange success before proceeding. | 2 / 3 |
Progressive Disclosure | Content is reasonably organized with clear sections, but the skill is monolithic with all code inline. Integration notes reference other skills but the main content could benefit from splitting provider configs and service code into referenced files. | 2 / 3 |
Total | 9 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- achreftlili/deep-dev-skills
- Commit
181fcbc
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.