Centralized API key management from Access.txt
40
38%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Risky
Do not use without reviewing
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/credentials/SKILL.md
Quality
Discovery
22%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description is too terse and vague, failing to list concrete actions or provide any 'Use when...' guidance. While 'API key' and 'Access.txt' offer some specificity, the lack of actionable detail and trigger clauses makes it difficult for Claude to reliably select this skill from a larger pool.
Suggestions
Add specific concrete actions such as 'Reads, stores, rotates, and validates API keys from Access.txt'.
Include a 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks about API keys, credentials, secrets, tokens, or references Access.txt'.
Add common keyword variations like 'credentials', 'secrets', 'tokens', 'authentication' to improve trigger term coverage.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description is vague — 'centralized API key management' names a domain but does not list any concrete actions (e.g., read keys, rotate keys, validate keys). It is closer to abstract language than actionable specifics. | 1 / 3 |
| Completeness | The description partially addresses 'what' (API key management) but provides no 'when' clause or explicit trigger guidance. Per the rubric, a missing 'Use when...' clause caps completeness at 2, and the 'what' is also weak, so this scores a 1. | 1 / 3 |
| Trigger Term Quality | It includes 'API key' and 'Access.txt' which are somewhat relevant trigger terms a user might mention, but it misses common variations like 'credentials', 'secrets', 'tokens', or 'authentication keys'. | 2 / 3 |
| Distinctiveness Conflict Risk | 'Access.txt' adds some distinctiveness as a specific file reference, and 'API key management' narrows the domain, but it could still overlap with general secrets management or configuration skills. | 2 / 3 |
| Total | 6 / 12 Passed | |
Implementation
55%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill is highly actionable with executable code, concrete validation commands, and a well-structured workflow with proper checkpoints. However, it is severely bloated — providing dual-language implementations, redundant sections (Quick Reference repeats earlier content), and inlining everything that should be in separate reference files. The content would benefit enormously from being split into a concise overview with references to detailed files for parsing logic, validation commands, and service-specific guides.
Suggestions
Remove either the Python or TypeScript parsing implementation (keep one, or move both to a separate PARSING.md reference file) to cut ~50 lines of duplication.
Move the validation commands and service-specific setup guides into separate reference files (e.g., VALIDATION.md, SERVICES.md) and link to them from the main skill.
Remove the Quick Reference section and Prompt Template — they largely duplicate content already present in the skill and are things Claude can generate without instruction.
Cut the Security Rules to a single line like '**Security**: Never commit keys or log unmasked values; always use .env + .gitignore' — Claude already understands these principles.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~300+ lines. It provides both Python and TypeScript parsing implementations (redundant duplication), explains prompt templates Claude could generate on its own, includes service-specific setup guides with obvious information, and has a 'Quick Reference' section that largely repeats earlier content. The security rules section states things Claude already knows. | 1 / 3 |
| Actionability | The skill provides fully executable code for parsing credentials in both Python and TypeScript, concrete curl commands for validation, specific regex patterns for key identification, and step-by-step commands for .env file creation. Everything is copy-paste ready. | 3 / 3 |
| Workflow Clarity | The Project Setup Workflow section provides a clear 5-step sequence with explicit validation at Step 3, error reporting at Step 5, and a feedback loop for missing keys. The workflow includes verification (validate keys before use) and handles the failure case (missing credentials). | 3 / 3 |
| Progressive Disclosure | This is a monolithic wall of text with no references to external files. The parsing code (both Python and TypeScript implementations), validation commands for each service, and service-specific setup guides could all be split into separate reference files. Everything is inlined in one massive document with no bundle files to support it. | 1 / 3 |
| Total | 8 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
7e5f7a2