CtrlK
BlogDocsLog inGet started
Tessl Logo

auth0-express

Use when adding session-based login, logout, or protected routes to an Express.js web application. Integrates express-openid-connect — use even if the user says "add login to my Express app" or "protect my Express routes".

70

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

72%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A well-structured, highly actionable skill body that keeps the overview lean and delegates depth to clearly signaled reference files. Its main weaknesses are minor redundancy (a pitfall repeated four times and a duplicated route handler) and a vague final verification step lacking an explicit feedback loop.

Suggestions

Consolidate the audience/authorizationParams guidance to one authoritative spot and cross-reference it, instead of restating it in Step 3a, the Step 3 blockquote, the Common Mistakes table, and the Quick Reference.

Remove one of the two app.get('/') handlers in Step 4 — they conflict (both register the root route) and confuse the example; keep a single public/index route.

Strengthen Step 5 into an explicit validation checkpoint: list the specific endpoints to hit (/login, /callback, /profile, /logout), expected outcomes, and a troubleshooting pointer to the Common Mistakes table for retry.

DimensionReasoningScore

Conciseness

Largely lean and free of concept over-explanation, but could be tightened: the audience/authorizationParams warning is repeated four times (Step 3a, the Step 3 blockquote, the Common Mistakes table, and Quick Reference), and Step 4 defines two conflicting app.get('/') handlers.

2 / 3

Actionability

Provides fully executable, copy-paste-ready guidance — 'npm install express-openid-connect dotenv', a complete .env block, a full auth({...}) middleware config, and concrete requiresAuth() route examples — rather than vague or pseudocode direction.

3 / 3

Workflow Clarity

The Quick Start is clearly sequenced into steps 1–5, but Step 5 ('Visit http://localhost:3000 and test the login flow') is an implicit, vague checkpoint with no validate→fix→retry feedback loop, leaving validation gaps.

2 / 3

Progressive Disclosure

SKILL.md acts as a concise overview pointing to three well-signaled, one-level-deep references (references/setup.md, integration.md, api.md — all real files that cross-link but do not nest 2+ levels deep), with details appropriately split out.

3 / 3

Total

10

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong, third-person description that concretely states capabilities, gives natural user-facing trigger phrasings, and is tightly scoped to Express.js with express-openid-connect. It cleanly answers both what and when.

DimensionReasoningScore

Specificity

Names multiple concrete actions — 'adding session-based login, logout, or protected routes to an Express.js web application' — matching the 'lists multiple specific concrete actions' anchor rather than the domain-only level 2.

3 / 3

Completeness

Explicitly answers both what ('Integrates express-openid-connect' for login/logout/protected routes) and when ('Use when adding session-based login...'), with explicit trigger guidance.

3 / 3

Trigger Term Quality

Includes natural phrasings a user would actually say — 'add login to my Express app' and 'protect my Express routes' — giving good coverage of common variations, not just technical jargon.

3 / 3

Distinctiveness Conflict Risk

Narrowly scoped to 'Express.js web application' and a specific SDK ('Integrates express-openid-connect'), giving it a clear niche unlikely to trigger for non-Express or client-side auth skills.

3 / 3

Total

12

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

metadata_field

'metadata' should map string keys to string values

Warning

Total

15

/

16

Passed

Repository
auth0/agent-skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.