enabling-cmek-encryption
Enables Customer-Managed Encryption Keys (CMEK) on CockroachDB Cloud clusters with the Advanced plan and Advanced Security Add-on to give organizations control over data-at-rest encryption keys via their cloud provider's KMS. Use when enabling CMEK for compliance, rotating encryption keys, or verifying CMEK configuration.
85
81%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Quality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines its scope, uses natural trigger terms including both acronyms and full phrases, and includes an explicit 'Use when' clause with concrete scenarios. The description is concise yet comprehensive, specifying prerequisites and covering the key actions a user would need.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: enabling CMEK on CockroachDB Cloud clusters, rotating encryption keys, and verifying CMEK configuration. Also specifies prerequisites (Advanced plan, Advanced Security Add-on) and the mechanism (cloud provider's KMS). | 3 / 3 |
Completeness | Clearly answers both 'what' (enables CMEK on CockroachDB Cloud clusters with specific plan requirements, giving control over encryption keys via KMS) and 'when' (explicit 'Use when' clause covering enabling CMEK for compliance, rotating keys, or verifying configuration). | 3 / 3 |
Trigger Term Quality | Includes strong natural keywords users would say: 'CMEK', 'Customer-Managed Encryption Keys', 'CockroachDB Cloud', 'KMS', 'data-at-rest encryption', 'rotating encryption keys', 'compliance'. These cover both acronyms and full terms users might use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive with a very specific niche: CMEK on CockroachDB Cloud clusters specifically. The combination of CockroachDB, CMEK, KMS, and the specific plan requirements makes it extremely unlikely to conflict with other skills. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
62%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured operational skill with clear sequencing and good safety/rollback guidance for a destructive operation. Its main weakness is that the most critical step (Step 3 — actually configuring CMEK) defers to external documentation instead of providing the concrete key-spec JSON, undermining actionability at the crucial moment. The content is moderately concise but could be tightened by removing the introductory restatements and potentially splitting cloud-provider-specific instructions into separate files.
Suggestions
Provide the actual key-spec JSON structure for each cloud provider in Step 3 instead of deferring to external documentation — this is the core action and must be copy-paste ready.
Remove or significantly trim the 'When to Use This Skill' section — these are obvious use cases that don't add value for Claude.
Consider splitting the AWS/GCP/Azure subsections into separate reference files (e.g., cmek-aws.md, cmek-gcp.md, cmek-azure.md) and referencing them from the main skill to improve progressive disclosure and reduce inline length.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is mostly efficient but includes some unnecessary content. The 'When to Use This Skill' section lists obvious use cases, the introductory paragraph restates the description, and some explanations (like what CMEK gives organizations) are padding. The prerequisites section is appropriately detailed given the complexity, but overall could be tightened by ~20%. | 2 / 3 |
Actionability | Provides concrete CLI commands for KMS key creation and verification, but Step 3 (the core action of enabling CMEK) is vague — it says 'Refer to the CockroachDB Cloud documentation for the exact JSON structure' instead of providing the actual key-spec JSON format for each provider. This is the most critical step and it's incomplete. The SQL verification commands are concrete and useful. | 2 / 3 |
Workflow Clarity | Steps are clearly sequenced from eligibility verification through key creation, configuration, verification, and testing. Includes explicit validation checkpoints (Step 4 verifies CMEK status, Step 5 tests key accessibility with a concrete read/write test). Safety considerations and rollback sections provide error recovery guidance. The feedback loop for plan eligibility issues is clear. | 3 / 3 |
Progressive Disclosure | References a bundle file 'references/ccloud-commands.md' that doesn't exist in the bundle, and the References section links to external docs appropriately. However, the skill is quite long (~150+ lines) with all three cloud provider instructions inline. The AWS/GCP/Azure subsections could be split into separate reference files to keep the main skill leaner, with only the relevant provider path followed. | 2 / 3 |
Total | 9 / 12 Passed |
Validation
100%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
- Repository
- cockroachlabs/cockroachdb-skills
- Commit
84bc1e4
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.