Manages TLS certificate and encryption key lifecycle across all tiers. Self-Hosted covers certificate expiry monitoring, node/CA/client cert rotation, and Kubernetes cert management. Advanced/BYOC covers managed TLS (no action) and CMEK (Customer-Managed Encryption Key) rotation in your KMS. Standard and Basic have fully managed TLS and encryption with no customer action. CMEK is only available on Advanced. Use when monitoring cert health, performing rotation, managing CMEK, or responding to key compromise.
88
85%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Advisory
Suggest reviewing before use
Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly articulates specific capabilities across multiple service tiers, includes rich natural trigger terms, and provides explicit 'Use when' guidance. The tier-based breakdown adds valuable context for skill selection, and the domain-specific terminology ensures distinctiveness. The description uses proper third-person voice throughout.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: certificate expiry monitoring, node/CA/client cert rotation, Kubernetes cert management, CMEK rotation in KMS, and differentiates actions across tiers (Self-Hosted, Advanced/BYOC, Standard, Basic). | 3 / 3 |
| Completeness | Clearly answers both 'what' (manages TLS certificate and encryption key lifecycle across tiers with specific actions per tier) and 'when' with an explicit 'Use when...' clause covering monitoring cert health, performing rotation, managing CMEK, or responding to key compromise. | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'TLS certificate', 'encryption key', 'cert rotation', 'CMEK', 'Customer-Managed Encryption Key', 'KMS', 'cert health', 'key compromise', 'Kubernetes cert'. Good coverage of both acronyms and full terms. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive with a clear niche around TLS certificates and encryption key lifecycle management. The tier-specific breakdown and domain-specific terms like CMEK, KMS, CA cert rotation make it very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
70%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured skill that handles a complex multi-tier topic with clear routing logic and good progressive disclosure. Its main weakness is that several key procedures (CA rotation, CMEK rotation per provider, Kubernetes details) defer to reference files without providing enough inline executable commands, reducing immediate actionability. The context-gathering section, while thorough, adds some verbosity that could be tightened.
Suggestions
Include at least the key executable commands for CA rotation inline (e.g., the cockroach cert create-ca command and verification step) rather than deferring entirely to references
Add provider-specific CMEK rotation commands inline (at least one example, e.g., AWS KMS) so the skill is actionable without needing the reference file
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is mostly efficient but includes some unnecessary explanation (e.g., 'What Is CMEK' section explains concepts Claude likely knows, and the context-gathering tables add verbosity). The routing tables and tier explanations could be tightened, though most content earns its place. | 2 / 3 |
| Actionability | Provides some concrete code (SQL monitoring query, cockroach cert command, curl for CMEK status) but many procedures defer to reference files for 'detailed steps.' The CA rotation is outlined as high-level steps without executable commands, and CMEK rotation says 'rotate in your KMS' without specific commands inline. | 2 / 3 |
| Workflow Clarity | The skill has a clear decision-tree workflow starting with context gathering, explicit routing table to the correct section, sequenced CA rotation steps with the combined-CA trust transition approach, alert thresholds for monitoring, and safety considerations that serve as validation checkpoints. The troubleshooting table provides error recovery guidance. | 3 / 3 |
| Progressive Disclosure | Excellent structure with a clear overview, context-driven routing to specific sections, and well-signaled one-level-deep references to rotation-procedures.md, kubernetes-certs.md, cmek-procedures.md, and safety-guide.md. Related skills and official docs are cleanly separated. Content is appropriately split between inline essentials and referenced details. | 3 / 3 |
| Total | | 10 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
84bc1e4