Performs an internal audit of Fastly Next-Gen WAF (NGWAF) workspaces to audit that critical templated protection rules are configured and enabled. Use when auditing NGWAF workspace security posture, checking for missing or disabled login protection rules (LOGINDISCOVERY, LOGINATTEMPT, LOGINSUCCESS, LOGINFAILURE), auditing credit card validation rules (CC-VAL-ATTEMPT, CC-VAL-FAILURE, CC-VAL-SUCCESS), auditing gift card protection rules (GC-VAL-ATTEMPT, GC-VAL-FAILURE, GC-VAL-SUCCESS), or identifying potential login endpoints not covered by NGWAF rules.
73
60%
Does it follow best practices?
Impact
96%
2.82x
Average score across 3 eval scenarios
Passed
No known issues
Optimize this skill with Tessl
`npx tessl skill review --optimize ./skills/fastly-ngwaf/SKILL.md`
Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines a narrow, specific domain (Fastly NGWAF workspace auditing) with concrete actions and explicit trigger guidance. It uses third-person voice correctly, lists specific rule names that serve as strong trigger terms, and has a comprehensive 'Use when' clause covering all relevant scenarios. The description is thorough without being padded with fluff.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: auditing templated protection rules, checking login protection rules (with specific rule names), auditing credit card validation rules, auditing gift card protection rules, and identifying uncovered login endpoints. | 3 / 3 |
| Completeness | Clearly answers both 'what' (performs internal audit of Fastly NGWAF workspaces to check critical templated protection rules) and 'when' (explicit 'Use when' clause covering auditing NGWAF security posture, checking missing/disabled login rules, auditing credit card and gift card rules, and identifying uncovered endpoints). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms including 'Fastly', 'NGWAF', 'WAF', 'audit', 'workspace', 'login protection', specific rule codes like 'LOGINDISCOVERY', 'CC-VAL-ATTEMPT', 'GC-VAL-ATTEMPT', 'credit card validation', 'gift card protection', and 'security posture'. These are terms a user working with Fastly WAF would naturally use. | 3 / 3 |
| Distinctiveness Conflict Risk | Extremely specific niche targeting Fastly Next-Gen WAF workspaces with named rule codes (LOGINDISCOVERY, CC-VAL-ATTEMPT, etc.). This is highly unlikely to conflict with any other skill given the very specific product and rule-level detail. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
20%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is largely descriptive rather than actionable — it explains what an NGWAF audit involves but doesn't provide the concrete tools, commands, or code to actually perform one. The referenced assessment script is missing from the bundle, making the primary actionable instruction a dead reference. The content is also verbose, repeating the description and explaining context that Claude doesn't need.
Suggestions
Provide the actual `assess_ngwaf_rules.sh` script content or include concrete curl/API commands showing how to list workspaces and check rule configurations (e.g., `curl -H 'Fastly-Key: $FASTLY_API_KEY' https://api.fastly.com/ngwaf/...`)
Remove the 'Trigger and scope' section entirely — it restates the description and explains obvious context that Claude already understands
Add expected output examples showing what a healthy vs. unhealthy audit result looks like, so Claude knows how to format and interpret results
Add validation/error handling steps: what to do if the API key is invalid, if a workspace returns no rules, or if the API rate-limits the requests
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The 'Trigger and scope' section is verbose and explains obvious context (who would use it, what NGWAF is for). The description repeats information already in the YAML frontmatter description. The workflow section describes steps at a high level without adding actionable value beyond what Claude could infer. | 1 / 3 |
| Actionability | The skill references a script `./scripts/assess_ngwaf_rules.sh` but provides no content for it, no API call examples, no curl commands, no expected output format, and no concrete guidance on how to actually perform the audit. It describes rather than instructs. | 1 / 3 |
| Workflow Clarity | The workflow lists four sequential steps (retrieve, inspect, validate, recommend) which provides a clear sequence, but there are no validation checkpoints, no error handling guidance, no feedback loops for when API calls fail or credentials are invalid, and no concrete commands for each step. | 2 / 3 |
| Progressive Disclosure | The skill references a script file and API documentation links, which is good structure. However, no bundle files are provided, meaning the referenced script doesn't exist, and the inline content that could be separated (like the rule name lists) is mixed with overview content without clear navigation. | 2 / 3 |
| Total | | 6 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
e0f4205