api-key-manager
Api Key Manager - Auto-activating skill for Security Fundamentals. Triggers on: api key manager, api key manager Part of the Security Fundamentals skill category.
32
0%
Does it follow best practices?
Impact
92%
1.08xAverage score across 3 eval scenarios
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./planned-skills/generated/03-security-fundamentals/api-key-manager/SKILL.mdQuality
Discovery
0%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is essentially a placeholder with no substantive content. It fails to describe any concrete actions, lacks natural trigger terms users would use, and provides no guidance on when Claude should select this skill. It would be nearly useless for skill selection among multiple available skills.
Suggestions
Add specific concrete actions the skill performs, e.g., 'Generates, rotates, stores, and validates API keys and secrets. Manages .env files and credential configuration.'
Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user mentions API keys, secret keys, tokens, credentials, .env files, key rotation, or secure key storage.'
Remove the duplicate trigger term ('api key manager' is listed twice) and expand with varied natural phrases users would actually say, such as 'manage secrets', 'store API token', 'rotate credentials'.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | The description provides no concrete actions whatsoever. It only names the skill ('Api Key Manager') and mentions it's part of 'Security Fundamentals' but never describes what it actually does—no verbs like 'generates', 'rotates', 'stores', or 'validates' API keys. | 1 / 3 |
Completeness | Neither the 'what' nor the 'when' is meaningfully answered. There is no explanation of what the skill does, and the 'Triggers on' line just repeats the skill name rather than providing explicit usage guidance. | 1 / 3 |
Trigger Term Quality | The only trigger terms listed are 'api key manager' repeated twice. There are no natural user phrases like 'API key', 'secret key', 'rotate keys', 'manage credentials', '.env file', or 'API token' that users would actually say. | 1 / 3 |
Distinctiveness Conflict Risk | The description is so vague that it could overlap with any security-related skill. Without specifying concrete capabilities (e.g., key rotation, storage, generation), it's indistinguishable from other security or credential management skills. | 1 / 3 |
Total | 4 / 12 Passed |
Implementation
0%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is an empty template with no substantive content. It repeatedly references 'api key manager' without ever explaining what API key management entails, providing any executable code, security patterns, or actionable guidance. It fails on every dimension as it contains only boilerplate placeholder text.
Suggestions
Add concrete, executable code examples for common API key management tasks (e.g., generating keys, storing them securely using environment variables or secret managers, rotating keys, revoking compromised keys).
Define a clear workflow with validation steps, such as: 1) Generate key with sufficient entropy, 2) Store in secret manager, 3) Validate key is not hardcoded in source, 4) Set up rotation schedule.
Remove all boilerplate filler text ('This skill provides automated assistance...') and replace with specific security best practices like never committing keys to version control, using .env files, and scanning for leaked secrets.
Add references to related detailed guides (e.g., a SECRETS_MANAGEMENT.md or ROTATION_GUIDE.md) for progressive disclosure of advanced topics like key rotation policies and audit logging.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The content is entirely filler and boilerplate. It explains nothing Claude doesn't already know, repeats 'api key manager' excessively, and provides zero substantive information about how to actually manage API keys securely. | 1 / 3 |
Actionability | There are no concrete instructions, code examples, commands, or specific guidance. Every section is vague and abstract — 'Provides step-by-step guidance' without actually providing any steps. | 1 / 3 |
Workflow Clarity | No workflow, steps, or process is defined at all. The skill claims to provide 'step-by-step guidance' but contains zero steps. For a security-related task involving API key management, there are no validation or verification checkpoints. | 1 / 3 |
Progressive Disclosure | The content is a flat, uninformative page with no references to detailed materials, no links to related files, and no structured navigation. It mentions 'Related Skills' but provides no actual links or paths. | 1 / 3 |
Total | 4 / 12 Passed |
Validation
81%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 9 / 11 Passed | |
- Commit
c8a915c
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.