Implement security best practices with Clerk authentication. Use when securing your application, reviewing auth implementation, or hardening Clerk configuration. Trigger with phrases like "clerk security", "secure clerk", "clerk best practices", "clerk hardening".
77
73% Does it follow best practices?
Impact: Pending (no eval scenarios have been run)
Passed: No known issues
Optimize this skill with Tessl:
`npx tessl skill review --optimize ./plugins/saas-packs/clerk-pack/skills/clerk-security-basics/SKILL.md`

Quality
Discovery: 82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description does a good job of specifying when to use the skill with explicit trigger phrases and a clear 'Use when' clause. However, the 'what' portion is vague—'implement security best practices' doesn't enumerate specific concrete actions, which weakens specificity. The description also uses second person ('your application') which is a minor style issue, though the rubric specifically penalizes first/second person for specificity.
Suggestions
List specific concrete security actions, e.g., 'Configure CSRF protection, set up rate limiting, enforce MFA, validate session tokens, restrict allowed origins in Clerk configuration.'
Replace second person 'your application' with third person phrasing, e.g., 'Implements security best practices for Clerk authentication including...'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (Clerk authentication security) and mentions some actions like 'securing your application', 'reviewing auth implementation', and 'hardening Clerk configuration', but these are fairly general and don't list concrete specific actions (e.g., 'configure CSRF protection', 'set up rate limiting', 'enable MFA'). | 2 / 3 |
| Completeness | Clearly answers both 'what' (implement security best practices with Clerk authentication) and 'when' (securing application, reviewing auth implementation, hardening Clerk configuration) with explicit trigger phrases provided. | 3 / 3 |
| Trigger Term Quality | Includes explicit trigger phrases like 'clerk security', 'secure clerk', 'clerk best practices', 'clerk hardening' which are natural terms users would say. Also includes broader terms like 'securing your application' and 'auth implementation' that provide good coverage. | 3 / 3 |
| Distinctiveness / Conflict Risk | The Clerk-specific terms provide good distinctiveness from general security skills, but phrases like 'securing your application' and 'reviewing auth implementation' could overlap with general security or other auth-related skills. The niche is somewhat clear but not fully distinct. | 2 / 3 |
| Total | | 10 / 12 (Passed) |
Implementation
Implementation: 64%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable skill with excellent executable code examples covering multiple security dimensions of Clerk authentication. Its main weaknesses are the lack of validation/verification checkpoints after each security hardening step and the monolithic structure that could benefit from splitting advanced examples into separate files. Some minor verbosity in prerequisites and output summary sections could be trimmed.
Suggestions
Add explicit validation checkpoints after each step, e.g., 'Verify: curl your protected route without auth and confirm 401 response' or 'Test: send an unsigned POST to your webhook endpoint and confirm 400 response'.
Move the rate limiting example and error handling table to a separate CLERK-SECURITY-REFERENCE.md file, keeping SKILL.md as a concise overview with links.
Remove the Prerequisites and Output sections — Claude doesn't need to be told about OWASP basics, and the Output section just restates what the steps already demonstrate.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is mostly efficient with executable code examples, but includes some unnecessary elements like the Prerequisites section (Claude knows OWASP basics), the Output summary section that just restates what was already shown, and some inline comments that explain obvious things. The error handling table adds value but the overall document could be tightened. | 2 / 3 |
| Actionability | Every step includes fully executable, copy-paste ready TypeScript/bash code with specific imports, function signatures, and concrete patterns. The rate limiting example includes a complete implementation with a real library. Permission checks use specific Clerk API calls rather than pseudocode. | 3 / 3 |
| Workflow Clarity | Steps are clearly sequenced and numbered, but there are no explicit validation checkpoints or feedback loops. For a security hardening skill involving potentially destructive configuration changes (CSP headers, middleware), there should be verification steps like 'test that protected routes return 401 without auth' or 'verify webhook endpoint rejects unsigned requests'. | 2 / 3 |
| Progressive Disclosure | The content is well-structured with clear sections, but it's quite long (~180 lines of content) and could benefit from splitting detailed examples (rate limiting, webhook verification) into separate reference files. The Resources section and Next Steps provide good navigation, but the main body contains everything inline. | 2 / 3 |
| Total | | 9 / 12 (Passed) |
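The webhook checkpoint that both the Suggestions list and the Workflow Clarity row call for (reject an unsigned, tampered or stale POST with 400, accept a correctly signed one) is shown below as an added example. It is not code from the skill, from Clerk or from Tessl: it reimplements the Svix-style signing scheme that Clerk webhook deliveries use (HMAC-SHA256 over `id.timestamp.body`, secret prefixed `whsec_`, header `svix-signature: v1,<base64>`) on top of Node's `crypto` module so it runs offline against a constructed secret and payload. A production handler should call the `svix` package or Clerk's own helper rather than this reimplementation; the names `verifyWebhook`, `signWebhook` and `DEMO_SECRET` are assumptions of this example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed secret for the example only; real Clerk signing secrets come from the dashboard.
const DEMO_SECRET =
  "whsec_" + Buffer.from("0123456789abcdef0123456789abcdef").toString("base64");

interface WebhookCheck {
  status: number; // HTTP status a handler should answer with
  reason: string;
}

function decodeSecret(secret: string): Buffer {
  // Svix secrets are base64 after the "whsec_" prefix.
  return Buffer.from(secret.replace(/^whsec_/, ""), "base64");
}

// Verify the three svix-* headers against the raw request body.
// Every failure maps to 400 so an attacker learns nothing about which check failed.
function verifyWebhook(
  headers: Record<string, string | undefined>,
  rawBody: string,
  secret: string,
  nowSeconds: number = Math.floor(Date.now() / 1000),
  toleranceSeconds = 300,
): WebhookCheck {
  const id = headers["svix-id"];
  const ts = headers["svix-timestamp"];
  const sigHeader = headers["svix-signature"];
  if (!id || !ts || !sigHeader) {
    return { status: 400, reason: "missing svix headers" };
  }
  // Replay protection: reject timestamps outside the tolerance window.
  const tsNum = Number(ts);
  if (!Number.isInteger(tsNum) || Math.abs(nowSeconds - tsNum) > toleranceSeconds) {
    return { status: 400, reason: "timestamp outside tolerance" };
  }
  const expected = createHmac("sha256", decodeSecret(secret))
    .update(`${id}.${ts}.${rawBody}`)
    .digest();
  // The header may carry several space-separated "v1,<base64>" entries during key rotation.
  for (const entry of sigHeader.split(" ")) {
    const [version, value] = entry.split(",");
    if (version !== "v1" || !value) continue;
    const given = Buffer.from(value, "base64");
    if (given.length === expected.length && timingSafeEqual(given, expected)) {
      return { status: 200, reason: "ok" };
    }
  }
  return { status: 400, reason: "bad signature" };
}

// Builds a correctly signed header set; used here only to construct test input.
function signWebhook(
  id: string,
  ts: number,
  rawBody: string,
  secret: string,
): Record<string, string> {
  const sig = createHmac("sha256", decodeSecret(secret))
    .update(`${id}.${ts}.${rawBody}`)
    .digest("base64");
  return { "svix-id": id, "svix-timestamp": String(ts), "svix-signature": `v1,${sig}` };
}

// Stand-alone demo of the checkpoints a hardening step should verify (constructed payload).
const demoBody = JSON.stringify({ type: "user.created", data: { id: "user_demo" } });
const demoNow = 1_700_000_000;
const signed = signWebhook("msg_demo", demoNow, demoBody, DEMO_SECRET);
console.log(verifyWebhook(signed, demoBody, DEMO_SECRET, demoNow));          // status 200
console.log(verifyWebhook({}, demoBody, DEMO_SECRET, demoNow));              // status 400
console.log(verifyWebhook(signed, demoBody + " ", DEMO_SECRET, demoNow));    // status 400
console.log(verifyWebhook(signed, demoBody, DEMO_SECRET, demoNow + 1000));   // status 400
```

The body must be the raw bytes as received, not a re-serialised JSON object, because any whitespace change breaks the HMAC; the comparison uses `timingSafeEqual` so signature checking does not leak timing information.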
Validation
Validation: 81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation for skill structure (9 / 11 passed)
| Criteria | Description | Result |
|---|---|---|
allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |
70e9fa4