
customerio-security-basics

Apply Customer.io security best practices. Use when implementing secure credential storage, PII handling, webhook signature verification, or GDPR/CCPA compliance. Trigger: "customer.io security", "customer.io pii", "secure customer.io", "customer.io gdpr", "customer.io webhook verify".

Quality: 67 (Does it follow best practices?)

Impact: No eval scenarios have been run

Security by Snyk: Passed, no known issues


Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is highly actionable with executable code, but suffers from verbosity in the rotation step and a monolithic inline structure that ignores its own reference bundle. Destructive/batch operations also lack explicit validation checkpoints.

Suggestions

Replace Step 4's console.log rotation script with concise numbered instructions and a single verification step (e.g., a concrete connectivity-test command) to form a validate->fix->retry loop.

Move the credential-storage and PII-sanitization deep dives into references/implementation-guide.md and link to them from the body, signaling the bundle instead of inlining everything.

Add an explicit validation checkpoint after GDPR bulk deletion (e.g., confirm suppress+destroy succeeded and record the audit entry) to satisfy the destructive/batch feedback-loop requirement.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | Code blocks are largely earned, but Step 4 expresses the rotation procedure as verbose console.log lines with a duplicated IMPORTANT note, and the checklist/table restate prior content — mostly efficient but could be tightened. Not level 3 because of the padded rotation section; not level 1 because most content is concrete and non-redundant. | 2 / 3 |
| Actionability | Fully executable TypeScript (secrets, sanitization, HMAC verification, GDPR deletion), concrete CLI commands (gcloud/aws), and real API methods (suppress, destroy) make it copy-paste ready. | 3 / 3 |
| Workflow Clarity | Five steps are clearly sequenced with a checklist, but destructive/batch operations (key rotation that immediately invalidates the old key, bulkDelete) lack explicit validation/verify checkpoints, which caps this dimension at 2 per the destructive-ops guideline. Not level 1 because the sequence is explicit; not level 3 because validation feedback loops are missing for risky operations. | 2 / 3 |
| Progressive Disclosure | Bundle files exist under references/ but the body never signals or links them; all ~260 lines are inline, so content that should be split is monolithic. Not level 1 because sections and a checklist provide some organization; not level 3 because references are unused and navigation is absent. | 2 / 3 |
| Total | | 9 / 12 |

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific, complete, and well-triggered for a narrow security niche, covering both what it does and when to use it with natural trigger phrases. It is one of the stronger reference examples.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Enumerates concrete actions — 'secure credential storage, PII handling, webhook signature verification, or GDPR/CCPA compliance' — matching the multiple-specific-actions anchor; not the level below which only names domain and some actions. | 3 / 3 |
| Completeness | Clearly states what ('Apply Customer.io security best practices' plus enumerated capabilities) and when ('Use when implementing...') with explicit triggers, satisfying both halves. | 3 / 3 |
| Trigger Term Quality | Explicit Trigger list ('customer.io security', 'customer.io pii', 'secure customer.io', 'customer.io gdpr', 'customer.io webhook verify') gives good coverage of natural phrases a user would say. | 3 / 3 |
| Distinctiveness Conflict Risk | Narrow Customer.io-security niche with distinct, product-specific triggers makes overlap with unrelated skills unlikely. | 3 / 3 |
| Total | | 12 / 12 |

Passed

Validation

81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 13 / 16 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| referenced_paths_exist | Referenced path issues: 1 missing | Warning |
| Total | | 13 / 16 |

Passed

Repository
jeremylongshore/claude-code-plugins-plus-skills
Reviewed
