Apply Customer.io security best practices. Use when implementing secure credential storage, PII handling, webhook signature verification, or GDPR/CCPA compliance. Trigger: "customer.io security", "customer.io pii", "secure customer.io", "customer.io gdpr", "customer.io webhook verify".
80
77%
Does it follow best practices?
Impact: Pending (no eval scenarios have been run)
Passed: no known issues
Optimize this skill with Tessl: `npx tessl skill review --optimize ./plugins/saas-packs/customerio-pack/skills/customerio-security-basics/SKILL.md`

Quality
Discovery: 89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-structured skill description with strong completeness and distinctiveness. It clearly identifies when to use the skill with explicit trigger terms and a 'Use when' clause. The main weakness is that the capabilities listed are more like topic categories than concrete, specific actions, which slightly reduces specificity.
Suggestions
Replace topic-level phrases with concrete actions, e.g., 'Encrypt API keys using environment variables, mask PII fields in event payloads, validate webhook HMAC signatures, implement data deletion endpoints for GDPR/CCPA requests.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (Customer.io security) and lists some actions like 'secure credential storage, PII handling, webhook signature verification, GDPR/CCPA compliance,' but these are more like topic areas than concrete actions. It doesn't describe specific steps or outputs (e.g., 'encrypt API keys,' 'validate HMAC signatures'). | 2 / 3 |
| Completeness | Clearly answers both 'what' (apply Customer.io security best practices including credential storage, PII handling, webhook verification, GDPR/CCPA compliance) and 'when' (explicit 'Use when' clause and trigger terms). Both are explicitly stated. | 3 / 3 |
| Trigger Term Quality | Includes explicit trigger terms that users would naturally say: 'customer.io security', 'customer.io pii', 'secure customer.io', 'customer.io gdpr', 'customer.io webhook verify'. These cover multiple natural variations and specific compliance frameworks. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive due to the specific combination of 'Customer.io' platform and 'security' domain. The trigger terms are narrowly scoped and unlikely to conflict with general security skills or general Customer.io skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 64%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable security skill with executable TypeScript examples covering the key security concerns for Customer.io integration. Its main strengths are concrete, copy-paste ready code and comprehensive coverage across five security domains. Weaknesses include some verbosity (the key rotation script-as-console-logs pattern), a contradictory key rotation workflow, and missing validation checkpoints for destructive operations like bulk deletion.
Suggestions
Add a verification step after bulk deletion (e.g., confirm user no longer exists via API lookup) to close the validation gap in the destructive operation workflow.
Fix the key rotation workflow contradiction: the numbered steps say to regenerate first, but the IMPORTANT note says to update secrets before regenerating. Provide a clear, unambiguous sequence.
Convert the key rotation Step 4 from a script that prints instructions into a simple numbered list — a console.log-based script adds no value over plain markdown.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is mostly efficient with executable code examples, but includes some unnecessary elements: the Prerequisites section states obvious things ('Understanding of your data classification'), the API key rotation step is a script that just prints console.log instructions (could be a simple list), and some inline comments are redundant. The error handling table and checklist add value, but the overall content could be tightened. | 2 / 3 |
| Actionability | Every step provides fully executable TypeScript code with real imports, concrete function signatures, and copy-paste ready implementations. The webhook verification includes Express setup, PII sanitization shows exact usage with expected outcomes in comments, and GDPR deletion uses actual SDK methods (suppress, destroy). The error handling table provides specific solutions. | 3 / 3 |
| Workflow Clarity | Steps are clearly sequenced and individually well-structured, but there are validation gaps. The bulk deletion operation lacks a verification step (e.g., confirming deletion succeeded). The key rotation procedure (Step 4) warns about immediate invalidation, but the ordering advice ('Update secrets BEFORE regenerating') contradicts the numbered steps, which say to regenerate first and then update. There are no explicit validation checkpoints between steps. | 2 / 3 |
| Progressive Disclosure | The content is well-organized with clear sections, a checklist, and an error handling table. However, at ~180 lines of code-heavy content, some sections (like the full webhook middleware or PII sanitization module) could be split into referenced files. The 'Next Steps' reference to customerio-prod-checklist is good, but no bundle files exist to support progressive disclosure. For a standalone skill this is acceptable but not optimal. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation: 81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |
3a2d27d