Apply Customer.io security best practices. Use when implementing secure credential storage, PII handling, webhook signature verification, or GDPR/CCPA compliance. Trigger: "customer.io security", "customer.io pii", "secure customer.io", "customer.io gdpr", "customer.io webhook verify".
Overall: 80
Does it follow best practices? 77%
Impact: Pending (no eval scenarios have been run)
Passed: no known issues

Optimize this skill with Tessl: `npx tessl skill review --optimize ./plugins/saas-packs/customerio-pack/skills/customerio-security-basics/SKILL.md`

Quality
Discovery: 89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a solid skill description with excellent trigger coverage and clear 'when' guidance specific to Customer.io security. Its main weakness is that the 'what' portion could be more specific about the concrete actions performed (e.g., 'configures environment variables for API keys, implements webhook HMAC verification, anonymizes PII fields') rather than listing broad categories. Overall it performs well for skill selection purposes.
Suggestions
Replace 'Apply Customer.io security best practices' with more concrete actions like 'Configures secure API key storage, implements webhook HMAC signature verification, anonymizes PII in Customer.io event payloads, and ensures GDPR/CCPA compliance in data flows.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (Customer.io security) and lists some actions (credential storage, PII handling, webhook signature verification, GDPR/CCPA compliance), but these are more like categories than concrete specific actions. It says 'apply best practices' rather than listing what those practices entail. | 2 / 3 |
| Completeness | Clearly answers both 'what' (apply Customer.io security best practices including credential storage, PII handling, webhook verification, GDPR/CCPA compliance) and 'when' (explicit 'Use when' clause and trigger terms). Both are explicitly stated. | 3 / 3 |
| Trigger Term Quality | Includes explicit trigger terms that users would naturally say: 'customer.io security', 'customer.io pii', 'secure customer.io', 'customer.io gdpr', 'customer.io webhook verify'. These cover multiple natural variations and specific use cases. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive due to the specific combination of Customer.io + security domain. The trigger terms are narrowly scoped to Customer.io security concerns, making it very unlikely to conflict with general security skills or general Customer.io skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 64%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable security skill with excellent executable code examples covering credential storage, PII sanitization, webhook verification, key rotation, and GDPR compliance. Its main weaknesses are length (could split detailed implementations into referenced files) and missing validation checkpoints in the key rotation and bulk deletion workflows. The Step 4 key rotation script is oddly implemented as console.log statements rather than actual automation.
Suggestions
Replace the Step 4 key rotation console.log script with an actual connectivity test function that validates the new key works, and add an explicit verification checkpoint after rotation.
Split the detailed code implementations (sanitization, webhook middleware, GDPR deletion) into referenced files and keep SKILL.md as a concise overview with short code snippets.
Add a validation/retry mechanism to the bulk deletion workflow — e.g., collect failures and retry them, then report final status — since batch destructive operations need feedback loops.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is mostly efficient with executable code examples, but includes some unnecessary verbosity: the key rotation script that just prints console.log instructions is wasteful, and the prerequisites section explains things Claude already knows. The security checklist and error handling table add value but could be tighter. | 2 / 3 |
| Actionability | Every step provides fully executable TypeScript code with real library imports, concrete field names, and copy-paste-ready implementations. The webhook verification, PII sanitization, and GDPR deletion examples are complete and specific with realistic usage patterns. | 3 / 3 |
| Workflow Clarity | Steps are clearly sequenced and the security checklist provides a good summary, but the key rotation step (Step 4) lacks a proper validation checkpoint: it warns about immediate invalidation but doesn't include a verification script. The bulk deletion in Step 5 has error handling but no explicit validation/retry loop for failed deletions. | 2 / 3 |
| Progressive Disclosure | The content is well-structured with clear headers and a logical progression, but it's quite long (~200 lines of code) and could benefit from splitting detailed implementations into separate files. The references section and 'Next Steps' are good, but the inline code blocks make this a dense monolithic document. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation: 81% (9 / 11 passed)
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |
3e83543