Apply Databricks security best practices for secrets and access control. Use when securing API tokens, implementing least privilege access, or auditing Databricks security configuration. Trigger with phrases like "databricks security", "databricks secrets", "secure databricks", "databricks token security", "databricks scopes".
80
77%: Does it follow best practices?
Impact: Pending. No eval scenarios have been run.
Risky: Do not use without reviewing.
Optimize this skill with Tessl
npx tessl skill review --optimize ./plugins/saas-packs/databricks-pack/skills/databricks-security-basics/SKILL.md
Quality
Discovery
89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-structured skill description that clearly defines its niche in Databricks security. It excels at completeness and trigger term coverage with explicit 'Use when' and 'Trigger with' clauses. The main weakness is that the specific capabilities could be more concrete—listing actual operations rather than high-level categories would strengthen it further.
Suggestions
Add more concrete actions such as 'create and manage secret scopes', 'rotate API tokens', 'configure workspace ACLs', or 'set up IP access lists' to improve specificity.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain (Databricks security) and mentions some actions like 'secrets and access control', 'securing API tokens', 'implementing least privilege access', and 'auditing security configuration', but these are somewhat high-level and not as concrete as listing specific operations (e.g., 'create secret scopes', 'rotate tokens', 'configure ACLs'). | 2 / 3 |
| Completeness | Clearly answers both 'what' (apply Databricks security best practices for secrets and access control) and 'when' (securing API tokens, implementing least privilege, auditing security config) with explicit trigger phrases listed. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms including 'databricks security', 'databricks secrets', 'secure databricks', 'databricks token security', 'databricks scopes', plus contextual phrases like 'API tokens', 'least privilege access', and 'auditing'. These are terms users would naturally use. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive with the specific Databricks security niche. The combination of 'Databricks' + 'security/secrets/scopes/tokens' creates a clear, narrow domain that is unlikely to conflict with general security skills or general Databricks skills. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
64%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, highly actionable skill with real executable code across multiple languages (bash, Python, SQL). Its main weaknesses are the lack of validation checkpoints in destructive operations like token rotation, and the monolithic structure that packs substantial detail into a single file rather than using progressive disclosure. Minor verbosity in comments and the Output section could be trimmed.
Suggestions
Add explicit validation steps to token rotation (e.g., verify new token works with a test API call before deleting the old one) and after permission changes (verify grants took effect).
Split detailed content like column/row-level security and the full audit_tokens() function into separate referenced files (e.g., COLUMN_SECURITY.md, TOKEN_AUDIT.md) to keep SKILL.md as a concise overview.
Remove the 'Output' section which merely restates what the steps produce, and trim explanatory comments that Claude doesn't need (e.g., 'Databricks prevents accidental exposure').
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is mostly efficient with executable commands and code, but includes some unnecessary elements like the 'Output' section restating what the steps already accomplish, and comments that over-explain (e.g., 'Databricks prevents accidental exposure'). The Python print example showing redaction behavior is borderline unnecessary for Claude. | 2 / 3 |
| Actionability | Excellent actionability throughout — every step includes fully executable CLI commands, Python code, or SQL statements that are copy-paste ready. The token audit function is complete and runnable, secret scope commands are specific, and Unity Catalog grants use realistic role-based examples. | 3 / 3 |
| Workflow Clarity | Steps are clearly sequenced and logically ordered from scope creation through auditing. However, there are no explicit validation checkpoints or feedback loops — for security operations involving token rotation (destructive) and permission changes, there should be verify-before-proceeding steps (e.g., confirm new token works before deleting old one). | 2 / 3 |
| Progressive Disclosure | The content is well-structured with clear headers and a logical progression, and includes external resource links. However, at ~150+ lines, some content like the column-level masking, row-level security, and the full audit token Python function could be split into referenced files. The skill tries to cover too much inline for a single SKILL.md. | 2 / 3 |
| Total | 9 / 12 Passed | |
Validation
81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |
70e9fa4