Apply Deepgram security best practices for API key management and data protection. Use when securing Deepgram integrations, implementing key rotation, or auditing security configurations. Trigger: "deepgram security", "deepgram API key security", "secure deepgram", "deepgram key rotation", "deepgram data protection", "deepgram PII redaction".
80
77%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./plugins/saas-packs/deepgram-pack/skills/deepgram-security-basics/SKILL.md
Quality
Discovery
89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-structured skill description that clearly defines its niche (Deepgram security), provides explicit 'Use when' guidance, and includes a strong set of trigger terms. Its main weakness is that the capability descriptions are somewhat high-level—terms like 'best practices' and 'data protection' could be more concrete with specific actions listed.
Suggestions
Make capabilities more concrete by listing specific actions, e.g., 'Configure API key scoping, implement key rotation schedules, set up PII redaction rules, audit access logs' instead of the vaguer 'best practices for API key management and data protection'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (Deepgram security) and some actions (API key management, data protection, key rotation, auditing security configurations), but the actions are somewhat general and not deeply concrete—e.g., it doesn't specify what 'best practices' entail beyond key rotation and auditing. | 2 / 3 |
| Completeness | Clearly answers both 'what' (apply Deepgram security best practices for API key management and data protection) and 'when' (securing Deepgram integrations, implementing key rotation, auditing security configurations) with explicit trigger terms. | 3 / 3 |
| Trigger Term Quality | Includes a well-curated list of natural trigger terms users would say: 'deepgram security', 'deepgram API key security', 'secure deepgram', 'deepgram key rotation', 'deepgram data protection', 'deepgram PII redaction'. These cover multiple natural variations. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive due to the narrow focus on Deepgram-specific security practices. The 'Deepgram' qualifier combined with security-specific triggers makes it very unlikely to conflict with general security skills or other Deepgram skills. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
64%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable security skill with real executable code examples covering important topics like scoped keys, PII redaction, SSRF prevention, and audit logging. Its main weaknesses are verbosity (the audit logging and temporary key sections could be more concise) and the lack of explicit validation/verification steps tying the workflow together. The content would benefit from being split into a concise overview with references to detailed implementation files.
Suggestions
Trim inline comments that explain obvious concepts (e.g., '// This prevents exposing your main API key') and reduce the audit logging example to a minimal pattern with a reference to a detailed file.
Add an explicit verification step at the end of the workflow (e.g., 'Run this validation script to confirm all checklist items are met') to close the feedback loop.
Split the longer implementation sections (SSRF validation, audit logging) into separate referenced files, keeping only minimal examples in the main SKILL.md.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is mostly efficient with executable code examples, but some sections are verbose — inline comments explaining obvious things (e.g., '// This prevents exposing your main API key'), the audit logging section is quite long, and the browser client comment at the end of Step 3 adds marginal value. Could be tightened by ~20-30%. | 2 / 3 |
| Actionability | Every step includes fully executable TypeScript code with real SDK calls, specific parameter values, and concrete examples. The code is copy-paste ready with proper imports, error handling, and realistic usage patterns. | 3 / 3 |
| Workflow Clarity | Steps are clearly sequenced and numbered, but the key rotation workflow (Step 4) has commented-out critical steps (deleting old key, updating secret manager) rather than explicit validation checkpoints. The overall flow lacks a feedback loop — there's no 'verify your security setup' step or validation that the checklist items are actually met. | 2 / 3 |
| Progressive Disclosure | The content is well-structured with clear sections and a checklist overview, but it's quite long (~180 lines of code) and could benefit from splitting detailed implementations (audit logging, SSRF prevention) into separate reference files. The Resources section at the end provides external links but no internal file references for advanced topics. | 2 / 3 |
| Total | 9 / 12 Passed | |
Validation
81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |
3e83543