documenso-security-basics
Implement security best practices for Documenso document signing integrations. Use when securing API keys, configuring webhooks securely, or implementing document security measures. Trigger with phrases like "documenso security", "secure documenso", "documenso API key security", "documenso webhook security".
85
83%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Quality
Discovery
89%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a solid skill description that clearly identifies its niche (Documenso security), provides explicit trigger terms, and answers both what and when. Its main weakness is that the specific capabilities could be more concrete—'implementing document security measures' is somewhat vague, and listing more specific actions (e.g., token rotation, signature verification, HTTPS enforcement) would strengthen it.
Suggestions
Replace the vague 'implementing document security measures' with more concrete actions like 'validating webhook signatures, rotating API tokens, enforcing HTTPS endpoints, setting document expiration policies'.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Names the domain (Documenso security) and some actions (securing API keys, configuring webhooks, implementing document security measures), but 'implementing document security measures' is vague and the description doesn't list multiple concrete specific actions beyond API keys and webhooks. | 2 / 3 |
Completeness | Clearly answers both 'what' (implement security best practices for Documenso integrations) and 'when' (securing API keys, configuring webhooks securely, implementing document security measures) with explicit trigger phrases provided. | 3 / 3 |
Trigger Term Quality | Includes natural trigger phrases like 'documenso security', 'secure documenso', 'documenso API key security', 'documenso webhook security' which are terms users would naturally use. Good coverage of variations combining the product name with security concerns. | 3 / 3 |
Distinctiveness Conflict Risk | Very specific niche combining Documenso (a specific product) with security best practices. Unlikely to conflict with general security skills or general Documenso skills due to the intersection of both domains and explicit trigger terms. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
77%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable security skill with executable code in multiple languages and clear workflows for key rotation and webhook verification. Its main weakness is moderate verbosity—some explanatory comments and patterns that Claude already understands could be trimmed. The progressive disclosure could be improved by extracting self-hosted-specific content into a separate file.
Suggestions
Trim explanatory comments like '// NEVER hardcode keys' and '// ALWAYS use environment variables'—Claude knows these patterns; just show the correct approach.
Consider extracting Steps 5-6 (self-hosted signing certificate and production secrets) into a separate file like `documenso-selfhosted-security.md` and linking to it, keeping the main skill focused on API/webhook security.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | Generally efficient with good code examples, but includes some unnecessary commentary (e.g., 'NEVER hardcode keys' / 'ALWAYS use environment variables' patterns Claude already knows, and some inline comments that explain obvious concepts). The error handling table and checklist add value but the overall content could be tightened. | 2 / 3 |
Actionability | Provides fully executable TypeScript and Python code examples, specific bash commands for certificate generation and secret generation, and concrete patterns for key rotation and webhook verification. All code is copy-paste ready with real library calls and environment variable references. | 3 / 3 |
Workflow Clarity | The key rotation procedure in Step 2 has a clear 5-step sequence with explicit verification before proceeding. The overall structure follows a logical progression from basic key security through webhook verification, access control, and production deployment. The security checklist serves as a validation checkpoint. | 3 / 3 |
Progressive Disclosure | The content is well-structured with clear sections and references to external resources and a next-steps pointer to 'documenso-prod-checklist'. However, the skill is fairly long (~130 lines of content) and some sections like the signing certificate details and self-hosted secrets could potentially be split into a separate reference file rather than being inline. | 2 / 3 |
Total | 10 / 12 Passed |
Validation
81%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 9 / 11 Passed | |
- Commit
70e9fa4
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.