Implement security best practices for Documenso document signing integrations. Use when securing API keys, configuring webhooks securely, or implementing document security measures. Trigger with phrases like "documenso security", "secure documenso", "documenso API key security", "documenso webhook security".
85
83%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Quality
Discovery
89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a solid skill description that clearly identifies its niche (Documenso security), provides explicit trigger guidance, and is unlikely to conflict with other skills. Its main weakness is that the specific capabilities listed are somewhat high-level and could benefit from more concrete action verbs describing what security measures are actually implemented.
Suggestions
Add more specific concrete actions such as 'rotate API keys, validate webhook signatures with HMAC, configure IP allowlists, set token expiration policies' to improve specificity.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | It names the domain (Documenso security) and mentions some actions like 'securing API keys', 'configuring webhooks securely', and 'implementing document security measures', but these are somewhat general and not deeply specific concrete actions (e.g., no mention of key rotation, HMAC verification, encryption methods, etc.). | 2 / 3 |
| Completeness | Clearly answers both 'what' (implement security best practices for Documenso integrations including API keys, webhooks, document security) and 'when' (explicit 'Use when' clause and 'Trigger with phrases' section providing clear activation guidance). | 3 / 3 |
| Trigger Term Quality | Includes explicit trigger phrases like 'documenso security', 'secure documenso', 'documenso API key security', 'documenso webhook security' which are natural terms a user would say. Also includes relevant keywords like 'API keys', 'webhooks', and 'document security measures'. | 3 / 3 |
| Distinctiveness Conflict Risk | The combination of 'Documenso' (a specific product) with 'security' creates a very clear niche. The trigger terms are specific enough to avoid conflicts with general security skills or general Documenso skills. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
77%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable security skill with excellent executable code examples in multiple languages and clear workflows for key rotation and webhook verification. Its main weakness is moderate verbosity—some explanations of basic security concepts that Claude already knows could be trimmed—and the content could benefit from splitting self-hosted concerns into a separate reference file. The security checklist and error handling table are strong additions that provide practical validation guidance.
Suggestions
Trim explanatory comments Claude already knows (e.g., remove 'NEVER hardcode keys' / 'ALWAYS use environment variables' labels and the BAD/GOOD pattern; the code examples alone make this clear).
Consider splitting self-hosted content (Steps 5-6) into a separate file like `SELF-HOSTED-SECURITY.md` and referencing it from the main skill to improve progressive disclosure.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Generally efficient with good code examples, but includes some unnecessary commentary (e.g., 'NEVER hardcode keys' / 'ALWAYS use environment variables' patterns Claude already knows, and the BAD/GOOD labeling is somewhat patronizing). The document access control section explains 'principle of least privilege' which Claude understands. Some inline comments are redundant. | 2 / 3 |
| Actionability | Excellent executable code in both TypeScript and Python, specific bash commands for certificate generation, concrete .gitignore patterns, and a clear key rotation procedure with numbered steps. All code is copy-paste ready and covers real-world scenarios. | 3 / 3 |
| Workflow Clarity | The key rotation procedure (Step 2) has a clear 5-step sequence with an implicit validation checkpoint ('Verify secondary key works' before proceeding). The overall flow from API key security through webhook verification to production deployment is well-sequenced. The security checklist serves as a comprehensive validation checkpoint. The error handling table provides clear feedback loops for security incidents. | 3 / 3 |
| Progressive Disclosure | The content is well-structured with clear sections and a logical progression, but it's fairly long for a single file with no bundle files to offload detail into. The signing certificate section and self-hosted secrets could be split into a separate file. References to external docs and 'documenso-prod-checklist' are good, but the skill itself is somewhat monolithic. | 2 / 3 |
| Total | 10 / 12 Passed | |
Validation
81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |
3a2d27d