evernote-security-basics

Implement security best practices for Evernote integrations. Use when securing API credentials, implementing OAuth securely, or hardening Evernote integrations. Trigger with phrases like "evernote security", "secure evernote", "evernote credentials", "evernote oauth security".

77

Quality: 73% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Passed (No known issues)

Optimize this skill with Tessl

npx tessl skill review --optimize ./plugins/saas-packs/evernote-pack/skills/evernote-security-basics/SKILL.md

Quality

Discovery

89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a solid skill description that clearly defines its niche at the intersection of Evernote and security. It excels in completeness with explicit 'Use when' and 'Trigger with' clauses, and has strong distinctiveness. The main weakness is that the specific capabilities could be more concrete—listing actual security actions rather than broad categories like 'hardening integrations'.

Suggestions

Replace vague phrases like 'hardening Evernote integrations' with specific actions such as 'rotating API keys, validating OAuth redirect URIs, encrypting stored tokens, implementing rate limiting'.

Dimension, reasoning and score:

Specificity (2 / 3): Names the domain (Evernote security) and some actions like 'securing API credentials', 'implementing OAuth securely', and 'hardening integrations', but these are somewhat general rather than listing multiple concrete specific actions (e.g., rotating keys, encrypting tokens, validating redirect URIs).

Completeness (3 / 3): Clearly answers both 'what' (implement security best practices for Evernote integrations, securing API credentials, implementing OAuth securely, hardening integrations) and 'when' (explicit 'Use when' clause and 'Trigger with phrases' section providing clear activation guidance).

Trigger Term Quality (3 / 3): Includes explicit natural trigger phrases like 'evernote security', 'secure evernote', 'evernote credentials', 'evernote oauth security' which are terms users would naturally say. Also includes relevant keywords like 'API credentials', 'OAuth', and 'hardening'.

Distinctiveness (Conflict Risk) (3 / 3): The combination of 'Evernote' + 'security' creates a very specific niche. The trigger terms are narrowly scoped to Evernote security concerns specifically, making it unlikely to conflict with general security skills or general Evernote skills.

Total: 11 / 12

Passed

Implementation

57%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill provides a solid structural overview of Evernote security practices with good organization and progressive disclosure. However, it falls short on actionability for several key steps (encrypted storage, input validation, token lifecycle) that lack executable code, and the workflow lacks validation checkpoints critical for security-sensitive operations. The content could be tightened by removing the Prerequisites and Output sections and replacing prose Examples with executable code.

Suggestions

Add executable code examples for Steps 3 (AES-256-GCM encryption/decryption), 4 (input validation/sanitization), and 6 (token expiration check), as these are the most security-critical and error-prone operations.

Add validation checkpoints to the workflow, e.g., 'Verify encryption roundtrip: decrypt(encrypt(token)) === token' after Step 3, and 'Test CSRF flow end-to-end before deploying' after Step 2.

Replace the prose-based Examples section with concrete, executable code snippets showing complete usage patterns.

Remove the Prerequisites and Output sections to save tokens—Claude already knows these concepts and the Output section merely restates the step headings.

Dimension, reasoning and score:

Conciseness (2 / 3): Generally efficient but includes some unnecessary context like the Prerequisites section (Claude knows what OAuth 1.0a and AES are), the verbose Output section that merely restates what was already covered, and the Examples section which describes scenarios in prose rather than providing executable code. The core instructions are reasonably tight.

Actionability (2 / 3): Some steps have concrete, executable JavaScript code (credential validation, CSRF token, redactToken), but Steps 3, 4, and 6 are descriptive without executable code examples. The encrypted token storage step notably lacks the AES-256-GCM implementation code despite being a key security concern. The Examples section describes scenarios in prose rather than providing copy-paste ready code.

Workflow Clarity (2 / 3): Steps are clearly numbered and sequenced, but there are no validation checkpoints or feedback loops. For security-critical operations like token encryption and OAuth flows, there should be explicit verification steps (e.g., verify encryption/decryption roundtrip works, validate OAuth callback registration). The error handling table is helpful but disconnected from the workflow steps.

Progressive Disclosure (3 / 3): Good structure with a clear overview, well-organized steps, a single-level reference to an implementation guide for complete details, an error handling table, and external resource links. Content is appropriately split between the overview skill and the referenced implementation guide.

Total: 9 / 12

Passed

Validation

81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 passed

Validation for skill structure

Criteria, description and result:

allowed_tools_field: 'allowed-tools' contains unusual tool name(s). Result: Warning

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 9 / 11

Passed

Repository: jeremylongshore/claude-code-plugins-plus-skills (Reviewed)
