Implement security best practices for Evernote integrations. Use when securing API credentials, implementing OAuth securely, or hardening Evernote integrations. Trigger with phrases like "evernote security", "secure evernote", "evernote credentials", "evernote oauth security".
Optimize this skill with Tessl:

    npx tessl skill review --optimize ./plugins/saas-packs/evernote-pack/skills/evernote-security-basics/SKILL.md

Quality
Discovery
Score: 89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a solid skill description that clearly defines its niche (Evernote integration security) and provides explicit trigger guidance. Its main weakness is that the specific capabilities listed are somewhat high-level security concepts rather than granular concrete actions. The explicit trigger phrases and 'Use when' clause make it highly functional for skill selection.
Suggestions
Add more specific concrete actions beyond general security terms, e.g., 'rotate API tokens, validate webhook signatures, implement token encryption at rest, configure sandbox vs production credentials'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (Evernote security) and some actions like 'securing API credentials', 'implementing OAuth securely', and 'hardening integrations', but these are somewhat general security concepts rather than multiple concrete, specific actions (e.g., no mention of token rotation, rate limiting, encryption at rest, etc.). | 2 / 3 |
| Completeness | Clearly answers both 'what' (implement security best practices for Evernote integrations, securing API credentials, implementing OAuth securely, hardening integrations) and 'when' (explicit 'Use when' clause and 'Trigger with phrases like' section with specific triggers). | 3 / 3 |
| Trigger Term Quality | Includes explicit natural trigger phrases like 'evernote security', 'secure evernote', 'evernote credentials', 'evernote oauth security', which are terms users would naturally say. Also includes relevant keywords like 'API credentials', 'OAuth', and 'hardening'. | 3 / 3 |
| Distinctiveness / Conflict Risk | The combination of 'Evernote' + 'security' creates a very specific niche. The triggers are narrowly scoped to Evernote-specific security concerns, making it unlikely to conflict with general security skills or general Evernote skills. | 3 / 3 |
| Total | | 11 / 12 (Passed) |
Implementation
Score: 50%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a reasonable security overview for Evernote integrations with good structure and some useful code snippets, but falls short on actionability for several critical steps (encrypted storage, input validation, token lifecycle) that lack executable code. The content is moderately concise but includes some redundancy in the Output and Examples sections. The workflow would benefit from explicit validation checkpoints given the security-sensitive nature of the operations.
Suggestions
Add executable code for Step 3 (AES-256-GCM encryption/decryption of tokens) and Step 4 (ENML input sanitization), as these are critical security operations that need precise implementation.
Add validation checkpoints after encryption (e.g., verify roundtrip decrypt) and after input sanitization (e.g., verify output is valid ENML) to catch errors in security-critical operations.
Remove the descriptive Examples section at the bottom and the redundant Output summary—the steps themselves should serve as the examples, and adding concrete code to the missing steps would be more valuable.
Either provide the referenced 'references/implementation-guide.md' bundle file or inline the most critical implementation details and remove the dangling reference.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Generally efficient but includes some unnecessary content. The Prerequisites section mentions concepts Claude already knows (basic cryptography concepts, OAuth 1.0a). The Examples section at the end is descriptive rather than adding new information; it restates what was already covered. The Output section is also somewhat redundant, summarizing the steps already listed. | 2 / 3 |
| Actionability | Provides some executable code snippets (credential validation, CSRF token, token redaction), but key steps lack concrete implementation: Step 3 (encrypted token storage) has no code despite being a critical security step, Step 4 (input validation) describes constraints but provides no sanitization code, and Step 6 (token lifecycle) is purely descriptive. The Examples section describes scenarios in prose rather than providing executable examples. | 2 / 3 |
| Workflow Clarity | Steps are clearly numbered and sequenced, and the error handling table is a useful addition. However, there are no explicit validation checkpoints or feedback loops; for security-critical operations like token encryption and input sanitization, there should be verification steps (e.g., verify the decryption roundtrip works, validate the ENML output). The workflow is more of a checklist than a guided process with error recovery. | 2 / 3 |
| Progressive Disclosure | References an implementation guide at 'references/implementation-guide.md' and a production checklist skill, which is good structure. However, no bundle files are provided, so the referenced implementation guide does not exist. The main content includes some material that could be in the referenced guide (the error table, resources), while the implementation guide that should contain the detailed code is missing. The Examples section at the bottom feels misplaced. | 2 / 3 |
| Total | | 8 / 12 (Passed) |
Validation
Score: 81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 Passed |
3a2d27d