
exa-enterprise-rbac

Manage Exa API key scoping, team access controls, and domain restrictions. Use when implementing multi-key access control, configuring per-team search limits, or setting up organization-level Exa governance. Trigger with phrases like "exa access control", "exa RBAC", "exa enterprise", "exa team keys", "exa permissions".

84

Quality: 82%. Does it follow best practices?

Impact: Pending. No eval scenarios have been run.

Security (by Snyk): Advisory. Suggest reviewing before use.


Quality

Discovery

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a well-crafted skill description that clearly defines its niche around Exa API access control and governance. It excels in all dimensions: specific capabilities are listed, natural trigger terms are provided, both 'what' and 'when' are explicitly addressed, and the Exa-specific focus makes it highly distinctive. The use of third person voice is correct throughout.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Lists multiple specific concrete actions: 'API key scoping', 'team access controls', 'domain restrictions', 'multi-key access control', 'per-team search limits', 'organization-level Exa governance'. These are concrete, actionable capabilities. | 3 / 3 |
| Completeness | Clearly answers both 'what' (manage API key scoping, team access controls, domain restrictions) and 'when' (explicit 'Use when' clause with specific scenarios, plus a 'Trigger with phrases' section listing exact trigger terms). | 3 / 3 |
| Trigger Term Quality | Includes a rich set of natural trigger terms: 'exa access control', 'exa RBAC', 'exa enterprise', 'exa team keys', 'exa permissions'. These cover multiple natural phrasings a user might employ, including both technical (RBAC) and common terms (permissions, team keys). | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive: scoped specifically to Exa API governance, access controls, and team key management. The 'Exa' prefix and specific domain (RBAC, key scoping, domain restrictions) make it very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 (Passed) |

Implementation

64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a solid, actionable skill with well-structured executable code covering key isolation, permission enforcement, domain restrictions, usage tracking, and key rotation. Its main weaknesses are the length of inline code that could benefit from progressive disclosure into separate files, and the lack of explicit end-to-end validation steps for verifying the RBAC setup works correctly before production use.

Suggestions

Add an explicit validation/testing step after setting up permissions—e.g., a test script that verifies each role can only access its allowed search types and domains, with expected pass/fail outputs.

Move the detailed TypeScript implementations (Steps 2-4) into a referenced file like `exa-rbac-implementation.ts` and keep SKILL.md as a concise overview with key concepts and quick-start code.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The skill is reasonably efficient but includes some unnecessary verbosity in code comments and could be tightened. The inline comments explaining obvious things (e.g., 'Track usage per API key / role for budget enforcement') and the prerequisite section add minor bloat, though overall it's not egregiously padded. | 2 / 3 |
| Actionability | The skill provides fully executable TypeScript code with concrete type definitions, role configurations, validation logic, domain enforcement, usage tracking, and a bash key rotation script. All code is copy-paste ready with specific examples of role permissions and API calls. | 3 / 3 |
| Workflow Clarity | The steps are clearly sequenced (key architecture → permissions → domain restrictions → usage tracking → key rotation), and the key rotation includes a verification step. However, there's no explicit validation/feedback loop for the main permission enforcement workflow: no guidance on testing the RBAC setup end-to-end or verifying that domain restrictions are working correctly before deploying. | 2 / 3 |
| Progressive Disclosure | The skill references external resources (exa-policy-guardrails, exa-multi-env-setup) and links to documentation, which is good. However, the main content is quite long with all code inline; the detailed TypeScript implementations for permissions, domain enforcement, and usage tracking could be split into referenced files, keeping SKILL.md as a concise overview. | 2 / 3 |
| Total | | 9 / 12 (Passed) |

Validation

81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 9 / 11 (Passed) |

Repository: jeremylongshore/claude-code-plugins-plus-skills (Reviewed)
