Apply Exa security best practices for secrets and access control. Use when securing API keys, implementing least privilege access, or auditing Exa security configuration. Trigger with phrases like "exa security", "exa secrets", "secure exa", "exa API key security".
Install with Tessl CLI
npx tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill exa-security-basics
81
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skill
Discovery
89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-structured skill description with explicit 'Use when' and 'Trigger with' clauses that clearly define its scope. The Exa-specific focus provides strong distinctiveness. The main weakness is that the specific actions could be more concrete - listing actual security operations rather than general security concepts would strengthen specificity.
Suggestions
Add more concrete actions like 'rotate API keys', 'configure access scopes', 'review permission grants', or 'set up key expiration' to improve specificity
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (Exa security) and mentions some actions ('securing API keys', 'implementing least privilege access', 'auditing Exa security configuration'), but these are somewhat general security concepts rather than highly specific concrete actions like 'rotate keys', 'configure RBAC', or 'generate audit reports'. | 2 / 3 |
| Completeness | Clearly answers both what (apply Exa security best practices for secrets and access control) and when (securing API keys, implementing least privilege, auditing security config) with explicit 'Use when' and 'Trigger with' clauses providing clear guidance. | 3 / 3 |
| Trigger Term Quality | Explicitly lists natural trigger phrases users would say: 'exa security', 'exa secrets', 'secure exa', 'exa API key security'. Also includes relevant terms like 'API keys', 'least privilege access', and 'security configuration' that users might naturally mention. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly specific to 'Exa' platform security, which creates a clear niche. The combination of 'Exa' + security-specific terms makes it unlikely to conflict with general security skills or other platform-specific skills. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
72%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid security skill with excellent actionability through concrete code examples and good organization. The main weaknesses are some unnecessary explanatory content (Prerequisites) and missing validation checkpoints for the overall security configuration workflow. The content would benefit from trimming redundant sections and adding explicit verification steps.
Suggestions
Remove the Prerequisites section - Claude already understands environment variables and SDK installation
Add a validation step after configuring .gitignore to verify secrets aren't tracked (e.g., `git status --ignored`)
Add explicit verification that scopes are correctly applied after Step 3, such as a test command or dashboard check
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Generally efficient but includes some unnecessary elements like the Prerequisites section (Claude knows what environment variables are) and the verbose audit logging example that could be trimmed. The tables and checklists are appropriately concise. | 2 / 3 |
| Actionability | Provides fully executable code examples including bash commands, TypeScript patterns, and copy-paste ready snippets. The webhook verification, service account pattern, and audit logging examples are complete and immediately usable. | 3 / 3 |
| Workflow Clarity | Secret rotation steps are clearly sequenced with verification, but the overall document lacks explicit validation checkpoints for the security setup process. No feedback loop for verifying that .gitignore is working or that scopes are correctly applied. | 2 / 3 |
| Progressive Disclosure | Well-organized with clear sections, appropriate use of tables for quick reference, and external links to detailed documentation. The checklist provides a good summary, and the 'Next Steps' section points to related content without deep nesting. | 3 / 3 |
| Total | 10 / 12 Passed | |
Validation
75%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 12 / 16 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| metadata_version | 'metadata' field is not a dictionary | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| body_steps | No step-by-step structure detected (no ordered list); consider adding a simple workflow | Warning |
| Total | 12 / 16 Passed | |