Apply Firecrawl security best practices for API key management and webhook verification. Use when securing API keys, implementing webhook signature validation, or auditing Firecrawl security configuration. Trigger with phrases like "firecrawl security", "firecrawl secrets", "secure firecrawl", "firecrawl API key security", "firecrawl webhook signature".
68
83%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Advisory
Suggest reviewing before use
Quality
Discovery
89%: Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-structured skill description with strong completeness and distinctiveness. It explicitly provides 'Use when' and 'Trigger with' clauses with natural keywords. The main weakness is that the capability description could be more concrete—'apply best practices' is somewhat vague compared to listing specific actions like 'rotate API keys, validate webhook HMAC signatures, configure environment variables'.
Suggestions
Replace 'Apply Firecrawl security best practices' with more concrete actions, e.g., 'Rotate and store Firecrawl API keys securely, validate webhook HMAC signatures, configure environment variables for secrets management.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (Firecrawl security) and some actions (API key management, webhook verification), but doesn't list multiple concrete actions in detail—'apply best practices' is somewhat vague, and 'auditing security configuration' is broad. | 2 / 3 |
| Completeness | Clearly answers both 'what' (API key management, webhook signature validation, security configuration auditing) and 'when' (explicit 'Use when' clause and 'Trigger with phrases' section providing concrete triggers). | 3 / 3 |
| Trigger Term Quality | Includes explicit trigger phrases like 'firecrawl security', 'firecrawl secrets', 'secure firecrawl', 'firecrawl API key security', 'firecrawl webhook signature'—these are natural terms a user would say and cover good variations. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly specific to Firecrawl security concerns—API key management and webhook verification for Firecrawl specifically. Unlikely to conflict with generic security skills or other Firecrawl skills due to the narrow security focus. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
77%: Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable security skill with excellent executable code examples and a well-sequenced workflow. Its main weakness is moderate verbosity — some explanatory text and prerequisites could be trimmed — and the content could benefit from splitting detailed implementations (webhook verification, sanitization) into separate files. The security checklist and error handling table are strong additions that serve as practical validation aids.
Suggestions
Remove the Prerequisites section and inline comments explaining obvious concepts (e.g., 'Scraped web content may contain PII') to improve conciseness.
Consider extracting the webhook verification and content sanitization code into separate referenced files to improve progressive disclosure and keep the main skill as a concise overview.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Generally efficient with good code examples, but includes some unnecessary content like the Prerequisites section (Claude knows what env vars are), explanatory comments that are obvious (e.g., 'Scraped web content may contain PII, scripts, or malicious data'), and the 'Understanding of environment variables' prerequisite. The overview also explains what fc- keys grant access to, which is somewhat redundant. | 2 / 3 |
| Actionability | Excellent executable code throughout — complete TypeScript webhook verification with timing-safe comparison, bash commands for gitignore and key rotation, concrete sanitization function, and specific CLI commands for GitHub secrets. All code is copy-paste ready with real imports and proper error handling. | 3 / 3 |
| Workflow Clarity | Clear 5-step sequence from key storage through rotation and sanitization. Key rotation includes explicit verification step (curl test before removing old key). Webhook handling includes rejection flow for invalid signatures. The security checklist serves as a validation checkpoint. Error handling table provides clear detection-to-mitigation flows. | 3 / 3 |
| Progressive Disclosure | The content is well-structured with clear sections, but it's fairly long (~120 lines of content) and could benefit from splitting the webhook verification and content sanitization into separate referenced files. The reference to 'firecrawl-prod-checklist' in Next Steps is good but there are no bundle files to support it. External resource links are helpful but the main content is monolithic. | 2 / 3 |
| Total | 10 / 12 Passed | |
Validation
81%: Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |
a04d1a2