
firecrawl-security-basics

Apply Firecrawl security best practices for API key management and webhook verification. Use when securing API keys, implementing webhook signature validation, or auditing Firecrawl security configuration. Trigger with phrases like "firecrawl security", "firecrawl secrets", "secure firecrawl", "firecrawl API key security", "firecrawl webhook signature".

67

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

Security by Snyk

Advisory

Suggest reviewing before use


Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A highly actionable, well-organized security guide whose executable code is its main strength. It loses points for an inline-duplicated checklist, missing inline retry loops around the destructive key-rotation step, and a single-file structure with no progressive disclosure to supporting reference files.

Suggestions

Add an explicit error-recovery feedback loop to Step 4 (key rotation): after 'Verify new key works', state what to do if verification fails (keep the old key, debug the new key, re-verify) before ever removing or revoking the old key.

Trim redundancy between the 'Security Checklist' and the step bodies — either remove checklist items that merely restate steps, or reframe the checklist as a quick-reference that points back to each step instead of repeating it.

Split advanced or lengthy material (e.g., the scraped-content sanitization rules and the error-handling table) into a one-level-deep reference file such as references/ERROR_HANDLING.md, keeping SKILL.md a lean overview with clearly signaled links.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | Mostly efficient and code-driven with no padded concept explanations, but it could be tightened: the 'Security Checklist' duplicates the five steps already covered, and comments like 'Timing-safe comparison prevents timing attacks' and 'Validate key exists before creating client' restate what the code already shows, so it is not the level-3 'every token earns its place'. | 2 / 3 |
| Actionability | Provides fully executable, copy-paste-ready code and commands throughout — bash for .env/.gitignore, a complete HMAC webhook verifier with an Express handler, `gh secret set` commands, a KEY_MAP loader, a curl-based rotation check, and a sanitization function — matching the level-3 'fully executable code/commands; copy-paste ready' rather than level-2's pseudocode/incomplete anchor. | 3 / 3 |
| Workflow Clarity | The five steps are clearly sequenced and validation checkpoints exist (key-prefix check, signature rejection, 'Verify new key works' before removing the old key), but explicit error-recovery feedback loops for the destructive rotation operation are not spelled out inline — the rubric emphasizes validate→fix→retry loops for destructive ops, capping this at 2 rather than 3. | 2 / 3 |
| Progressive Disclosure | Well-organized into clear sections with no nested references and only a clearly signaled Next-Steps pointer to another skill, but all detail lives inline in a single ~160-line SKILL.md with no one-level-deep reference files to split out advanced material, matching level-2's 'some structure but content that should be separate is inline' rather than the level-3 'overview + signaled references' ideal. | 2 / 3 |
| Total | | 9 / 12 Passed |

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong, specific description that clearly states the skill's purpose, when to use it, and natural trigger phrases, all scoped to a distinct Firecrawl-security niche. Minor 'best practices' phrasing aside, every dimension lands at the top of the scale.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Names multiple concrete actions — 'API key management and webhook verification', 'securing API keys, implementing webhook signature validation, or auditing Firecrawl security configuration' — matching the 'lists multiple specific concrete actions' anchor; the mild 'best practices' framing is outweighed by these specifics, so it is not the level-2 'some actions, not comprehensive'. | 3 / 3 |
| Completeness | Clearly answers both what ('Apply Firecrawl security best practices for API key management and webhook verification') and when ('Use when securing API keys... or auditing Firecrawl security configuration') with an explicit 'Use when' clause plus trigger phrases, so it is not capped at 2. | 3 / 3 |
| Trigger Term Quality | Explicitly lists natural trigger phrases users would say — 'firecrawl security', 'firecrawl secrets', 'secure firecrawl', 'firecrawl API key security', 'firecrawl webhook signature' — giving good coverage of natural variations, matching the level-3 anchor rather than level-2's partial coverage. | 3 / 3 |
| Distinctiveness Conflict Risk | Targets a clear niche — Firecrawl-specific security — with triggers all scoped to 'firecrawl', making overlap with other skills unlikely; this matches the level-3 'clear niche with distinct triggers' rather than level-2's possible overlap. | 3 / 3 |
| Total | | 12 / 12 Passed |

Validation

87%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 14 / 16 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 14 / 16 Passed |

Repository
jeremylongshore/claude-code-plugins-plus-skills
Reviewed
