Apply Fireflies.ai security best practices for API keys and webhook verification. Use when securing API keys, verifying webhook signatures, or auditing Fireflies.ai security configuration. Trigger with phrases like "fireflies security", "fireflies secrets", "secure fireflies", "fireflies webhook signature", "fireflies HMAC".
80
77%: Does it follow best practices?
Impact: Pending. No eval scenarios have been run.
Passed: No known issues.
Optimize this skill with Tessl:
npx tessl skill review --optimize ./plugins/saas-packs/fireflies-pack/skills/fireflies-security-basics/SKILL.md
Quality
Discovery
89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-structured skill description with strong completeness and distinctiveness. It explicitly provides both 'what' and 'when' clauses and includes specific trigger phrases that make it easy to select. The main weakness is that the capability descriptions could be more concrete—listing specific actions rather than general categories like 'security best practices'.
Suggestions
Add more specific concrete actions, e.g., 'rotate API keys, validate HMAC-SHA256 webhook signatures, store secrets in environment variables, audit access permissions' to improve specificity.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (Fireflies.ai security) and some actions (securing API keys, verifying webhook signatures, auditing security configuration), but the actions are somewhat general and not deeply specific—e.g., it doesn't describe concrete steps like 'rotate API keys', 'validate HMAC-SHA256 signatures', or 'configure environment variables'. | 2 / 3 |
| Completeness | Clearly answers both 'what' (apply security best practices for API keys and webhook verification) and 'when' (explicit 'Use when' clause with specific triggers, plus a 'Trigger with phrases like' section). Both dimensions are explicitly addressed. | 3 / 3 |
| Trigger Term Quality | Includes a strong set of natural trigger terms: 'fireflies security', 'fireflies secrets', 'secure fireflies', 'fireflies webhook signature', 'fireflies HMAC'. These cover multiple natural phrasings a user might use, including both general and technical variations. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive due to the narrow focus on Fireflies.ai specifically, combined with security-specific triggers like 'fireflies HMAC' and 'fireflies webhook signature'. Unlikely to conflict with generic security skills or other API integration skills. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
64%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable security skill with executable code examples in multiple languages and a useful security checklist. Its main weaknesses are the lack of explicit validation/feedback loops in multi-step processes (especially key rotation) and the somewhat monolithic structure that could benefit from splitting detailed code examples into separate files. The dual-language webhook examples add value but also contribute to length.
Suggestions
Add explicit validation checkpoints to the key rotation workflow (e.g., 'Verify new key returns valid response before proceeding to step 3') and include error recovery steps if validation fails.
Consider moving the Python webhook verification example to a separate reference file (e.g., WEBHOOK_PYTHON.md) and linking to it, keeping only one language example inline to reduce length.
Remove the 'Output' section which merely restates what was already covered, and trim the 'Prerequisites' to just the API key requirement.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is mostly efficient but includes some unnecessary sections like the 'Output' summary which just restates what was already covered, and the 'Prerequisites' section mentions things Claude already knows (understanding of environment variables). The Python and TypeScript examples both cover webhook verification which is somewhat redundant, though they serve different language audiences. | 2 / 3 |
| Actionability | The skill provides fully executable code examples in both TypeScript and Python for webhook verification, concrete bash commands for key rotation testing, a working pre-commit hook, and specific GraphQL mutations for privacy settings. All code is copy-paste ready with real header names and endpoints. | 3 / 3 |
| Workflow Clarity | Steps are clearly numbered and sequenced, but the workflow lacks explicit validation checkpoints and feedback loops. For example, Step 2 (webhook verification) doesn't mention what to do if verification fails beyond returning 401. The key rotation procedure in Step 6 lists steps as comments but doesn't include explicit validation between steps or error recovery guidance. | 2 / 3 |
| Progressive Disclosure | The content is reasonably well-structured with clear sections and a security checklist, but it's somewhat monolithic — the webhook verification examples in two languages, privacy level details, and key rotation could be split into separate reference files. The 'Next Steps' reference to 'fireflies-prod-checklist' is good but the main file is dense. | 2 / 3 |
| Total | 9 / 12 Passed | |
Validation
81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |
70e9fa4