gamma-security-basics

Implement security best practices for Gamma integration. Use when securing API keys, implementing access controls, or auditing Gamma security configuration. Trigger with phrases like "gamma security", "gamma API key security", "gamma secure", "gamma credentials", "gamma access control".

74

Quality: 70% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Passed (No known issues)

Optimize this skill with Tessl

npx tessl skill review --optimize ./plugins/saas-packs/gamma-pack/skills/gamma-security-basics/SKILL.md

Quality

Discovery

89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a reasonably well-structured skill description with strong completeness and trigger term coverage. Its main weakness is that the specific capabilities listed are somewhat generic security concepts (API keys, access controls, auditing) rather than deeply concrete actions. The explicit trigger phrases and 'Use when' clause make it effective for skill selection.

Suggestions

Add more specific concrete actions beyond generic security concepts, e.g., 'rotate API keys, configure IP allowlists, set up role-based access, review audit logs for Gamma endpoints'.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | The description names the domain (Gamma security) and mentions some actions like 'securing API keys', 'implementing access controls', and 'auditing security configuration', but these are somewhat generic security concepts rather than highly specific concrete actions (e.g., rotating keys, setting up RBAC, configuring TLS). | 2 / 3 |
| Completeness | The description clearly answers both 'what' (implement security best practices for Gamma integration including API keys, access controls, auditing) and 'when' (explicit 'Use when' clause and 'Trigger with phrases' section providing clear activation guidance). | 3 / 3 |
| Trigger Term Quality | The description explicitly lists natural trigger phrases like 'gamma security', 'gamma API key security', 'gamma secure', 'gamma credentials', 'gamma access control'. These are terms users would naturally use when seeking help with Gamma security topics, providing good keyword coverage. | 3 / 3 |
| Distinctiveness Conflict Risk | The description is narrowly scoped to Gamma-specific security, which is a clear niche. The combination of 'Gamma' + 'security' makes it unlikely to conflict with general security skills or other Gamma-related skills focused on non-security topics. | 3 / 3 |

Total: 11 / 12 (Passed)

Implementation

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill provides a reasonable security practices overview with concrete TypeScript examples, a useful checklist, and an error remediation table. However, it suffers from speculative API usage (fabricated SDK features like 'scopes' and 'interceptors'), incomplete workflows (key rotation is just comments), and missing validation checkpoints for security-critical operations. The content would benefit from being grounded in actual Gamma API capabilities and adding explicit verification steps.

Suggestions

Replace speculative/fabricated API examples (scopes, interceptors) with verified Gamma SDK patterns, or clearly mark them as hypothetical patterns to adapt

Make the key rotation workflow (Step 2) actionable with real commands and explicit validation checkpoints (e.g., 'verify new key works by calling GET /me before revoking old key')

Split detailed code examples (request signing, audit logging) into separate referenced files to keep SKILL.md as a concise overview

Add explicit verification steps after each security configuration change (e.g., 'Test: confirm env var is loaded by logging key prefix only')

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The skill is reasonably efficient but includes some unnecessary elements: the 'Prerequisites' section adds little value, and some code comments are explanatory where Claude wouldn't need them. The 'Request Signing' section is speculative ('if supported') which wastes tokens on uncertain functionality. | 2 / 3 |
| Actionability | Code examples are concrete and mostly executable, but several are speculative or pseudocode-like (e.g., the rotation script is just comments, the scoped API keys use hypothetical 'scopes' parameter, and the interceptors API is assumed). The Gamma SDK API surface appears fabricated rather than documented from real APIs. | 2 / 3 |
| Workflow Clarity | Steps are sequenced logically and the security checklist provides a good summary, but the key rotation workflow (Step 2) is just comments rather than executable steps with validation. There are no explicit validation checkpoints; for security operations involving credential rotation and access control changes, feedback loops and verification steps are notably absent. | 2 / 3 |
| Progressive Disclosure | The content is well-structured with clear sections and a checklist, but it's fairly long for a single file with no bundle support. The error handling table and detailed code examples for request signing and audit logging could be split into referenced files. The 'Next Steps' reference to gamma-prod-checklist is good but there are no other cross-references to manage the content volume. | 2 / 3 |

Total: 8 / 12 (Passed)

Validation

81%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 9 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |

Total: 9 / 11 (Passed)

Repository
jeremylongshore/claude-code-plugins-plus-skills
Reviewed
