Apply Instantly.ai security best practices for API keys, scopes, and access control. Use when securing API keys, implementing least-privilege access, or auditing Instantly workspace permissions. Trigger with phrases like "instantly security", "instantly api key safety", "instantly least privilege", "secure instantly", "instantly access control".
59
70%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./plugins/saas-packs/instantly-pack/skills/instantly-security-basics/SKILL.md
Quality
Discovery
89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-structured skill description that clearly identifies its niche (Instantly.ai security), provides explicit 'Use when' guidance, and includes helpful trigger phrases. Its main weakness is that the capabilities described are somewhat high-level—'apply best practices' is a bit vague compared to listing specific concrete actions like key rotation, scope restriction, or permission auditing workflows.
Suggestions
Replace 'Apply Instantly.ai security best practices' with more specific actions, e.g., 'Rotate and scope API keys, configure least-privilege access roles, audit workspace permissions in Instantly.ai.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | It names the domain (Instantly.ai security) and some actions (API keys, scopes, access control, least-privilege access, auditing permissions), but the actions are somewhat general and not deeply concrete—e.g., it doesn't specify what 'apply best practices' entails in terms of specific steps like rotating keys, revoking tokens, or configuring specific scope settings. | 2 / 3 |
| Completeness | The description clearly answers both 'what' (apply Instantly.ai security best practices for API keys, scopes, and access control) and 'when' (securing API keys, implementing least-privilege access, auditing workspace permissions), with explicit trigger phrases provided. | 3 / 3 |
| Trigger Term Quality | The description includes a rich set of natural trigger terms: 'instantly security', 'instantly api key safety', 'instantly least privilege', 'secure instantly', 'instantly access control', plus terms like 'API keys', 'scopes', 'workspace permissions'. These cover a good range of phrases a user would naturally say. | 3 / 3 |
| Distinctiveness Conflict Risk | The skill is narrowly scoped to Instantly.ai security specifically, combining a particular platform (Instantly) with a specific concern (API key security, access control). This is a clear niche unlikely to conflict with general security skills or other Instantly.ai skills focused on different functionality. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
50%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a comprehensive security guide for Instantly.ai integrations with good structural organization and useful reference tables. Its main weaknesses are reliance on undefined helper functions/classes that reduce true executability, some verbosity in explaining concepts Claude already knows, and a monolithic structure that would benefit from splitting detailed examples into supporting files. The content appears to make assumptions about Instantly API endpoints (audit-logs, workspace-members) that may not be accurate.
Suggestions
Define or import the `instantly()` helper function and `InstantlyClient` class used throughout, or replace with raw fetch/axios calls to make examples truly executable.
Remove explanations of basic concepts like 'never hardcode API keys' and .gitignore patterns — Claude already knows these. Focus on Instantly-specific security patterns.
Add explicit validation checkpoints after key creation and webhook setup steps (e.g., 'Verify the new scoped key works by making a test API call before proceeding').
Split detailed code examples (webhook setup, audit logging, key rotation) into separate bundle files and reference them from the main SKILL.md to improve progressive disclosure.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is reasonably well-structured but includes some unnecessary verbosity. The secret management section explains basic concepts Claude already knows (e.g., 'NEVER hardcode API keys', .gitignore patterns). The Google Cloud Secret Manager example adds bulk that may not be relevant to all users. Some comments are redundant given the code is self-explanatory. | 2 / 3 |
| Actionability | The code examples are mostly concrete and TypeScript-based, but they rely on an undefined `instantly()` helper function and `InstantlyClient` class that are never defined or imported, making them not truly copy-paste executable. The scope patterns (resource:action) and API endpoints appear plausible but may not match actual Instantly API v2 behavior, and the audit-logs endpoint may not exist. | 2 / 3 |
| Workflow Clarity | The steps are clearly numbered and sequenced, and the key rotation workflow includes a verification step (test call). However, the overall flow lacks explicit validation checkpoints between steps — for instance, there's no verification after creating scoped keys, no feedback loop for webhook validation failures, and the security checklist at the end serves as a post-hoc review rather than integrated validation gates. | 2 / 3 |
| Progressive Disclosure | The content is well-organized with clear headers and a logical progression from scopes to secrets to rotation to webhooks. However, it's quite long (~180 lines of substantive content) and could benefit from splitting detailed code examples into separate reference files. The reference to 'instantly-prod-checklist' at the end is good but there are no bundle files to support it, and the inline content is heavy for a SKILL.md overview. | 2 / 3 |
| Total | 8 / 12 Passed | |
Validation
81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |
d41e58e