Jwt Token Validator - Auto-activating skill for Security Fundamentals. Triggers on: jwt token validator, jwt token validator. Part of the Security Fundamentals skill category.
34
3%
Does it follow best practices?
Impact
90%
0.98x
Average score across 3 eval scenarios
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./planned-skills/generated/03-security-fundamentals/jwt-token-validator/SKILL.md
Quality
Discovery
7%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is extremely weak—it is essentially just a skill name repeated with boilerplate metadata. It provides no concrete actions, no natural trigger terms beyond the skill name, and no explicit guidance on when Claude should select this skill. It reads like an auto-generated stub rather than a functional skill description.
Suggestions
Add concrete actions the skill performs, e.g., 'Decodes JWT tokens, validates signatures, checks expiration claims, and inspects token payloads.'
Add an explicit 'Use when...' clause with natural trigger terms, e.g., 'Use when the user asks to decode, validate, or inspect a JWT, JSON Web Token, bearer token, or needs to verify token signatures and claims.'
Remove the duplicate trigger term ('jwt token validator' is listed twice) and expand with natural variations like 'JWT', 'JSON Web Token', 'decode token', 'verify token', 'token claims'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain ('JWT Token Validator') but describes no concrete actions. There is no mention of what the skill actually does—no verbs like 'validate', 'decode', 'verify signatures', 'check expiration', etc. | 1 / 3 |
| Completeness | The description fails to answer both 'what does this do' and 'when should Claude use it'. There is no explicit 'Use when...' clause and no description of capabilities beyond the skill name itself. | 1 / 3 |
| Trigger Term Quality | The only trigger terms listed are 'jwt token validator' repeated twice. It misses natural variations users would say such as 'JWT', 'JSON Web Token', 'decode token', 'verify JWT', 'token validation', 'bearer token', etc. | 1 / 3 |
| Distinctiveness Conflict Risk | The term 'JWT Token Validator' is fairly specific to a niche domain, which provides some distinctiveness. However, the lack of concrete action descriptions means it could overlap with other security-related skills. | 2 / 3 |
| Total | 5 / 12 Passed | |
Implementation
0%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is an empty template with no actual content about JWT token validation. It contains only generic boilerplate text that repeats the skill name without providing any actionable guidance, code examples, security considerations, or technical substance. It would be entirely useless for guiding Claude to perform JWT validation tasks.
Suggestions
Add concrete, executable code examples for JWT validation (e.g., using PyJWT or jsonwebtoken) including signature verification, expiration checks, and claims validation.
Include a clear workflow: 1) Extract token, 2) Validate signature with correct algorithm, 3) Check expiration/claims, 4) Handle errors — with specific security pitfalls like algorithm confusion attacks.
Add security-specific guidance such as: never use 'none' algorithm, always validate 'alg' header, check issuer/audience claims, and handle key rotation.
Remove all boilerplate sections (Purpose, When to Use, Example Triggers) that contain no technical content and replace with actionable reference material.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is entirely filler and boilerplate. It explains nothing Claude doesn't already know, repeats 'jwt token validator' excessively, and provides zero actual technical content about JWT validation. | 1 / 3 |
| Actionability | There is no concrete code, no commands, no specific JWT validation logic, no library recommendations, and no executable guidance whatsoever. It only describes what the skill supposedly does in vague terms. | 1 / 3 |
| Workflow Clarity | No workflow, steps, or process is defined. The skill claims to provide 'step-by-step guidance' but contains none. There are no validation checkpoints or any sequenced instructions. | 1 / 3 |
| Progressive Disclosure | The content is a flat, monolithic block of generic placeholder text with no references to detailed materials, no links to related files, and no meaningful structural organization beyond boilerplate headings. | 1 / 3 |
| Total | 4 / 12 Passed | |
Validation
81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |
87f14eb