Oauth2 Flow Helper - Auto-activating skill for Security Fundamentals. Triggers on: oauth2 flow helper, oauth2 flow helper. Part of the Security Fundamentals skill category.
Quality: 3% (Does it follow best practices?)
Impact: 90% (1.00x). Average score across 3 eval scenarios.
Passed: No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./planned-skills/generated/03-security-fundamentals/oauth2-flow-helper/SKILL.md
Quality
Discovery
7%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is severely underdeveloped, essentially just restating the skill name without explaining capabilities or usage triggers. It provides no actionable information for Claude to determine when to select this skill over others. The redundant trigger terms and missing 'Use when...' clause make this ineffective for skill selection.
Suggestions
Add specific concrete actions the skill performs, e.g., 'Implements OAuth2 authorization flows, generates access tokens, debugs authentication errors, validates redirect URIs'
Add a 'Use when...' clause with natural trigger terms like 'OAuth', 'authorization code', 'access token', 'refresh token', 'login flow', 'API authentication'
Remove the redundant trigger term and expand to include variations users would naturally say when needing OAuth2 help
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description uses vague language like 'Oauth2 Flow Helper' without describing any concrete actions. It doesn't explain what the skill actually does - no verbs describing capabilities like 'validates', 'generates', 'debugs', etc. | 1 / 3 |
| Completeness | The description fails to answer 'what does this do' beyond the name, and has no 'Use when...' clause or equivalent guidance for when Claude should select this skill. Only states it's part of a category. | 1 / 3 |
| Trigger Term Quality | The trigger terms are redundant ('oauth2 flow helper' listed twice) and overly specific. Missing natural variations users would say like 'OAuth', 'authorization code', 'access token', 'refresh token', 'authentication flow', etc. | 1 / 3 |
| Distinctiveness Conflict Risk | While 'OAuth2' is a specific domain, the lack of detail about what aspects of OAuth2 this handles (implementation, debugging, token management, etc.) could cause overlap with other security-related skills. | 2 / 3 |
| Total | 5 / 12 Passed | |
Implementation
0%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is an empty template that provides zero actionable OAuth2 guidance. It describes capabilities in abstract terms without any concrete implementation details, code examples, or workflow steps. The content would be useless for actually helping with OAuth2 flows.
Suggestions
Add concrete code examples for common OAuth2 flows (authorization code, PKCE, client credentials) with actual HTTP requests and token handling
Define clear step-by-step workflows for each OAuth2 flow type with validation checkpoints (e.g., verify token response, check scopes, handle refresh)
Include specific security considerations: state parameter validation, PKCE code verifier generation, secure token storage patterns
Remove all generic boilerplate ('Provides step-by-step guidance', 'Follows industry best practices') and replace with actual technical content
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is padded with generic boilerplate that provides no actual OAuth2 knowledge. Phrases like 'Provides step-by-step guidance' and 'Follows industry best practices' are empty filler that Claude already understands conceptually. | 1 / 3 |
| Actionability | No concrete code, commands, or specific OAuth2 flow details are provided. The skill describes what it does abstractly ('Generates production-ready code') without actually providing any executable guidance or examples. | 1 / 3 |
| Workflow Clarity | No workflow steps are defined. For OAuth2 flows (authorization code, PKCE, token refresh), clear multi-step sequences with validation checkpoints are essential but completely absent. | 1 / 3 |
| Progressive Disclosure | The content is a shallow placeholder with no actual substance to organize. There are no references to detailed materials, no code examples to split out, and no structured navigation to deeper content. | 1 / 3 |
| Total | 4 / 12 Passed | |
Validation
81%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 9 / 11 Passed | |
994edc4