webhook-signature-validator
Webhook Signature Validator - Auto-activating skill for API Integration. Triggers on: webhook signature validator, webhook signature validator Part of the API Integration skill category.
36
3%
Does it follow best practices?
Impact
100%
1.00xAverage score across 3 eval scenarios
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./planned-skills/generated/16-api-integration/webhook-signature-validator/SKILL.mdQuality
Discovery
7%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is essentially a placeholder that repeats the skill name as its own trigger term and provides no substantive information about capabilities or usage scenarios. It lacks concrete actions, meaningful trigger terms, and explicit guidance on when Claude should select this skill. The only slight positive is that the domain ('webhook signature validator') is inherently somewhat niche.
Suggestions
Add specific concrete actions the skill performs, e.g., 'Validates webhook payload signatures using HMAC-SHA256, verifies request authenticity, compares computed hashes against signature headers for providers like Stripe, GitHub, and Slack.'
Add an explicit 'Use when...' clause with natural trigger scenarios, e.g., 'Use when the user needs to verify webhook signatures, validate incoming webhook requests, check HMAC hashes, or secure webhook endpoints.'
Replace the duplicated trigger term with diverse natural keywords users would say, such as 'webhook verification', 'HMAC signature', 'payload integrity', 'webhook secret', 'signature header validation', and specific provider names.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | The description only names the skill ('Webhook Signature Validator') and its category ('API Integration') but does not describe any concrete actions like validating HMAC signatures, verifying payloads, comparing hashes, or handling specific webhook providers. | 1 / 3 |
Completeness | The description fails to answer 'what does this do' beyond the name itself, and the 'when' clause is just a redundant repetition of the skill name rather than meaningful trigger guidance. There is no explicit 'Use when...' clause with real scenarios. | 1 / 3 |
Trigger Term Quality | The trigger terms are just the skill name repeated twice ('webhook signature validator, webhook signature validator'). It misses natural user terms like 'verify webhook', 'HMAC', 'webhook secret', 'signature verification', 'payload validation', or specific providers like Stripe/GitHub webhooks. | 1 / 3 |
Distinctiveness Conflict Risk | The term 'webhook signature validator' is fairly specific to a niche domain, which provides some natural distinctiveness. However, the lack of concrete detail about what it does versus other API/webhook-related skills means it could still overlap with general API integration or webhook handling skills. | 2 / 3 |
Total | 5 / 12 Passed |
Implementation
0%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is an empty shell with no actual content about webhook signature validation. It contains only boilerplate meta-descriptions that repeat the skill name without providing any technical guidance, code examples, or actionable instructions. It fails on every dimension because it teaches Claude nothing it doesn't already know.
Suggestions
Add concrete, executable code examples for webhook signature validation (e.g., HMAC-SHA256 verification in Python/Node.js with proper timing-safe comparison)
Include a clear workflow: extract signature header → compute expected signature → timing-safe compare → return 200/401, with error handling for missing headers or invalid payloads
Add provider-specific examples (Stripe, GitHub, Slack) showing their different signature schemes and header names
Remove all boilerplate meta-descriptions ('This skill provides automated assistance...') and replace with actual technical content
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The content is entirely filler and boilerplate. It explains nothing Claude doesn't already know, repeats 'webhook signature validator' excessively, and provides zero actual technical content about webhook signature validation. | 1 / 3 |
Actionability | There is no concrete code, no commands, no examples of actual webhook signature validation (e.g., HMAC-SHA256 verification, header extraction, timing-safe comparison). The content only describes what the skill could do without providing any executable guidance. | 1 / 3 |
Workflow Clarity | No workflow steps are defined. There is no sequence for validating webhook signatures, no validation checkpoints, and no error handling guidance. The 'step-by-step guidance' mentioned in capabilities is never actually provided. | 1 / 3 |
Progressive Disclosure | The content is a flat, repetitive structure with no meaningful organization. There are no references to detailed materials, no code examples to organize, and the sections are purely meta-descriptions rather than actual instructional content. | 1 / 3 |
Total | 4 / 12 Passed |
Validation
81%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 9 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 9 / 11 Passed | |
- Commit
b8a3b3e
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.