webhook-signature-validator
Install with Tessl CLI
npx tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill webhook-signature-validatorWebhook Signature Validator - Auto-activating skill for API Integration. Triggers on: webhook signature validator, webhook signature validator Part of the API Integration skill category.
Overall
score
19%
Does it follow best practices?
Validation for skill structure
Activation
7%This description is essentially a placeholder that provides almost no useful information for skill selection. It relies entirely on the skill name without explaining capabilities, use cases, or meaningful trigger terms. The duplicate trigger term suggests auto-generated content without human refinement.
Suggestions
Add specific actions the skill performs, e.g., 'Validates webhook signatures using HMAC-SHA256, verifies payload integrity, checks timestamp freshness to prevent replay attacks'
Include a 'Use when...' clause with natural trigger scenarios, e.g., 'Use when receiving webhooks from services like Stripe, GitHub, or Slack, or when implementing webhook security'
Add varied trigger terms users might naturally say: 'verify webhook', 'check webhook signature', 'HMAC validation', 'webhook authentication', 'payload verification'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | The description only names the skill ('Webhook Signature Validator') without describing any concrete actions. There's no explanation of what it actually does - no mention of validating signatures, verifying payloads, checking HMAC, or any specific operations. | 1 / 3 |
Completeness | The description fails to answer 'what does this do' beyond the name, and provides no 'when should Claude use it' guidance. The 'Triggers on' section just repeats the name rather than providing meaningful trigger scenarios. | 1 / 3 |
Trigger Term Quality | The trigger terms are just the skill name repeated twice ('webhook signature validator, webhook signature validator'). This is redundant and misses natural variations users might say like 'verify webhook', 'check signature', 'HMAC validation', 'webhook security', or specific platforms like 'Stripe webhook'. | 1 / 3 |
Distinctiveness Conflict Risk | The term 'webhook signature validator' is fairly specific to a niche use case, which provides some distinctiveness. However, without concrete actions described, it could potentially overlap with general API security or authentication skills. | 2 / 3 |
Total | 5 / 12 Passed |
Implementation
0%This skill content is essentially a placeholder template with no actual substance. It contains zero technical information about webhook signature validation - no code examples, no explanation of HMAC verification, no mention of common providers (Stripe, GitHub, etc.), and no security considerations. The content fails on every dimension by providing only meta-descriptions of what a skill should do rather than actual instructions.
Suggestions
Add executable code examples showing webhook signature validation for at least one common provider (e.g., Stripe's HMAC-SHA256 verification)
Include a clear workflow: 1) Extract signature header, 2) Compute expected signature, 3) Use constant-time comparison, 4) Handle validation failures
Provide specific security guidance: timing-safe comparison functions, replay attack prevention with timestamps, and error response best practices
Remove all generic boilerplate text and replace with concrete, actionable technical content
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The content is padded with generic boilerplate that provides no actual information about webhook signature validation. Phrases like 'provides automated assistance' and 'follows industry best practices' are meaningless filler that waste tokens. | 1 / 3 |
Actionability | There is zero concrete guidance - no code examples, no specific commands, no actual implementation details for validating webhook signatures. The content only describes what the skill claims to do without showing how to do anything. | 1 / 3 |
Workflow Clarity | No workflow is provided whatsoever. Webhook signature validation requires specific steps (extract signature header, compute HMAC, compare securely) but none are mentioned. No validation checkpoints or error handling guidance. | 1 / 3 |
Progressive Disclosure | The content is a flat, uninformative structure with no references to detailed materials, no links to examples, and no organization beyond generic section headers that contain no useful content. | 1 / 3 |
Total | 4 / 12 Passed |
Validation
69%Validation — 11 / 16 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
description_trigger_hint | Description may be missing an explicit 'when to use' trigger hint (e.g., 'Use when...') | Warning |
allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
metadata_version | 'metadata' field is not a dictionary | Warning |
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
body_steps | No step-by-step structure detected (no ordered list); consider adding a simple workflow | Warning |
Total | 11 / 16 Passed | |
Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.