Programmatic security management in Neo4j — RBAC/ABAC, user lifecycle (CREATE/ALTER/DROP USER), role lifecycle (CREATE/GRANT ROLE/DROP ROLE), privilege grants and denies (GRANT/DENY/REVOKE on graph, database, DBMS), property-level access control, sub-graph access control, SHOW PRIVILEGES inspection, and auth provider config reference (LDAP, OIDC/SSO). Use when an agent needs to manage users, roles, or privileges programmatically via Cypher on the system database. Does NOT handle Cypher query writing — use neo4j-cypher-skill. Does NOT handle cluster ops or backups — use neo4j-cli-tools-skill. Property-level security and ABAC require Enterprise Edition.
95
96%
Does it follow best practices?
Impact
91%
1.05x Average score across 3 eval scenarios
Risky
Do not use without reviewing
Quality
Discovery
100% Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that thoroughly enumerates specific capabilities, includes strong natural trigger terms, explicitly states when to use it, and proactively distinguishes itself from related skills with 'Does NOT handle' clauses. The description is information-dense without being padded, uses proper third-person voice, and includes helpful context about Enterprise Edition requirements.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: RBAC/ABAC, user lifecycle (CREATE/ALTER/DROP USER), role lifecycle (CREATE/GRANT ROLE/DROP ROLE), privilege grants/denies (GRANT/DENY/REVOKE on graph, database, DBMS), property-level access control, sub-graph access control, SHOW PRIVILEGES inspection, and auth provider config reference (LDAP, OIDC/SSO). | 3 / 3 |
| Completeness | Clearly answers both 'what' (programmatic security management with detailed enumeration of capabilities) and 'when' ('Use when an agent needs to manage users, roles, or privileges programmatically via Cypher on the system database'). Also includes explicit negative boundaries directing to other skills. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms a user or agent would use: 'users', 'roles', 'privileges', 'RBAC', 'ABAC', 'GRANT', 'DENY', 'REVOKE', 'LDAP', 'OIDC/SSO', 'Neo4j', 'security', 'access control', 'Cypher', 'system database'. These are the exact terms someone managing Neo4j security would naturally use. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive with a clear niche (Neo4j security management) and explicit boundary statements that differentiate it from neo4j-cypher-skill and neo4j-cli-tools-skill. The negative 'Does NOT handle' clauses actively prevent conflicts with related skills. | 3 / 3 |
| Total | 12 / 12 Passed | |
Implementation
92% Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a high-quality, comprehensive security management skill that provides excellent actionable guidance with concrete Cypher examples for every operation. The MCP Write Gate and end-of-file checklist demonstrate strong safety awareness and workflow discipline. The main weakness is that the skill is quite long and could benefit from splitting reference-heavy sections (privilege decision table, auth provider configs, built-in roles) into separate files to improve progressive disclosure and reduce token cost.
Suggestions
Consider moving the Auth Provider Config Reference (Section 9) and the Privilege Decision Table (Section 3) into separate referenced files to reduce the main skill's token footprint while keeping the core workflow lean.
The referenced file 'references/privilege-reference.md' is not provided in the bundle — either create it or remove the dangling reference.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is lean and efficient throughout. It avoids explaining what Neo4j is, what RBAC means, or how Cypher works — it assumes Claude knows these things. Every section delivers concrete syntax with minimal prose. Comments are inline and terse. | 3 / 3 |
| Actionability | Nearly every section provides copy-paste-ready Cypher commands with realistic examples. The privilege decision table is an excellent quick-reference. Config snippets for LDAP/OIDC are concrete with placeholder patterns. Parameterized password examples show best practices. | 3 / 3 |
| Workflow Clarity | The MCP Write Gate section establishes a mandatory confirmation checkpoint before any destructive operation. The 'Checklist — New Role Setup' at the end provides a clear multi-step workflow with verification steps (SHOW ROLE/USER PRIVILEGES). The DENY-overrides-GRANT sequencing is explicitly called out. For a security management skill, the validation and safety gates are well-placed. | 3 / 3 |
| Progressive Disclosure | The content is well-structured with clear sections and a logical progression from users → roles → privileges → advanced features. However, it's quite long (~250 lines of dense content) and only references one external file (references/privilege-reference.md) which isn't provided in the bundle. Some sections like the auth provider config reference could be split into separate files to reduce the main skill's token footprint. | 2 / 3 |
| Total | 11 / 12 Passed | |
Validation
90% Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
66ed0e1