neo4j-security-skill

Programmatic security management in Neo4j — RBAC/ABAC, user lifecycle (CREATE/ALTER/DROP USER), role lifecycle (CREATE/GRANT ROLE/DROP ROLE), privilege grants and denies (GRANT/DENY/REVOKE on graph, database, DBMS), property-level access control, sub-graph access control, SHOW PRIVILEGES inspection, and auth provider config reference (LDAP, OIDC/SSO). Use when an agent needs to manage users, roles, or privileges programmatically via Cypher on the system database. Does NOT handle Cypher query writing — use neo4j-cypher-skill. Does NOT handle cluster ops or backups — use neo4j-cli-tools-skill. Property-level security and ABAC require Enterprise Edition.

95

1.13x
Quality: 96% (Does it follow best practices?)

Impact: 92%, 1.13x (Average score across 3 eval scenarios)

Security by Snyk: Risky. Do not use without reviewing.

Quality

Content: 92%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a high-quality, comprehensive security management skill that excels in actionability and conciseness. The privilege decision table, common role patterns, and verification checklist make it immediately useful. The only notable weaknesses are the reference to a non-existent bundle file and the length of the document, which could benefit from splitting the auth provider config and privilege reference into separate files.

Suggestions

Create the referenced 'references/privilege-reference.md' file or remove the dangling reference at the bottom of the checklist.

Consider extracting Section 9 (Auth Provider Config Reference) into a separate file since it's operational config rather than Cypher-based security management, which would reduce the main skill's token footprint.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The content is lean and efficient throughout. It avoids explaining what Neo4j is, what RBAC means, or how Cypher works. Every section delivers concrete syntax with minimal prose. Comments are inline and terse. The decision table format is an excellent token-efficient way to present privilege mappings. | 3 / 3 |
| Actionability | Nearly every section contains copy-paste-ready Cypher commands with realistic examples. The privilege decision table, common role patterns, and SHOW PRIVILEGES patterns are all fully executable. Config snippets for LDAP/OIDC are concrete with placeholder values that are clearly marked. | 3 / 3 |
| Workflow Clarity | The MCP Write Gate section establishes a mandatory confirmation checkpoint before any destructive operation. The 'Checklist — New Role Setup' at the end provides a clear sequenced workflow with verification steps (SHOW ROLE ... PRIVILEGES AS COMMANDS, SHOW USER ... PRIVILEGES AS COMMANDS). The DENY-overrides-GRANT pattern is explicitly called out as a critical ordering concern. | 3 / 3 |
| Progressive Disclosure | The content is well-structured with clear numbered sections and a logical progression from simple (users) to complex (ABAC). However, it references 'references/privilege-reference.md' at the bottom but no bundle files exist to support this. The skill is quite long (~250 lines) and some sections like the auth provider config reference could potentially be split out, though the inline content is well-organized. | 2 / 3 |

Total: 11 / 12, Passed

Description: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that thoroughly enumerates specific capabilities, includes rich trigger terms that users would naturally use, explicitly states both what it does and when to use it, and proactively distinguishes itself from related skills with 'Does NOT handle' clauses. The description uses proper third-person voice throughout and provides actionable detail without unnecessary verbosity.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Lists multiple specific concrete actions: user lifecycle (CREATE/ALTER/DROP USER), role lifecycle (CREATE/GRANT ROLE/DROP ROLE), privilege grants and denies (GRANT/DENY/REVOKE on graph, database, DBMS), property-level access control, sub-graph access control, SHOW PRIVILEGES inspection, and auth provider config reference (LDAP, OIDC/SSO). | 3 / 3 |
| Completeness | Clearly answers both 'what' (programmatic security management with detailed enumeration of capabilities) and 'when' ('Use when an agent needs to manage users, roles, or privileges programmatically via Cypher on the system database'). Also includes explicit negative boundaries distinguishing it from related skills. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: RBAC, ABAC, users, roles, privileges, GRANT, DENY, REVOKE, LDAP, OIDC/SSO, CREATE USER, DROP USER, Neo4j, Cypher, system database, property-level security, Enterprise Edition. These are terms a user managing Neo4j security would naturally use. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive with a clear niche (Neo4j security management) and explicit boundary statements that differentiate it from neo4j-cypher-skill and neo4j-cli-tools-skill. The 'Does NOT handle' clauses actively prevent conflict with related skills. | 3 / 3 |

Total: 12 / 12, Passed

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |

Total: 10 / 11, Passed

Repository: neo4j-contrib/neo4j-skills (Reviewed)
