Cloudflare Workers security with authentication, CORS, rate limiting, input validation. Use for securing APIs, JWT/API keys, or encountering auth failures, CORS errors, XSS/injection vulnerabilities.
89
86%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Advisory
Suggest reviewing before use
Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, well-crafted description that concisely covers specific security capabilities within the Cloudflare Workers domain. It includes both a clear 'what' and 'when' clause with natural trigger terms that users would realistically use. The description is distinctive enough to avoid conflicts with other skills while being comprehensive in its coverage of security-related scenarios.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: authentication, CORS, rate limiting, input validation. Also mentions JWT/API keys, XSS/injection vulnerabilities — these are concrete, actionable security domains. | 3 / 3 |
| Completeness | Clearly answers both 'what' (security with authentication, CORS, rate limiting, input validation) and 'when' ('Use for securing APIs, JWT/API keys, or encountering auth failures, CORS errors, XSS/injection vulnerabilities'). The 'Use for...' clause serves as an explicit trigger guidance. | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms users would actually say: 'auth failures', 'CORS errors', 'XSS', 'injection', 'JWT', 'API keys', 'rate limiting', 'securing APIs'. These cover common variations of security-related queries in the Cloudflare Workers context. | 3 / 3 |
| Distinctiveness Conflict Risk | Narrowly scoped to Cloudflare Workers security specifically, with distinct triggers like CORS errors, JWT, rate limiting, and XSS/injection. The combination of 'Cloudflare Workers' + 'security' creates a clear niche unlikely to conflict with general web security or general Cloudflare skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
72%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable security skill with excellent executable code examples and good progressive disclosure through references and templates. Its main weaknesses are moderate verbosity (some content Claude already knows, like basic security principles) and lack of explicit validation/verification steps in the workflows. The document would benefit from trimming obvious security advice and adding verification checkpoints.
Suggestions
Add verification steps after key security implementations (e.g., 'Test JWT verification with an expired token to confirm rejection', 'Verify CORS by sending a request from a non-allowed origin')
Trim the 'Critical Rules' section and Top 10 table — much of this is general security knowledge Claude already has; focus on Cloudflare Workers-specific gotchas instead
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is fairly comprehensive but includes some content Claude already knows (e.g., basic security concepts like 'Never trust client input', explaining what clickjacking is via comments). The Top 10 Security Errors table, while useful, contains some obvious entries. The code examples are mostly lean, but the overall document is long for what could be more tightly organized with references. | 2 / 3 |
| Actionability | Excellent executable code examples throughout — JWT verification, API key validation, Zod input validation, security headers, and CORS configuration are all copy-paste ready TypeScript. Specific commands and concrete patterns are provided rather than abstract descriptions. | 3 / 3 |
| Workflow Clarity | The Quick Security Checklist provides a numbered sequence, but there are no explicit validation checkpoints or feedback loops. For security-critical operations (e.g., implementing auth, configuring CORS), there's no 'verify your setup' step or error recovery guidance. The skill presents patterns but not a clear workflow for applying them safely. | 2 / 3 |
| Progressive Disclosure | Well-structured with a quick checklist overview, then detailed sections, and clear pointers to reference files, templates, and scripts. The 'When to Load References' section provides excellent one-level-deep navigation with clear signals for when to consult each resource. | 3 / 3 |
| Total | | 10 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
88da5ff