
cloudflare-workers-security

Cloudflare Workers security with authentication, CORS, rate limiting, input validation. Use for securing APIs, JWT/API keys, or encountering auth failures, CORS errors, XSS/injection vulnerabilities.

68

Quality

82%

Does it follow best practices?

Impact

No eval scenarios have been run

Security by Snyk

Advisory

Suggest reviewing before use


Quality

Content

64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a solid, actionable security skill with complete, executable code examples covering the major security concerns for Cloudflare Workers. Its main weaknesses are moderate verbosity with overlapping content between the checklist and detailed sections, and a lack of explicit validation/testing workflows for security implementations. The progressive disclosure structure is well-designed in theory but the main file carries too much inline detail that could be offloaded to the referenced files.

Suggestions

Reduce redundancy by trimming the Quick Security Checklist to just the numbered steps without code, since each pattern has a full implementation section below.

Add explicit validation/testing steps after each security pattern (e.g., 'Test with: curl -H "Authorization: Bearer invalid" to verify 401 response').

Move full implementations (JWT verification, API key validation) into the referenced template files and keep only concise snippets in SKILL.md to improve progressive disclosure.

Dimension | Reasoning | Score

Conciseness

The skill is fairly well-structured but includes some redundancy—the Quick Security Checklist overlaps with the detailed sections below (security headers, CORS, auth all appear twice). The Top 10 Security Errors table, while useful, contains some obvious items Claude would already know. The code examples are appropriately sized but the overall document could be tightened.

2 / 3

Actionability

All code examples are fully executable TypeScript with proper imports, error handling, and return types. The JWT verification, API key validation, Zod input validation, security headers, and CORS configuration are all copy-paste ready and complete.

3 / 3

Workflow Clarity

The Quick Security Checklist provides a numbered sequence, but there are no explicit validation checkpoints or feedback loops. For security-critical operations (e.g., implementing auth, configuring CORS), there's no 'verify your setup' step or testing guidance. The skill presents patterns but doesn't guide through a workflow with error recovery.

2 / 3

Progressive Disclosure

The skill references multiple external files (references/, templates/, scripts/) with clear navigation tables, which is good structure. However, no bundle files are provided, so these references are unverifiable. Additionally, the main file is quite long (~200 lines of code) with full implementations inline that could have been delegated to the referenced template files, keeping the SKILL.md as a leaner overview.

2 / 3

Total: 9 / 12 (Passed)

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong, well-crafted skill description that concisely covers specific security capabilities within the Cloudflare Workers domain. It includes both a clear 'what' and 'when' clause with natural trigger terms covering common user scenarios like auth failures and CORS errors. The description is distinctive enough to avoid conflicts with other skills while remaining concise.

Dimension | Reasoning | Score

Specificity

Lists multiple specific concrete actions: authentication, CORS, rate limiting, input validation. Also mentions JWT/API keys, XSS/injection vulnerabilities — these are concrete, actionable security domains.

3 / 3

Completeness

Clearly answers both 'what' (security with authentication, CORS, rate limiting, input validation) and 'when' ('Use for securing APIs, JWT/API keys, or encountering auth failures, CORS errors, XSS/injection vulnerabilities'). The 'Use for...' clause serves as an explicit trigger guidance.

3 / 3

Trigger Term Quality

Includes strong natural trigger terms users would actually say: 'auth failures', 'CORS errors', 'XSS', 'injection', 'JWT', 'API keys', 'rate limiting', 'securing APIs'. These cover common variations of security-related queries in the Cloudflare Workers context.

3 / 3

Distinctiveness Conflict Risk

Narrowly scoped to Cloudflare Workers security specifically, with distinct triggers like CORS errors, JWT, rate limiting, and XSS/injection. This is unlikely to conflict with general coding skills or non-security Cloudflare Workers skills.

3 / 3

Total: 12 / 12 (Passed)

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: secondsky/claude-skills (Reviewed)
