
oauth-implementation

OAuth 2.0 and OpenID Connect authentication with secure flows. Use for third-party integrations, SSO systems, token-based API access, or encountering authorization code flow, PKCE, token refresh, scope management errors.

69

Quality: 84% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security (by Snyk): Advisory. Suggest reviewing before use


Quality

Content: 79%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured OAuth skill that provides concrete, executable code examples and efficient use of tokens. Its main weaknesses are the lack of explicit validation/error-handling checkpoints after the token exchange step and the inability to verify the referenced bundle file. The security guidance is practical and appropriately presented as constraints rather than explanations.

Suggestions

Add explicit validation after the token exchange: check the HTTP response status and error code, validate the ID token's JWT signature against the provider's JWKS endpoint, and verify its claims (iss, aud, exp, and the nonce sent in the request).

Add error recovery guidance for common failure scenarios: an expired or already-used authorization code (an invalid_grant error response), a redirect URI that does not match the registered one, and network failures during the token exchange.

Dimension (Score): Reasoning

Conciseness (3 / 3): The content is lean and efficient. The flow comparison table is compact, code examples are directly relevant, and security requirements are presented as concise bullet lists without explaining what OAuth is or how HTTP works.

Actionability (3 / 3): Provides fully executable Express.js code for the authorization code flow with state validation, a concrete PKCE implementation, and specific security requirements. The code is copy-paste ready with clear environment variable references.

Workflow Clarity (2 / 3): The authorization code flow has clear Step 1 and Step 2 labels with state validation, but it lacks explicit validation checkpoints after the token exchange (for example, checking the token response status and validating the JWT signature and claims) and offers no error recovery guidance for failed token exchanges.

Progressive Disclosure (2 / 3): Good structure with a clear overview and a reference to python-java.md for additional implementations, but the bundle has no files provided, so the referenced path cannot be verified. The main content is well organized, but the 'Never Do' section could be merged with 'Security Requirements' for tighter organization.

Total: 10 / 12. Passed

Description: 89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a solid description with excellent trigger term coverage and clear 'when to use' guidance. Its main weakness is that it describes the domain and topics rather than listing concrete actions the skill performs (e.g., 'implement OAuth flows', 'debug token refresh issues', 'configure PKCE'). The distinctiveness is strong due to the specialized authentication domain.

Suggestions

Replace the abstract opening with concrete actions: e.g., 'Implements OAuth 2.0 authorization code flows, configures PKCE, manages token refresh logic, and debugs scope management errors' instead of 'OAuth 2.0 and OpenID Connect authentication with secure flows'.

Dimension (Score): Reasoning

Specificity (2 / 3): Names the domain (OAuth 2.0, OpenID Connect) and mentions some specific concepts (authorization code flow, PKCE, token refresh, scope management), but doesn't list concrete actions the skill performs; it describes topics rather than actions like 'implement', 'debug', 'configure'.

Completeness (3 / 3): Clearly answers both 'what' (OAuth 2.0 and OpenID Connect authentication with secure flows) and 'when' (an explicit 'Use for' clause listing third-party integrations, SSO systems, token-based API access, and specific error scenarios).

Trigger Term Quality (3 / 3): Includes strong natural trigger terms users would actually use: 'OAuth', 'OpenID Connect', 'SSO', 'PKCE', 'token refresh', 'scope management', 'authorization code flow', 'third-party integrations', 'token-based API access'. Good coverage of both high-level and specific terms.

Distinctiveness / Conflict Risk (3 / 3): Highly distinctive with a clear niche around OAuth/OIDC authentication. The specific trigger terms like 'PKCE', 'authorization code flow', 'token refresh', and 'scope management' make it very unlikely to conflict with other skills.

Total: 11 / 12. Passed

Validation: 100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation for skill structure: 11 / 11 passed. No warnings or errors.

Repository: secondsky/claude-skills (Reviewed)
