OAuth 2.0 and OpenID Connect authentication with secure flows. Use for third-party integrations, SSO systems, token-based API access, or encountering authorization code flow, PKCE, token refresh, scope management errors.
Score: 90 (88%)
Does it follow best practices?
Impact: Pending. No eval scenarios have been run.
Advisory: Suggest reviewing before use.
Quality
Discovery (89%)
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a solid skill description with excellent trigger term coverage and clear 'when to use' guidance. Its main weakness is that it describes the domain and topics rather than listing concrete actions the skill performs (e.g., 'implement OAuth flows', 'debug token refresh errors', 'configure PKCE'). The distinctiveness is strong due to the specialized authentication domain.
Suggestions
Replace the abstract opening with concrete actions, e.g., 'Implements OAuth 2.0 authorization code flows, configures PKCE, manages token refresh logic, and debugs scope management errors.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (OAuth 2.0, OpenID Connect) and mentions some specific concepts (authorization code flow, PKCE, token refresh, scope management), but doesn't list concrete actions the skill performs; it describes topics rather than actions like 'implement', 'debug', 'configure'. | 2 / 3 |
| Completeness | Clearly answers both 'what' (OAuth 2.0 and OpenID Connect authentication with secure flows) and 'when' (use for third-party integrations, SSO systems, token-based API access, or when encountering specific error types). The 'Use for...' clause serves as explicit trigger guidance. | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms users would actually use: 'OAuth', 'OpenID Connect', 'SSO', 'PKCE', 'token refresh', 'scope management', 'authorization code flow', 'third-party integrations', and 'token-based API access'. Good coverage of common variations. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive, with a clear niche around OAuth/OIDC authentication. The specific trigger terms like 'PKCE', 'authorization code flow', 'token refresh', and 'scope management' make it very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation (87%)
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong skill that efficiently covers OAuth 2.0 flows with actionable, executable code and good progressive disclosure. Its main weakness is the lack of explicit validation/error-handling steps in the token exchange workflow—critical for a security-focused skill. The security requirements and anti-patterns sections are well-structured and valuable.
Suggestions
Add explicit validation steps after token exchange: check HTTP status, validate ID token signature/claims (e.g., verify iss, aud, exp), and show error recovery flow
Include a brief token refresh code example since 'Refresh Token' is listed as a flow but has no implementation
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is lean and efficient. It uses a table for flow selection, provides only necessary code, and lists security requirements as bullet points without explaining what OAuth is or how HTTP works. Every section earns its place. | 3 / 3 |
| Actionability | Provides fully executable Express.js code for the authorization code flow and PKCE generation. The code includes state validation, proper token exchange, and uses real patterns (URLSearchParams, fetch, crypto) that are copy-paste ready with minimal configuration. | 3 / 3 |
| Workflow Clarity | The authorization code flow has clear Step 1 and Step 2 comments, but lacks explicit validation checkpoints after token exchange (e.g., validating the ID token signature, checking the token response for errors, verifying claims). For a security-critical flow, missing error handling and validation feedback loops is a notable gap. | 2 / 3 |
| Progressive Disclosure | The skill provides a concise overview with the core JavaScript implementation inline, then cleanly references additional Python/Java implementations via a single-level-deep link to references/python-java.md. Content is well-organized with clear section headers and appropriate splitting. | 3 / 3 |
| Total | | 11 / 12 Passed |
Validation (100%)
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation: 11 / 11 Passed
Validation for skill structure
No warnings or errors.
88da5ff