Test OAuth2 token refresh and session expiry locally. Use when working on auth, tokens, SSO, OIDC, or session management features.
85
77%
Does it follow best practices?
Impact
100%
1.11x Average score across 3 eval scenarios
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./.claude/skills/auth-testing/SKILL.md
Quality
Discovery
89% Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that clearly defines its niche (local OAuth2/session testing) and provides an explicit 'Use when' clause with strong trigger terms. The main weakness is that the 'what' portion could be more specific about the concrete actions performed (e.g., mock token endpoints, simulate expired sessions, test refresh flows). Overall it's a strong description that would perform well in skill selection.
Suggestions
Expand the 'what' portion with more concrete actions, e.g., 'Test OAuth2 token refresh and session expiry locally by mocking token endpoints, simulating expired sessions, and validating refresh flows.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (OAuth2/auth) and two specific actions (token refresh, session expiry testing), but doesn't list comprehensive concrete actions like specific test scenarios, mock server setup, or token validation steps. | 2 / 3 |
| Completeness | Clearly answers both 'what' (test OAuth2 token refresh and session expiry locally) and 'when' (explicit 'Use when' clause listing auth, tokens, SSO, OIDC, or session management features). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms users would say: 'auth', 'tokens', 'SSO', 'OIDC', 'session management', 'OAuth2', 'token refresh', 'session expiry'. These are all terms developers naturally use when working in this domain. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive niche focused specifically on local testing of OAuth2 token refresh and session expiry. The combination of OAuth2, OIDC, SSO, and local testing creates a clear, narrow scope unlikely to conflict with other skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
64% Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable skill for testing OAuth2 flows locally with concrete commands, config paths, and testing scenarios. Its main weaknesses are moderate verbosity in the explanatory sections (especially 'Max Session Duration' use cases and mechanism explanations) and missing validation/error-recovery steps in the testing workflows. The content would benefit from trimming explanatory prose and adding explicit checkpoints for verifying each test scenario succeeded.
Suggestions
Add explicit validation checkpoints to each testing scenario (e.g., 'Verify: you should see a 200 response with new token in Network tab' or 'If redirect doesn't occur, check auth logs for...')
Move the 'Max Session Duration' deep-dive (How it works, Use cases, Difference from token expiry) into a separate reference file and link to it, keeping only the config snippet inline
Trim the 'Use cases' bullet list under Max Session Duration — Claude can infer production vs testing duration choices from the config examples already provided
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is mostly efficient but includes some sections that could be tightened. The 'Max Session Duration' section with 'How it works' and 'Use cases' explains concepts Claude can infer, and the 'Difference from token expiry' table partially duplicates the 'Key Relationships' section. However, the configuration tables and testing scenarios are well-targeted. | 2 / 3 |
| Actionability | The skill provides concrete, executable commands (pnpm dev:with-auth, curl endpoints), specific config file paths and values, exact YAML/TypeScript snippets to modify, and step-by-step testing procedures with expected observable outcomes. Everything is copy-paste ready. | 3 / 3 |
| Workflow Clarity | The testing scenarios have clear sequential steps with expected outcomes, but they lack explicit validation checkpoints and error recovery. For example, there's no guidance on what to do if the /auth/refresh request doesn't appear, or if the redirect doesn't happen. For auth testing involving session manipulation, verification steps would strengthen the workflows. | 2 / 3 |
| Progressive Disclosure | The content is well-structured with clear headers and tables, but it's somewhat monolithic at ~130 lines. The 'Max Session Duration' deep-dive and debugging sections could be split into separate reference files. The 'Related Files' section at the end is helpful but the overall document tries to serve as both quick-start and comprehensive reference. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation
100% Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
01161e2