Install command
Provided
TypeScript-first validation skill using Zod — define schemas once, get runtime checks and inferred types for APIs, forms, and data pipelines.
Open the source and read safety notes before installing.
Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.
Decision playbook
Signals are comparatively strong, but you should still validate source, privacy posture, and package provenance for your environment.
0
96
—
No baseline selected
No major trust-signal divergence detected in the current selection.
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Source provenance statusRequired
Marked as first-party.
Metadata reviewed
Registry metadata indicates a reviewed listing.
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Trust level risk gateRequired
Trust level does not block evaluation.
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Package verification flag
Package marked verified.
Checksum metadata
SHA-256 hash is present.
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
Baseline comparison available
No baseline peer selected yet.
Diverging trust signals identified
No major trust-signal divergence found.
Setup at a glance
Copy-ready — paste the snippet to get started.
Install command
Provided
Config snippet
Not provided
Copy snippet
Provided
Prerequisites
4 to clear
Platforms
6 listed
Difficulty
100/100
Adoption plan
Current risk score 0/100. Use staged verification before broader rollout.
Validate source and review signals before any execution.
Confirm source provenanceRequired
Source URL/provenance metadata is present.
Confirm metadata review state
Listing has review metadata.
Verify install payload
Install/config payload exists and can be inspected.
Confirm safety, privacy, and package integrity signals.
Review safety notesRequired
Safety notes are present.
Review privacy notesRequired
Privacy notes are present.
Verify package integrity metadata
Package verification/checksum metadata is available.
Adopt in controlled steps based on the selected plan.
Run in isolated sandbox firstRequired
Use a constrained sandbox and observe behavior across multiple tasks.
Roll out graduallyRequired
Roll out to a small cohort before wider usage.
Set monitoring and fallback
Define rollback path and monitor errors after adoption.
Evidence readiness
Required evidence gates are covered (6/6 signals complete).
Source repository/provenance is listed.
Required in this preset
Review metadata is present.
Required in this preset
Safety notes are present.
Required in this preset
Privacy notes are present.
Optional in this preset
Package integrity metadata is present.
Optional in this preset
Install payload is available.
Required in this preset
Required evidence gates are covered for this preset.
Decision timeline
6/6 steps complete with no blocking gaps for this preset.
triage
Source/provenance metadata is available.
triage
Review metadata is available.
verify
Safety notes are available.
verify
Privacy notes are available.
verify
Package integrity metadata is available.
rollout
Install payload is available.
No required blockers for this timeline preset.
Prerequisite readiness
4 prerequisites to line up before setup.
Safety & privacy surface
2 safety and 2 privacy notes across 3 risk areas. Review closely: credentials & tokens, network access, third-party handling.
| Platform | Support | Install path |
|---|---|---|
| claude-code | Native | .claude/skills/<skill-name>/SKILL.md |
| codex | Native | .agents/skills/<skill-name>/SKILL.md |
| windsurf | Native | .windsurf/skills/<skill-name>/SKILL.md |
| gemini | Native | .gemini/skills/<skill-name>/SKILL.md or .agents/skills/<skill-name>/SKILL.md |
| cursor | Adapter | .cursor/rules/<skill-name>.mdc |
| cli | Manual | AGENTS.md or tool-specific context file |
import { z } from 'zod';
const passwordSchema = z
.string()
.min(8, 'Password must be at least 8 characters')
.regex(/[0-9]/, 'Password must contain a number')
.regex(/[^a-zA-Z0-9]/, 'Password must contain a special character');
const userRegistrationSchema = z.object({
email: z.string().email('Invalid email address'),
password: passwordSchema,
confirmPassword: z.string(),
age: z.number().int().min(18, 'Must be 18 or older').max(100),
phone: z.string().regex(/^\\+?[1-9]\\d{1,14}$/).optional(),
acceptTerms: z.literal(true, {
errorMap: () => ({ message: 'You must accept the terms' }),
}),
}).refine((data) => data.password === data.confirmPassword, {
message: 'Passwords do not match',
path: ['confirmPassword'],
});
type UserRegistration = z.infer<typeof userRegistrationSchema>;
// Usage with safeParse for error handling
const result = userRegistrationSchema.safeParse({
email: 'user@example.com',
password: 'SecureP@ss1',
confirmPassword: 'SecureP@ss1',
age: 25,
acceptTerms: true,
});
if (!result.success) {
console.error(result.error.format());
} else {
console.log('Valid user:', result.data);
}Zod solves a problem TypeScript alone cannot: your types are erased at runtime, so an API response or user form typed as User might contain arbitrary garbage at the boundary. Zod lets you declare the expected shape once as a schema, validate incoming data against it, and derive the TypeScript type automatically via z.infer<typeof schema> — no separate interface to keep in sync, no runtime/compile-time mismatch.
The most important design decision in Zod is .parse() vs .safeParse(). .parse() throws a ZodError on failure, which suits internal data you control. .safeParse() returns { success: true, data } or { success: false, error }, which is safer at external boundaries (API bodies, query parameters, environment variables, form inputs).
With this skill loaded, ask Claude to:
z.infer<typeof schema>.refine() (e.g., confirm-password must equal password) or .superRefine() for multiple co-located error pathsz.discriminatedUnion('kind', [...]) when object shape depends on a type tag fieldzodResolver, into tRPC as input validators, or into Express/Fastify as request-body validators.transform() — for example, coercing ISO strings into Date objectsPrompt: "Create a Zod schema for user registration: email, password (min 8 chars, requires a digit and special character), optional phone, and a confirmPassword that must match password."
Claude will build a reusable passwordSchema, compose the outer object schema with .refine() for the cross-field confirm check, and export the inferred UserRegistration type.
Prompt: "Build Zod schemas for a paginated list endpoint: query params (page, limit, optional search string), and a JSON body with nested filters. Use safeParse and return HTTP 400 on validation failure."
Claude will write separate schemas for query and body, call schema.safeParse(req.query), and shape the 400 error response from error.format().
Prompt: "Validate process.env at boot with Zod. Required: DATABASE_URL (URL), JWT_SECRET (non-empty string), PORT (coerced to number). Optional: LOG_LEVEL defaulting to 'info'."
Claude will use z.string().url(), z.coerce.number(), and .default(), calling .parse(process.env) so the app fails fast on misconfiguration before any requests are served.
Prompt: "My API returns { status: 'ok', data: User } or { status: 'error', code: number, message: string }. Write a Zod discriminated union and handle both branches with narrowed types."
Claude will use z.discriminatedUnion('status', [...]) — faster and more precise than z.union() when a shared tag field identifies the variant.
type User = z.infer<typeof userSchema> — delete any manually maintained interface that duplicates the schema.safeParse() at boundaries: API routes, form submissions, env vars — anywhere data enters from the outside.min(8, 'Must be at least 8 characters') or { message: '...' } — clearer than Zod's generic defaults.parseAsync(): if your .refine() callback is async, swap to safeParseAsync() or the result will be a Promise, not a value.extend() adds fields to an existing schema; .pick() and .omit() create focused subsets without duplicationz.lazy(() => nodeSchema) to handle tree structures that would otherwise cause circular reference errorsType inference not working — ensure TypeScript 5.0+ and strict: true in tsconfig.json. Use z.infer<typeof schema> rather than a manually written interface; mismatches disappear when the type is derived rather than declared.
Custom error messages not showing — pass the message as the second argument to the validator: .min(8, 'Too short') or { message: 'Too short' }. Call error.format() to see the nested structure per field, or error.flatten() for a flat { fieldErrors, formErrors } map.
Async validation silently ignored — .refine(async fn) and .transform(async fn) require the async parse path (parseAsync / safeParseAsync). Calling synchronous .parse() with an async refinement resolves the promise inside the schema as a truthy value rather than awaiting it.
Union errors are confusing — switch from z.union() to z.discriminatedUnion('typeField', [...]) when objects share a common tag field; error messages narrow to the correct branch instead of listing all variants.
Optional vs nullable confusion — .optional() accepts undefined; .nullable() accepts null; .nullish() accepts both. They are not interchangeable. Use .default(value) to supply a fallback when the field is absent rather than making it optional and handling undefined downstream.
Zod Schema Validation Skill side by side with 2 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
2 trust signals differ across this comparison (Package trust, Source provenance).
| Field | TypeScript-first validation skill using Zod — define schemas once, get runtime checks and inferred types for APIs, forms, and data pipelines. Open dossier | Build end-to-end type-safe APIs with tRPC and TypeScript, eliminating code generation and runtime bloat for full-stack applications. tRPC provides end-to-end type safety without code generation, schema stitching, or serialization layers - delivering a lighter, more intuitive developer experience than REST or GraphQL. Open dossier | Compile JSON Schema (draft-07, 2019-09, 2020-12) into fast validators with Ajv, report every failure by its instancePath, and use Ajv options to coerce types, apply defaults, and remove unknown properties so incoming JSON is both validated and normalized. Open dossier |
|---|---|---|---|
| Next steps | |||
| Trust | |||
| Review status | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed |
| Package trustDiffers | Package verified2025-10-16 | Package verified2025-10-16 | Package verified2025-10-15 |
| Source provenanceDiffers | Source-backed | No submission link | No submission link |
| Submitter | — | — | — |
| Install risk | Review first | Low risk | Low risk |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Brand | — | — | — |
| Category | skills | skills | skills |
| Source | first-party | first-party | first-party |
| Author | JSONbored | JSONbored | JSONbored |
| Added | 2025-10-16 | 2025-10-16 | 2025-10-15 |
| Platforms | Claude CodeCodexWindsurfGeminiCursorCLI | Claude CodeCodexWindsurfGeminiCursorCLI | Claude CodeCodexWindsurfGeminiCursorCLI |
| Source repo | — | — | — |
| Safety notes | ✓Install Zod with `npm install zod` (or your package manager's equivalent) before use. The library has zero runtime dependencies and does not execute network requests on its own. Async refinements (`.refine(async fn)`) may call external services if your own callback does — review any async refinement for unintended network or database access. | ✓Installs server/client packages (@trpc/server, @trpc/client, zod) and runs an API server; review procedures, auth middleware, and exposed routers before deploying. | ✓This skill installs npm packages (ajv, zod, json-schema-to-typescript) and reads and writes local files — JSON schemas, data, migration output, and generated TypeScript definitions. Ajv type coercion and default-filling mutate the input data, and migration scripts overwrite documents; keep backups and re-validate each step, as the skill's troubleshooting notes recommend. |
| Privacy notes | ✓Zod validates data in-process only and does not transmit your schemas, inputs, or error output to any external service. Schemas that validate emails, passwords, or personal data remain entirely local; no input leaves your runtime environment through Zod itself. | ✓tRPC procedures read and persist user-supplied input and use auth context/tokens; validate inputs with zod, keep secrets in environment variables, and review what each procedure stores or logs. | ✓Validation, normalization, and migration process your JSON data and schema files locally; nothing leaves the machine beyond the npm package downloads from the registry. |
| Prerequisites |
|
|
|
| Install | | | |
| Config | — | — | — |
| Citations | |||
| Claim | Unclaimed | Unclaimed | Unclaimed |
Source-backed guides for putting this to work.
Loading live community signals…
A short, calm digest of reviewed Claude resources. Unsubscribe any time.