This skill should be used when the user asks to "attack Active Directory", "exploit AD", "Kerberoasting", "DCSync", "pass-the-hash", "BloodHound enumeration", "Golden Ticket", ...
Install with Tessl CLI
npx tessl i github:boisenoise/skills-collections --skill active-directory-attacks72
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skill
Discovery
44%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description excels at trigger term coverage with specific Active Directory attack terminology but critically fails to explain what the skill actually does. It reads as a list of when-to-use triggers without any capability description, making it impossible for Claude to understand what actions or outputs this skill provides.
Suggestions
Add a capability statement before the trigger list, e.g., 'Performs Active Directory penetration testing including domain enumeration, credential extraction, privilege escalation, and lateral movement techniques.'
Restructure to lead with 'what it does' followed by 'Use when...' clause, e.g., 'Executes AD attack chains, generates BloodHound queries, and crafts exploitation commands. Use when the user asks to...'
Include specific outputs or deliverables the skill produces, such as 'generates attack commands', 'creates enumeration scripts', or 'provides exploitation guidance'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description lists attack technique names but does not describe any concrete actions the skill performs. It only states when to use it, not what it actually does (e.g., 'enumerate domain users', 'extract credentials', 'generate attack paths'). | 1 / 3 |
| Completeness | The description only addresses 'when' (trigger terms) but completely omits 'what' the skill does. There is no explanation of capabilities, actions, or outputs this skill provides. | 1 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'attack Active Directory', 'exploit AD', 'Kerberoasting', 'DCSync', 'pass-the-hash', 'BloodHound enumeration', 'Golden Ticket' are all specific, recognizable terms security professionals would use. | 3 / 3 |
| Distinctiveness Conflict Risk | The Active Directory attack terminology is highly specific and niche. Terms like 'Kerberoasting', 'DCSync', 'Golden Ticket' are unlikely to conflict with other skills due to their specialized security domain. | 3 / 3 |
| Total | 8 / 12 Passed | |
Implementation
87%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a high-quality, comprehensive AD attack skill that excels in actionability and conciseness. The content is dense with executable commands and assumes appropriate expertise. The main weakness is the lack of explicit validation steps and feedback loops for multi-step attack chains, which is important given the destructive nature of some operations like ZeroLogon.
Suggestions
Add explicit validation checkpoints after critical steps (e.g., 'Verify ticket was created: klist' after Golden Ticket generation)
Include feedback loops for error recovery in attack chains (e.g., 'If DCSync fails with access denied, verify user has Replicating Directory Changes rights with: Get-ADUser -Properties * | Select replication*')
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is highly efficient with minimal explanatory fluff. It assumes Claude knows what AD, Kerberos, and these tools are, jumping straight to executable commands without explaining basic concepts. | 3 / 3 |
| Actionability | Excellent actionability with copy-paste ready commands throughout. Every attack technique includes specific, executable code examples with real tool syntax and parameters. | 3 / 3 |
| Workflow Clarity | While the core workflow has numbered steps and the examples show attack chains, there are no explicit validation checkpoints or feedback loops for error recovery. For destructive operations like ZeroLogon, the restore step is mentioned but validation of success is missing. | 2 / 3 |
| Progressive Disclosure | Well-structured with clear sections, a quick reference table for common operations, and appropriate delegation to external file (references/advanced-attacks.md) for advanced techniques. Navigation is straightforward with one-level-deep references. | 3 / 3 |
| Total | 11 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |