Perform structured reconnaissance and attack surface enumeration for authorized penetration tests, CTF challenges, and bug bounty programs. Use when the user mentions 'recon,' 'reconnaissance,' 'enumerate,' 'attack surface,' 'subdomain enumeration,' 'port scan,' 'fingerprint,' 'asset discovery,' or needs to map a target's external footprint.
68
82%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Advisory
Suggest reviewing before use
Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its purpose, scope, and trigger conditions. It uses third person voice, lists concrete actions, provides extensive natural trigger terms, and occupies a distinct niche in security reconnaissance. It follows the pattern of the best examples in the rubric with both a 'what' statement and an explicit 'Use when...' clause.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'structured reconnaissance,' 'attack surface enumeration,' and scopes it to 'authorized penetration tests, CTF challenges, and bug bounty programs.' These are concrete, well-defined activities. | 3 / 3 |
| Completeness | Clearly answers both 'what' (perform structured reconnaissance and attack surface enumeration for authorized pen tests, CTFs, and bug bounties) and 'when' (explicit 'Use when...' clause with a comprehensive list of trigger terms). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms users would say: 'recon,' 'reconnaissance,' 'enumerate,' 'attack surface,' 'subdomain enumeration,' 'port scan,' 'fingerprint,' 'asset discovery,' and 'external footprint.' These are all terms a user would naturally use. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive niche focused on reconnaissance and attack surface enumeration in security contexts. The specific trigger terms like 'subdomain enumeration,' 'port scan,' 'fingerprint,' and 'asset discovery' are unlikely to conflict with other skills. | 3 / 3 |
| Total | 12 / 12 Passed | |
Implementation
64%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable reconnaissance skill with concrete commands, a clear phased methodology, and a well-defined output template. Its main weaknesses are the lack of explicit validation checkpoints between phases and some verbosity in explaining concepts Claude already understands (WHOIS, zone transfers, dorking). The authorization check and boundaries sections are well-handled and appropriately prominent.
Suggestions
Add explicit validation/checkpoint steps between phases, e.g., 'Review passive findings and confirm target scope before proceeding to active recon' with criteria for what constitutes sufficient passive recon.
Trim explanatory text for concepts Claude already knows — e.g., remove 'for registrant, nameserver, and creation date info' after the whois command, and 'Identify frameworks, CMS, server software, and JavaScript libraries from public-facing pages' which is self-evident from the heading.
Add a feedback loop for failed or incomplete scans, e.g., 'If nmap returns no results, verify host is up with -Pn, check firewall evasion techniques, and document blocked ports.'
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Generally efficient but includes some unnecessary framing (e.g., explaining what search engine dorking queries do, the cross-references paragraph is somewhat verbose). The methodology sections are reasonably tight but could be trimmed — Claude already knows what WHOIS is and what zone transfers are. | 2 / 3 |
| Actionability | Provides concrete, executable commands throughout — dig, nmap, curl with crt.sh, specific flags and output formats. The output format template is copy-paste ready. Tool suggestions are specific (gobuster, feroxbuster, testssl.sh, sslyze) with clear use cases. | 3 / 3 |
| Workflow Clarity | The three-phase methodology provides a clear sequence (passive → active → analysis), and the authorization check is a good upfront gate. However, there are no explicit validation checkpoints between phases — no 'verify passive findings before proceeding to active' step, no feedback loops for when scans fail or return unexpected results. | 2 / 3 |
| Progressive Disclosure | The content is well-structured with clear sections and headers, and cross-references to related skills (osint-recon, web-pentest, owasp-audit) are mentioned. However, with no bundle files, all content is inline in a single file. The output format template and some of the detailed methodology could benefit from being split into referenced files for a skill of this length. | 2 / 3 |
| Total | 9 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| Total | 10 / 11 Passed | |
c9ade03