recon

Perform structured reconnaissance and attack surface enumeration for authorized penetration tests, CTF challenges, and bug bounty programs. Use when the user mentions 'recon,' 'reconnaissance,' 'enumerate,' 'attack surface,' 'subdomain enumeration,' 'port scan,' 'fingerprint,' 'asset discovery,' or needs to map a target's external footprint.

Quality

82%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Advisory

Suggest reviewing before use

Quality

Content

64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a solid, actionable reconnaissance skill with concrete commands, a clear phased methodology, and a well-defined output template. Its main weaknesses are the lack of explicit validation checkpoints between phases and some verbosity in explaining concepts Claude already understands (WHOIS, zone transfers, dorking). The authorization check and boundaries sections are well-handled and appropriately prominent.

Suggestions

Add explicit validation/checkpoint steps between phases, e.g., 'Review passive findings and confirm target scope before proceeding to active recon' with criteria for what constitutes sufficient passive recon.

Trim explanatory text for concepts Claude already knows — e.g., remove 'for registrant, nameserver, and creation date info' after the whois command, and 'Identify frameworks, CMS, server software, and JavaScript libraries from public-facing pages' which is self-evident from the heading.

Add a feedback loop for failed or incomplete scans, e.g., 'If nmap returns no results, verify host is up with -Pn, check firewall evasion techniques, and document blocked ports.'

Dimension	Reasoning	Score
Conciseness	Generally efficient but includes some unnecessary framing (e.g., explaining what search engine dorking queries do, the cross-references paragraph is somewhat verbose). The methodology sections are reasonably tight but could be trimmed — Claude already knows what WHOIS is and what zone transfers are.	2 / 3
Actionability	Provides concrete, executable commands throughout — dig, nmap, curl with crt.sh, specific flags and output formats. The output format template is copy-paste ready. Tool suggestions are specific (gobuster, feroxbuster, testssl.sh, sslyze) with clear use cases.	3 / 3
Workflow Clarity	The three-phase methodology provides a clear sequence (passive → active → analysis), and the authorization check is a good upfront gate. However, there are no explicit validation checkpoints between phases — no 'verify passive findings before proceeding to active' step, no feedback loops for when scans fail or return unexpected results.	2 / 3
Progressive Disclosure	The content is well-structured with clear sections and headers, and cross-references to related skills (osint-recon, web-pentest, owasp-audit) are mentioned. However, with no bundle files, all content is inline in a single file. The output format template and some of the detailed methodology could benefit from being split into referenced files for a skill of this length.	2 / 3
	Total	9 / 12 Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description that clearly defines its purpose, scope, and trigger conditions. It uses third person voice, lists concrete actions, provides extensive natural trigger terms, and occupies a distinct niche in security reconnaissance. It follows the pattern of the best examples in the rubric with both a 'what' statement and an explicit 'Use when...' clause.

Dimension	Reasoning	Score
Specificity	Lists multiple specific concrete actions: 'structured reconnaissance,' 'attack surface enumeration,' and scopes it to 'authorized penetration tests, CTF challenges, and bug bounty programs.' These are concrete, well-defined activities.	3 / 3
Completeness	Clearly answers both 'what' (perform structured reconnaissance and attack surface enumeration for authorized pen tests, CTFs, and bug bounties) and 'when' (explicit 'Use when...' clause with a comprehensive list of trigger terms).	3 / 3
Trigger Term Quality	Excellent coverage of natural trigger terms users would say: 'recon,' 'reconnaissance,' 'enumerate,' 'attack surface,' 'subdomain enumeration,' 'port scan,' 'fingerprint,' 'asset discovery,' and 'external footprint.' These are all terms a user would naturally use.	3 / 3
Distinctiveness Conflict Risk	Highly distinctive niche focused on reconnaissance and attack surface enumeration in security contexts. The specific trigger terms like 'subdomain enumeration,' 'port scan,' 'fingerprint,' and 'asset discovery' are unlikely to conflict with other skills.	3 / 3
	Total	12 / 12 Passed

Validation

90%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed

Validation for skill structure

Criteria	Description	Result
allowed_tools_field	'allowed-tools' contains unusual tool name(s)	Warning

	Total	10 / 11 Passed

Repository: briiirussell/cybersecurity-skills
Commit: c9ade03

Reviewed: 27 days ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.