
analyzing-active-directory-acl-abuse

Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths

48

Quality

51%

Does it follow best practices?

Impact

No eval scenarios have been run

Security by Snyk

Advisory

Suggest reviewing before use

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/analyzing-active-directory-acl-abuse/SKILL.md

Quality

Discovery

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong, highly specific description that clearly identifies the domain (Active Directory security), the tool (ldap3), and the exact capabilities (detecting GenericAll, WriteDACL, WriteOwner abuse paths). Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill over others.

Suggestions

Add a 'Use when...' clause such as 'Use when the user asks about Active Directory security auditing, ACL misconfigurations, privilege escalation paths, or DACL abuse in AD environments.'

Dimension (Score): Reasoning

Specificity (3 / 3): Lists multiple specific concrete actions: detecting dangerous ACL misconfigurations, identifying GenericAll, WriteDACL, and WriteOwner abuse paths, and specifies the tool (ldap3) and domain (Active Directory).

Completeness (2 / 3): Clearly answers 'what does this do' (detect dangerous ACL misconfigurations, identify abuse paths), but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric.

Trigger Term Quality (3 / 3): Includes highly specific natural keywords a security professional would use: 'ACL misconfigurations', 'Active Directory', 'ldap3', 'GenericAll', 'WriteDACL', 'WriteOwner', 'abuse paths'. These are precise terms users in this domain would naturally mention.

Distinctiveness / Conflict Risk (3 / 3): Highly distinctive with a very clear niche: Active Directory ACL security auditing with specific permission types (GenericAll, WriteDACL, WriteOwner). Unlikely to conflict with other skills due to the narrow, specialized domain.

Total: 11 / 12 (Passed)

Implementation

20%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill reads more like a conceptual guide than an actionable skill for Claude. It describes what to do at each step but provides no executable Python code using ldap3, which is critical for a skill centered on a specific library. The verbose explanations of AD concepts waste tokens on knowledge Claude already possesses.

Suggestions

Add complete, executable Python code examples for each major step—especially LDAP connection with ldap3, querying nTSecurityDescriptor, parsing the binary descriptor, and checking access masks against dangerous permission bitmasks.

Remove the explanatory overview of what ACLs/DACLs/ACEs are and the generic 'When to Use' boilerplate—Claude already knows these concepts.

Add validation checkpoints: e.g., verify LDAP bind succeeded before querying, confirm nTSecurityDescriptor was returned (it requires specific controls), and handle SID resolution failures.

Include the specific ldap3 controls needed to retrieve nTSecurityDescriptor (LDAP_SERVER_SD_FLAGS_OID) as this is a non-obvious requirement that causes silent failures.

Dimension (Score): Reasoning

Conciseness (1 / 3): The overview paragraph explains what ACLs, DACLs, and ACEs are—concepts Claude already knows. The 'When to Use' section is generic boilerplate that adds no value. The 'Prerequisites' section explains obvious things like needing network connectivity. Significant token waste throughout.

Actionability (1 / 3): Despite describing an 8-step process involving Python and ldap3, there is zero executable code anywhere in the skill. Every step is a prose description of what to do rather than concrete, copy-paste-ready code. The bitmask values are mentioned inline but not in usable code form.

Workflow Clarity (2 / 3): The 8 steps are logically sequenced and cover the full workflow from connection to report generation. However, there are no validation checkpoints, no error handling guidance, and no feedback loops for when LDAP queries fail or security descriptors can't be parsed.

Progressive Disclosure (2 / 3): The content is a single monolithic file with no references to supporting files, but it's not excessively long. The structure uses headers and numbered steps, which helps, but the overview and prerequisites sections contain content that could be trimmed rather than split out. No bundle files exist to reference.

Total: 6 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria (Result): Description

frontmatter_unknown_keys (Warning): Unknown frontmatter key(s) found; consider removing or moving to metadata.

Total: 10 / 11 (Passed)

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed
