Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
60
51%
Does it follow best practices?
Impact: Pending (no eval scenarios have been run)
Passed: no known issues
Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/analyzing-active-directory-acl-abuse/SKILL.md`

Quality
Discovery
82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description that clearly identifies its domain (Active Directory security) and concrete capabilities (detecting ACL misconfigurations, identifying specific abuse paths). Its main weakness is the lack of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The technical terminology is appropriate for the target audience and provides excellent distinctiveness.
Suggestions
Add a 'Use when...' clause such as 'Use when the user asks about Active Directory security auditing, ACL permissions review, privilege escalation paths, or AD misconfiguration detection.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: detecting dangerous ACL misconfigurations, identifying GenericAll, WriteDACL, and WriteOwner abuse paths, using ldap3. These are precise, actionable capabilities. | 3 / 3 |
| Completeness | The 'what' is clearly stated (detect ACL misconfigurations, identify abuse paths), but there is no explicit 'Use when...' clause or equivalent trigger guidance. Per the rubric, a missing 'Use when...' clause caps completeness at 2. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords a security professional would use: 'ACL misconfigurations', 'Active Directory', 'ldap3', 'GenericAll', 'WriteDACL', 'WriteOwner', 'abuse paths'. These are the exact terms someone working in AD security would mention. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive niche targeting Active Directory ACL security auditing with specific permission types (GenericAll, WriteDACL, WriteOwner) and a specific tool (ldap3). Very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
20%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a conceptual guide than an actionable skill for Claude. It explains AD ACL concepts Claude already knows, provides no executable code despite being a Python-based skill, and lacks validation steps for a multi-step process involving LDAP queries and binary parsing. The expected output JSON is a nice touch but insufficient without the code to produce it.
Suggestions
Replace the prose steps with complete, executable Python code using ldap3 — including connection setup, nTSecurityDescriptor querying, SDDL parsing, and the dangerous permission check logic with actual bitmask comparisons.
Remove the overview paragraph explaining what ACLs, DACLs, and ACEs are — Claude knows this. Start directly with the task and code.
Add validation checkpoints: verify LDAP connection succeeded, confirm nTSecurityDescriptor was returned (requires specific LDAP controls), and validate parsed SDDL before proceeding.
Replace the generic 'When to Use' section with a concise one-liner or remove it entirely, as it adds no actionable information.
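The kind of bitmask check the first suggestion asks for, as an added example that is not part of the reviewed skill or of ldap3: it parses the raw self-relative security descriptor bytes that ldap3 would return in the nTSecurityDescriptor attribute (assumed to have been fetched with the SD-flags control) and flags every allow ACE carrying GenericAll, WriteDACL or WriteOwner. The sample descriptor, its SIDs and the read-only mask 0x00020094 are constructed inline for the demonstration.

```python
import struct

# Access-mask bits (MS-DTYP ACCESS_MASK) for the three rights the skill targets.
DANGEROUS = {"GenericAll": 0x10000000, "WriteDACL": 0x00040000, "WriteOwner": 0x00080000}
ACE_ALLOWED, ACE_ALLOWED_OBJECT = 0x00, 0x05   # ACE types that grant rights
SE_DACL_PRESENT = 0x0004

def sid_to_str(data, off):
    """Decode a binary SID at `off` into S-1-5-... form."""
    rev, count = data[off], data[off + 1]
    auth = int.from_bytes(data[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, off + 8)
    return "S-%d-%d-%s" % (rev, auth, "-".join(map(str, subs)))

def dangerous_aces(sd):
    """Walk the DACL of a self-relative security descriptor (raw nTSecurityDescriptor
    bytes); return [(trustee_sid, [right, ...])] for allow ACEs with a dangerous bit."""
    control = struct.unpack_from("<H", sd, 2)[0]
    dacl_off = struct.unpack_from("<I", sd, 16)[0]
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []                                 # no DACL: nothing to audit here
    ace_count = struct.unpack_from("<H", sd, dacl_off + 4)[0]
    pos, hits = dacl_off + 8, []                  # skip the 8-byte ACL header
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type in (ACE_ALLOWED, ACE_ALLOWED_OBJECT):
            mask = struct.unpack_from("<I", sd, pos + 4)[0]
            sid_off = pos + 8
            if ace_type == ACE_ALLOWED_OBJECT:    # skip Flags + optional GUIDs
                obj_flags = struct.unpack_from("<I", sd, pos + 8)[0]
                sid_off += 4 + 16 * bin(obj_flags & 0x3).count("1")
            rights = [name for name, bit in DANGEROUS.items() if mask & bit]
            if rights:
                hits.append((sid_to_str(sd, sid_off), rights))
        pos += ace_size
    return hits

# --- Constructed sample descriptor (not captured from a real domain) ---
def build_sid(*subs):
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)
def build_allow_ace(mask, sid):
    body = struct.pack("<I", mask) + sid
    return struct.pack("<BBH", ACE_ALLOWED, 0, 4 + len(body)) + body
def build_sd(aces):
    dacl = struct.pack("<BBHHH", 2, 0, 8 + sum(map(len, aces)), len(aces), 0) + b"".join(aces)
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + dacl  # SELF_RELATIVE|DACL_PRESENT
SAMPLE_SD = build_sd([
    build_allow_ace(0x00020094, build_sid(21, 1, 2, 3, 1105)),          # read-only: not flagged
    build_allow_ace(DANGEROUS["GenericAll"], build_sid(21, 1, 2, 3, 1106)),
    build_allow_ace(DANGEROUS["WriteDACL"] | DANGEROUS["WriteOwner"], build_sid(32, 544)),
])
```

Resolving each flagged SID to a principal and skipping expected holders such as Domain Admins is the next step the skill's report would need.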
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The overview explains AD ACLs, DACLs, ACEs, and SDDL at length — concepts Claude already knows. The 'When to Use' section is generic boilerplate that adds no value. The prerequisites section explains what LDAP ports are. Significant token waste throughout. | 1 / 3 |
| Actionability | Despite describing a Python-based workflow using ldap3, there is zero executable code anywhere in the skill. All eight steps are prose descriptions of what to do rather than concrete, copy-paste-ready implementations. The skill describes rather than instructs. | 1 / 3 |
| Workflow Clarity | The eight steps are logically sequenced and cover the full pipeline from connection to report generation. However, there are no validation checkpoints, no error handling guidance, and no feedback loops for common failure modes like authentication errors or permission issues when reading nTSecurityDescriptor. | 2 / 3 |
| Progressive Disclosure | The content is structured with clear sections (Overview, Steps, Expected Output), but it's a monolithic document with no references to external files for detailed content like SDDL parsing logic, well-known SID mappings, or extended rights GUIDs. The inline content that could be separated (like the full bitmask reference) is mixed with the workflow. | 2 / 3 |
| Total | | 6 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
888bbe4