Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
Discovery: 82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description that clearly identifies the domain (Active Directory security), the tool (ldap3), and the exact capabilities (detecting GenericAll, WriteDACL, WriteOwner abuse paths). Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill over others.
Suggestions
Add a 'Use when...' clause such as 'Use when the user asks about Active Directory security auditing, ACL enumeration, privilege escalation paths, or DACL analysis.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: detecting dangerous ACL misconfigurations, identifying GenericAll, WriteDACL, and WriteOwner abuse paths, using ldap3. These are precise, actionable capabilities. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' (detect dangerous ACL misconfigurations, identify specific abuse paths), but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric. | 2 / 3 |
| Trigger Term Quality | Includes highly relevant natural keywords a security professional would use: 'ACL misconfigurations', 'Active Directory', 'ldap3', 'GenericAll', 'WriteDACL', 'WriteOwner', 'abuse paths'. These are the exact terms someone working in AD security would mention. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche focusing specifically on Active Directory ACL misconfigurations with named permission types (GenericAll, WriteDACL, WriteOwner). Very unlikely to conflict with other skills due to the narrow, specialized domain. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 20%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a conceptual guide than an actionable skill file. It explains what to do at each step but provides no executable code despite being a Python-based skill using ldap3. The verbose overview and boilerplate 'When to Use' section waste tokens on information Claude already possesses, while the actual technical guidance that would differentiate this skill — working code for parsing nTSecurityDescriptor, resolving SIDs, and checking access masks — is entirely absent.
Suggestions
Add complete, executable Python code using ldap3 for at least the core operations: connecting to DC, querying nTSecurityDescriptor, parsing the binary descriptor, and checking dangerous access masks against bitmasks.
Remove the verbose overview paragraph explaining what ACLs/DACLs/ACEs are and the generic 'When to Use' section — Claude already knows these concepts.
Add validation checkpoints: verify LDAP connection succeeded, handle objects with missing/unreadable security descriptors, and validate SID resolution before proceeding.
Include the specific access mask constants and bit-checking logic as executable code rather than prose descriptions (e.g., `GENERIC_ALL = 0x10000000; if ace.access_mask & GENERIC_ALL:`).
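As an added illustration of the bit-checking logic the suggestions above ask for (example code written for this review, not code from the skill, from Tessl, or from ldap3): a parser that walks the DACL of a self-relative nTSecurityDescriptor, the raw bytes an LDAP client receives when it requests that attribute, and flags allow ACEs whose access mask carries GenericAll, WriteDACL, or WriteOwner. The sample descriptor, SIDs, and RIDs are constructed fixtures; the constants are the standard Windows ACCESS_MASK and ACE type values, and the LDAP connection itself is left out so the block runs offline.

```python
import struct
# Well-known ACCESS_MASK bits and ACE types (MS-DTYP); values taken from the spec, not from the skill
GENERIC_ALL, WRITE_DAC, WRITE_OWNER = 0x10000000, 0x00040000, 0x00080000
DANGEROUS = {"GenericAll": GENERIC_ALL, "WriteDACL": WRITE_DAC, "WriteOwner": WRITE_OWNER}
ACCESS_ALLOWED_ACE_TYPE, ACCESS_ALLOWED_OBJECT_ACE_TYPE, SE_DACL_PRESENT = 0x00, 0x05, 0x0004

def parse_sid(buf, off):
    """Decode a binary SID at buf[off:] into 'S-1-...' form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def dangerous_aces(sd):
    """Walk the DACL of a self-relative descriptor; return [(trustee_sid, [rights])] for dangerous allow ACEs."""
    _, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return None  # NULL DACL: everyone has full control; report this case separately
    ace_count = struct.unpack_from("<BBHHH", sd, dacl_off)[3]
    pos, findings = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        sid_off = pos + 8
        if ace_type == ACCESS_ALLOWED_OBJECT_ACE_TYPE:
            # Object ACEs insert a flags word and up to two GUIDs before the SID
            obj_flags = struct.unpack_from("<I", sd, pos + 8)[0]
            sid_off += 4 + 16 * (bool(obj_flags & 1) + bool(obj_flags & 2))
        if ace_type in (ACCESS_ALLOWED_ACE_TYPE, ACCESS_ALLOWED_OBJECT_ACE_TYPE):
            rights = [name for name, bit in DANGEROUS.items() if mask & bit]
            if rights:  # deny and audit ACEs grant nothing and are skipped
                findings.append((parse_sid(sd, sid_off), rights))
        pos += ace_size
    return findings

def build_sid(rev, authority, subs):
    return bytes([rev, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def build_sd(aces):
    """Constructed fixture: minimal self-relative descriptor holding only a DACL."""
    body = b"".join(struct.pack("<BBHI", t, 0, 8 + len(s), m) + s for t, m, s in aces)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl  # SE_SELF_RELATIVE | SE_DACL_PRESENT

# Constructed sample: RID 500 with full control, Domain Users (RID 513) able to rewrite the DACL, Everyone read-only
SAMPLE_SD = build_sd([
    (ACCESS_ALLOWED_ACE_TYPE, GENERIC_ALL, build_sid(1, 5, [21, 111, 222, 333, 500])),
    (ACCESS_ALLOWED_ACE_TYPE, WRITE_DAC | 0x20, build_sid(1, 5, [21, 111, 222, 333, 513])),
    (ACCESS_ALLOWED_ACE_TYPE, 0x00020094, build_sid(1, 1, [0])),
])
```

Resolving each flagged SID to a name and deciding whether the trustee is expected to hold that right (built-in administrators usually are) is the validation step the review asks for and is left to the caller.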
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The overview explains AD ACLs, DACLs, ACEs, and SDDL at length — concepts Claude already knows. The 'When to Use' section is generic boilerplate that adds no value. The prerequisites section explains what LDAP ports are. Significant token waste throughout. | 1 / 3 |
| Actionability | Despite describing an 8-step process involving Python and ldap3, there is zero executable code anywhere in the skill. Every step is a prose description of what to do rather than concrete commands or code snippets. The skill describes rather than instructs. | 1 / 3 |
| Workflow Clarity | The 8 steps are logically sequenced and cover the full workflow from connection to report generation. However, there are no validation checkpoints, no error handling guidance, and no feedback loops for when LDAP queries fail or security descriptors can't be parsed. | 2 / 3 |
| Progressive Disclosure | The content is structured with clear sections (Overview, When to Use, Prerequisites, Steps, Expected Output), but it's a monolithic document with no references to external files. The overview section contains material that could be trimmed, and the detailed steps could benefit from separation into referenced files. | 2 / 3 |
| Total | | 6 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |