CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-active-directory-acl-abuse

Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths

52

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is well-structured with concrete steps and a clear output schema, and its detailed material is sensibly split into bundle files, but it explains concepts Claude already knows, omits validation checkpoints for a batch scan, and fails to point Claude at the existing reference and script files.

Suggestions

Add explicit navigation to the bundle files, e.g. 'Run `python scripts/agent.py --dc-ip ... --domain ...` for the full scan' and 'See references/api-reference.md for SDDL masks, BloodHound cypher queries, and PowerView commands.'

Insert validation/feedback checkpoints into the workflow: verify the LDAP bind succeeds before scanning, confirm objects_scanned is non-zero, and handle empty or unreadable nTSecurityDescriptor values explicitly.

Trim the Overview's definitions of ACL/DACL/ACE and permission glosses, since Claude already knows these concepts.

DimensionReasoningScore

Conciseness

The body is mostly efficient, but the Overview explains concepts Claude already knows (defining ACLs/DACLs/ACEs and glossing GenericAll as 'full control'), so it could be tightened rather than earning the lean level 3.

2 / 3

Actionability

Steps include concrete details (bitmasks, attribute names, ports) and a complete JSON output sample, but the body contains no executable code and never points Claude to the ready-to-run scripts/agent.py, leaving guidance incomplete.

2 / 3

Workflow Clarity

The eight steps are clearly sequenced, but a domain-wide scan is a batch operation with no validation or feedback checkpoints (no bind/connection check, no coverage verification, no error-recovery loop), which per the rubric caps this at 2.

2 / 3

Progressive Disclosure

Detailed material is correctly split into references/api-reference.md and scripts/agent.py, but the SKILL.md body never signals or links these files, so navigation to the one-level-deep references is missing.

2 / 3

Total

8

/

12

Passed

Description

67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific and well-differentiated, naming concrete actions and a clear AD-ACL niche, but it lacks any explicit 'when to use' trigger guidance and its keywords skew toward technical jargon over natural user phrasing.

Suggestions

Append a 'Use when...' clause with natural trigger phrases, e.g. 'Use when hunting for AD privilege-escalation paths, auditing dangerous ACLs, or preparing BloodHound-style attack-path analysis.'

Add common user-facing terms such as 'BloodHound', 'privilege escalation', and 'dangerous permissions' alongside the technical GenericAll/WriteDACL/WriteOwner names.

DimensionReasoningScore

Specificity

Lists multiple concrete actions ('Detect dangerous ACL misconfigurations', 'identify GenericAll, WriteDACL, and WriteOwner abuse paths') tied to a specific domain, matching the multi-action anchor rather than the single-action level 2.

3 / 3

Completeness

Clearly answers 'what' the skill does but provides no 'Use when...' clause or equivalent explicit trigger guidance, which per the rubric caps completeness at 2.

2 / 3

Trigger Term Quality

Includes relevant keywords ('Active Directory', 'ACL misconfigurations', 'abuse paths') but is jargon-heavy (GenericAll, WriteDACL, ldap3) and omits common user-facing variations like 'BloodHound', 'privilege escalation', or 'permissions', so it does not reach full natural-term coverage.

2 / 3

Distinctiveness Conflict Risk

Targets a clear niche (AD ACL abuse via specific named permissions) with distinct triggers unlikely to conflict with other skills.

3 / 3

Total

10

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.