analyzing-api-gateway-access-logs
Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection. Use when investigating API abuse or building API-specific threat detection rules.
74
68%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-api-gateway-access-logs/SKILL.mdQuality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly communicates specific capabilities (parsing logs from named API gateway platforms, detecting named attack types), tools used (pandas), and explicit trigger conditions. It uses proper third-person voice throughout and provides enough detail for Claude to confidently select this skill when API security log analysis is needed while avoiding false matches with general security or log analysis skills.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: parses API Gateway access logs from named platforms (AWS API Gateway, Kong, Nginx), detects specific attack types (BOLA/IDOR, rate limit bypass, credential scanning, injection attempts), and uses pandas for statistical analysis and anomaly detection. | 3 / 3 |
Completeness | Clearly answers both 'what' (parses API Gateway logs to detect specific attack types using pandas for statistical analysis) and 'when' (explicitly states 'Use when investigating API abuse or building API-specific threat detection rules'). | 3 / 3 |
Trigger Term Quality | Excellent coverage of natural terms a user would say: 'API Gateway', 'access logs', 'BOLA', 'IDOR', 'rate limit bypass', 'credential scanning', 'injection', 'API abuse', 'threat detection', plus specific platform names (AWS, Kong, Nginx). These are terms security engineers would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive with a clear niche: API Gateway log analysis for specific security threats. The combination of named platforms, specific attack types, and the API-specific focus makes it very unlikely to conflict with general log analysis or broader security skills. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
37%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides a reasonable starting point with two executable Python snippets for BOLA and credential scanning detection, but it falls short on three of five promised detection patterns which lack any code. The boilerplate prerequisites and 'When to Use' sections waste tokens without adding actionable value. The absence of a structured investigation workflow with validation steps significantly limits its usefulness for SOC analysts.
Suggestions
Add executable code examples for the remaining detection patterns (rate limit bypass, injection detection, unusual HTTP methods) instead of just listing them as bullet points.
Define a clear step-by-step investigation workflow: load logs → normalize fields → run detection patterns → validate findings → generate report, with explicit validation checkpoints.
Remove or drastically shorten the generic 'When to Use' and 'Prerequisites' sections—Claude doesn't need to be told about 'familiarity with security operations concepts'.
Add threshold tuning guidance (e.g., why 50 unique IDs or 100 auth failures) and false positive handling to make the detection patterns production-ready.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The 'When to Use' and 'Prerequisites' sections contain generic boilerplate that doesn't add value (e.g., 'Familiarity with security operations concepts', 'Access to a test or lab environment'). The core detection content is reasonably lean, but the surrounding fluff wastes tokens. | 2 / 3 |
Actionability | The BOLA detection and 401 surge examples are concrete and executable, but patterns 2, 4, and 5 from the key detection list are only described without any code or specific commands. The skill promises detection for rate limit bypass, injection attempts, and unusual HTTP methods but delivers no executable guidance for them. | 2 / 3 |
Workflow Clarity | There is no clear multi-step workflow or sequencing for an investigation. The skill lists detection patterns as a numbered list but doesn't define an analysis workflow, validation checkpoints, or what to do with findings. For a security investigation skill involving potentially destructive or high-stakes decisions, this lack of structure is a significant gap. | 1 / 3 |
Progressive Disclosure | The content has some section structure (When to Use, Prerequisites, Instructions, Examples) but inlines everything without references to deeper materials. The detection patterns list could benefit from linking to detailed pattern files, and there's no navigation to advanced topics like tuning thresholds or handling false positives. | 2 / 3 |
Total | 7 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
888bbe4
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.