analyzing-api-gateway-access-logs
Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection. Use when investigating API abuse or building API-specific threat detection rules.
74
68%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-api-gateway-access-logs/SKILL.mdQuality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines its scope, lists specific capabilities and attack types it detects, names the platforms it supports, and provides explicit trigger guidance. It uses proper third-person voice throughout and includes domain-specific terminology that security professionals would naturally use when seeking this functionality.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: parses API Gateway access logs from named platforms (AWS API Gateway, Kong, Nginx), detects specific attack types (BOLA/IDOR, rate limit bypass, credential scanning, injection attempts), uses pandas for statistical analysis and anomaly detection. | 3 / 3 |
Completeness | Clearly answers both 'what' (parses API Gateway logs to detect specific attack types using pandas for statistical analysis) and 'when' (explicitly states 'Use when investigating API abuse or building API-specific threat detection rules'). | 3 / 3 |
Trigger Term Quality | Excellent coverage of natural terms a user would say: 'API Gateway', 'access logs', 'BOLA', 'IDOR', 'rate limit bypass', 'credential scanning', 'injection', 'API abuse', 'threat detection', plus specific platform names (AWS, Kong, Nginx). These are terms security engineers would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche combining API gateway log analysis with specific security attack detection patterns. The combination of named platforms, specific attack types (BOLA/IDOR), and the API-specific focus makes it very unlikely to conflict with general log analysis or generic security skills. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
37%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides a reasonable starting point for API gateway log analysis with two concrete, executable Python snippets for BOLA and credential scanning detection. However, it suffers from generic boilerplate sections, incomplete coverage of its own listed detection patterns (3 of 5 have no code), and a lack of any structured investigation workflow or validation steps. It reads more like a partial reference than an actionable security analysis procedure.
Suggestions
Add executable code examples for the remaining detection patterns (rate limit bypass, injection detection, unusual HTTP methods) to match the promises in the numbered list.
Structure the content as a sequenced investigation workflow with explicit steps: load logs → run each detection → triage findings → document results, including validation checkpoints.
Remove or significantly trim the generic 'When to Use' and 'Prerequisites' sections—Claude doesn't need to be told about 'familiarity with security operations concepts' or 'appropriate authorization.'
Add concrete output examples showing what suspicious results look like (e.g., sample DataFrame output) so Claude knows what to report to the analyst.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The 'When to Use' and 'Prerequisites' sections contain generic boilerplate that doesn't add value (e.g., 'Familiarity with security operations concepts', 'Access to a test or lab environment'). The core detection content is reasonably lean, but the surrounding fluff wastes tokens. | 2 / 3 |
Actionability | The BOLA detection and 401 surge examples are concrete and executable, but patterns 2, 4, and 5 from the key detection list are only described without any code or specific commands. The skill promises detection for rate limit bypass, injection attempts, and unusual HTTP methods but delivers no executable guidance for them. | 2 / 3 |
Workflow Clarity | There is no clear multi-step workflow or sequencing for an investigation. The skill lists detection patterns as a numbered list but doesn't sequence them into an analysis workflow, provide validation checkpoints, or describe what to do with findings. For a security analysis task involving potentially destructive or high-stakes decisions, this lack of structure is a significant gap. | 1 / 3 |
Progressive Disclosure | The content has some section structure (When to Use, Prerequisites, Instructions, Examples) but inlines everything without references to deeper materials. The detection patterns list could benefit from linking to detailed pattern-specific guides, and the examples section is thin relative to the five patterns promised. | 2 / 3 |
Total | 7 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
c15f73d
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.