CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-campaign-attribution-evidence

Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr

55

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body delivers strong, executable code and a clear four-step sequence, but it duplicates the description in the Overview and keeps substantive material inline instead of routing to the provided reference/script/asset bundle. Validation is present as a checklist rather than integrated workflow checkpoints.

Suggestions

Replace the verbatim Overview duplicate with pointers to the bundle: link references/api-reference.md for STIX/ATT&CK queries, references/workflows.md for the end-to-end flow, and assets/template.md for report output.

Integrate validation as inline checkpoints (e.g., after Step 1 verify all six evidence categories are populated; after Step 3 confirm ATT&CK technique IDs resolve) instead of a detached list.

Tighten the Overview and Key Concepts to remove restated description content and keep only what is not already obvious to a threat-intelligence analyst.

DimensionReasoningScore

Conciseness

The body is largely lean and code-forward without explaining basics Claude already knows, but the Overview paragraph restates the frontmatter description verbatim and the Key Concepts/Confidence Levels sections add explanatory padding that could be tightened, fitting "mostly efficient but could be tightened" rather than fully lean.

2 / 3

Actionability

Provides complete, executable Python (AttributionAnalyzer class, analyze_infrastructure_overlap, compare_campaign_ttps, generate_attribution_report) that is copy-paste ready with real imports and concrete return structures, matching the fully-executable anchor.

3 / 3

Workflow Clarity

Steps 1–4 are clearly sequenced, but validation lives in a separate "Validation Criteria" list rather than as inline checkpoints/feedback loops within the workflow, leaving the sequence present but checkpoints implicit.

2 / 3

Progressive Disclosure

The body is well-sectioned but keeps detailed API/code content inline and never links to the existing bundle (references/api-reference.md, standards.md, workflows.md, scripts/agent.py, scripts/process.py, assets/template.md); the References section only lists external URLs, so structure exists while content that should be split out and navigated is not signaled.

2 / 3

Total

9

/

12

Passed

Description

60%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description names a strong, specific set of attribution-analysis actions but is truncated mid-sentence and lacks any explicit "Use when..." trigger guidance. Trigger terms lean technical rather than natural, limiting when users would naturally invoke it.

Suggestions

Restore the truncated description so it ends with a complete sentence rather than cutting off at "weighting attr".

Append an explicit trigger clause, e.g. "Use when investigating which threat actor is behind a campaign, attributing an intrusion, or correlating TTPs/infrastructure across operations."

Add natural user-facing terms ("who is behind this attack", "attributing a breach", "threat actor identification") alongside the current jargon.

DimensionReasoningScore

Specificity

Lists multiple concrete actions — "collecting and weighting attribution indicators", "analyzing infrastructure overlaps, TTP consistency, malware code similarities, operational timing patterns, and language artifacts", and "build confidence-weighted attribution assessments" — matching the multiple-specific-actions anchor.

3 / 3

Completeness

It clearly answers "what" the skill does but provides no "Use when..." clause or equivalent explicit trigger guidance, which the guidelines cap at 2; additionally the field is truncated mid-word ("collecting and weighting attr"), weakening the statement.

2 / 3

Trigger Term Quality

Contains some natural terms ("campaign attribution", "threat actor") but is dominated by technical jargon ("Diamond Model and ACH", "TTP consistency", "language artifacts") with no common user-facing variations, so it sits at the "some relevant keywords but missing common variations" level rather than full coverage.

2 / 3

Distinctiveness Conflict Risk

Campaign attribution is a recognizable niche, but the absence of explicit trigger phrasing and overlap with broader threat-intelligence/CTI skills keeps it at "somewhat specific but could still overlap" rather than a clearly distinct, low-conflict trigger set.

2 / 3

Total

9

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.