analyzing-certificate-transparency-for-phishing
Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.
55
62%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-certificate-transparency-for-phishing/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong description with excellent specificity and distinctiveness, naming concrete tools and actions in a clear security monitoring niche. The main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The trigger terms are naturally aligned with what security professionals would say.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about certificate monitoring, CT logs, phishing domain detection, or wants to check crt.sh or Certstream for suspicious certificates.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: monitoring Certificate Transparency logs, detecting phishing domains, detecting lookalike certificates, and detecting unauthorized certificate issuance. Also names specific tools (crt.sh and Certstream). | 3 / 3 |
Completeness | Clearly answers 'what does this do' (monitor CT logs, detect phishing domains, lookalike certs, unauthorized issuance) but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric. | 2 / 3 |
Trigger Term Quality | Includes strong natural keywords users would say: 'Certificate Transparency', 'crt.sh', 'Certstream', 'phishing domains', 'lookalike certificates', 'unauthorized certificate issuance'. These are terms a security professional would naturally use when needing this capability. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche — Certificate Transparency monitoring with specific tools (crt.sh, Certstream) is unlikely to conflict with other skills. The domain is very specific to certificate security monitoring. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
42%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable, executable Python code for CT log monitoring and phishing detection, which is its primary strength. However, it is significantly over-verbose with unnecessary concept explanations, generic 'When to Use' sections, and prerequisites that Claude doesn't need. The monolithic structure with all code inline makes it a poor fit for the SKILL.md format, and the workflow lacks explicit validation checkpoints between steps.
Suggestions
Remove the 'Key Concepts' section entirely — Claude already understands CT logs, crt.sh, and phishing detection. Move any truly novel configuration details into code comments.
Remove or drastically shorten the 'When to Use' and 'Prerequisites' sections, which add no actionable value.
Add explicit validation checkpoints between workflow steps, e.g., verify crt.sh returns valid JSON before proceeding, handle rate limiting (HTTP 429), and validate Certstream connection before relying on alerts.
Split the large code blocks into separate bundle files (e.g., ct_monitor.py, certstream_monitor.py) and reference them from SKILL.md with a concise overview of each step.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is excessively verbose. The 'Key Concepts' section explains CT logs, crt.sh, and phishing detection concepts that Claude already knows. The 'When to Use' section is generic filler. The 'Prerequisites' section lists obvious requirements. The code examples, while useful, are padded with explanatory comments and print statements that inflate token count significantly. | 1 / 3 |
Actionability | The skill provides fully executable Python code with concrete classes, methods, and usage examples. All four steps contain copy-paste ready code with proper imports, API calls, and data processing logic. The code is complete and functional, not pseudocode. | 3 / 3 |
Workflow Clarity | The four steps are clearly sequenced (query historical → monitor real-time → enumerate subdomains → generate report), but there are no validation checkpoints between steps. No error handling guidance for common failures like crt.sh rate limiting, Certstream connection drops, or malformed API responses. The 'Validation Criteria' section is a checklist of expected outcomes rather than actionable verification steps integrated into the workflow. | 2 / 3 |
Progressive Disclosure | The skill is a monolithic wall of text with ~200+ lines of inline code. There are no bundle files to offload the detailed class implementations, and the References section links only to external sites. The four large code blocks could easily be split into separate files with the SKILL.md providing a concise overview and navigation. | 1 / 3 |
Total | 7 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
0f429d0
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.