
analyzing-certificate-transparency-for-phishing

Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.

72

Quality: 66% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Advisory (Suggest reviewing before use)

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/analyzing-certificate-transparency-for-phishing/SKILL.md

Quality

Discovery

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong description with excellent specificity, naming concrete tools and actions in a well-defined security niche. The main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The domain-specific terminology serves as effective natural trigger terms for security professionals.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about certificate monitoring, CT logs, domain impersonation detection, or wants to check for suspicious certificates targeting their organization.'

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Lists multiple specific concrete actions: monitoring Certificate Transparency logs, detecting phishing domains, detecting lookalike certificates, and detecting unauthorized certificate issuance. Also names specific tools (crt.sh, Certstream). | 3 / 3 |
| Completeness | Clearly answers 'what does this do' (monitor CT logs, detect phishing domains, lookalike certificates, unauthorized issuance) but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'Certificate Transparency', 'crt.sh', 'Certstream', 'phishing domains', 'lookalike certificates', 'unauthorized certificate issuance'. These are terms a security professional would naturally use. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive niche focusing specifically on Certificate Transparency log monitoring with named tools (crt.sh, Certstream). Very unlikely to conflict with other skills given the specialized domain. | 3 / 3 |
| Total | | 11 / 12 (Passed) |

Implementation

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides highly actionable, executable Python code for CT log monitoring and phishing detection, which is its primary strength. However, it is significantly bloated with explanatory content Claude doesn't need (CT log concepts, what crt.sh is, how phishing works via certificates), and the workflow lacks integrated validation checkpoints between steps. The monolithic structure with all code inline would benefit from progressive disclosure via separate reference files.

Suggestions

Remove or drastically reduce the 'Key Concepts' section—Claude already understands CT logs, certificate issuance, and phishing mechanics. Keep only non-obvious implementation details.

Add explicit validation/error handling between workflow steps: check for crt.sh rate limiting (HTTP 429), verify Certstream WebSocket connection, validate JSON responses before processing.

Extract the full class implementations into a referenced Python file and keep only concise usage examples in the SKILL.md body.

Remove the generic 'When to Use' section which adds no actionable value.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The skill is excessively verbose. The 'Key Concepts' section explains CT logs, phishing detection via CT, and crt.sh in detail—all concepts Claude already knows. The 'When to Use' section is generic filler. The 'Prerequisites' section explains what crt.sh and Certstream are despite already being described elsewhere. The overall content could be cut by 40-50% without losing actionable value. | 1 / 3 |
| Actionability | The code examples are fully executable, complete Python classes with concrete implementations. The crt.sh queries, Certstream monitoring, subdomain enumeration, and report generation are all copy-paste ready with specific API endpoints, parameters, and data processing logic. | 3 / 3 |
| Workflow Clarity | The four steps are clearly sequenced and logically ordered (historical query → real-time monitoring → enumeration → reporting). However, there are no validation checkpoints between steps—no error handling guidance for when crt.sh returns errors or rate-limits, no verification that Certstream connections succeed, and the 'Validation Criteria' section is a checklist of expected outcomes rather than integrated verification steps. | 2 / 3 |
| Progressive Disclosure | The content is a monolithic wall of code and explanation with no references to separate files for advanced topics. The 200+ lines of code inline could benefit from being split into separate reference files (e.g., a full class implementation file), with the SKILL.md providing a concise overview and quick-start examples. The References section at the end is good but the body content itself lacks progressive structure. | 2 / 3 |
| Total | | 8 / 12 (Passed) |

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 (Passed) |

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
