analyzing-cloud-storage-access-patterns
Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.
51
56%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-cloud-storage-access-patterns/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description that clearly articulates concrete capabilities and covers relevant trigger terms across multiple cloud providers. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The technical depth and specificity are excellent for distinguishing it from other skills.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about suspicious cloud storage activity, data exfiltration detection, or anomalous access patterns in S3, GCS, or Azure Blob Storage.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: detecting abnormal access patterns, analyzing CloudTrail Data Events/GCS audit logs/Azure Storage Analytics, identifying after-hours bulk downloads, access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection. | 3 / 3 |
Completeness | The 'what' is thoroughly covered with specific capabilities and techniques, but there is no explicit 'Use when...' clause or equivalent trigger guidance telling Claude when to select this skill. The 'when' is only implied by the described capabilities. | 2 / 3 |
Trigger Term Quality | Excellent coverage of natural keywords users would say: AWS S3, GCS, Azure Blob Storage, CloudTrail, data exfiltration, bulk downloads, anomaly detection, access patterns, GetObject spikes, audit logs. These are terms a security analyst would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive with a clear niche: cloud storage anomaly detection across specific providers (AWS S3, GCS, Azure Blob). The combination of specific log sources, detection techniques, and cloud storage focus makes it very unlikely to conflict with other skills. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
29%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill covers an interesting and complex domain but significantly underdelivers on its stated scope—it mentions GCS and Azure in the description but only addresses AWS S3 in the content. The instructions are more of a high-level outline than actionable guidance, lacking executable code for baseline building and anomaly detection. Critical validation steps and error recovery paths are absent for what is inherently a multi-step analytical workflow.
Suggestions
Add executable Python code for at least the baseline-building and anomaly-detection steps (steps 3-4), rather than just describing them in prose.
Include validation checkpoints: e.g., verify CloudTrail Data Events are enabled, confirm baseline has sufficient data points before anomaly scoring, and validate output report schema.
Either provide the referenced 'scripts/agent.py' in the bundle or remove the reference and inline the core logic.
Address GCS and Azure as promised in the description, or narrow the scope to AWS-only. If multi-cloud, use progressive disclosure with separate reference files per cloud provider.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The 'When to Use' and 'Prerequisites' sections contain generic filler that Claude already knows (e.g., 'Familiarity with cloud security concepts', 'Access to a test or lab environment'). The core instructions are reasonably lean but the surrounding boilerplate wastes tokens. | 2 / 3 |
Actionability | The skill provides some concrete guidance (thresholds like >100 GetObject calls, 30-day IP history, a CLI command), but lacks executable code for the actual analysis logic. Steps 2-5 are descriptive rather than providing copy-paste-ready code or queries. The referenced script 'scripts/agent.py' doesn't exist in the bundle. | 2 / 3 |
Workflow Clarity | The steps are listed but lack validation checkpoints, error handling, or feedback loops. For a security analysis workflow involving potentially large datasets and anomaly detection, there's no guidance on verifying baseline quality, handling missing logs, or validating findings before reporting. The workflow jumps from 'detect anomalies' to 'generate report' with no intermediate verification. | 1 / 3 |
Progressive Disclosure | The skill references 'scripts/agent.py' but no bundle files exist. There are no references to supporting documentation for GCS or Azure (despite the description mentioning both). All content is in a single file with no structured navigation to deeper materials, and the multi-cloud scope described is barely addressed. | 1 / 3 |
Total | 6 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
0445030
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.