CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-cloud-storage-access-patterns

Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.

62

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is concise and well-structured with a usable entry-point command, but several instructional steps are abstract, the workflow lacks validation checkpoints, and the existing api-reference.md bundle is not signaled from the body.

Suggestions

Add a brief inline AWS CLI/boto3 query snippet or a 'See references/api-reference.md for CloudTrail lookup syntax' link so step 2 is executable from the body.

Insert a validation checkpoint in the workflow, e.g. 'Review flagged anomalies against the baseline; exclude known scheduled jobs before reporting' before the final report step.

Link references/api-reference.md explicitly (e.g., under a 'References' section) so the detection-threshold and event-name tables are discoverable.

DimensionReasoningScore

Conciseness

The body is lean and efficient — it never explains concepts Claude already knows (what S3/CloudTrail is) and every section earns its tokens, matching the 'lean and efficient' anchor.

3 / 3

Actionability

It provides one concrete command ('python scripts/agent.py --bucket ... --hours-back 24') and a concrete threshold ('>100 GetObject calls'), but steps 2-3 ('Query CloudTrail', 'Build access baselines') are descriptive rather than executable, with the actual code offloaded to bundle files.

2 / 3

Workflow Clarity

Steps 1-5 are clearly sequenced, but there are no validation or verification checkpoints (e.g., sanity-checking the baseline, confirming findings before reporting) for a batch log-analysis workflow, capping workflow clarity at 2.

2 / 3

Progressive Disclosure

Sections are well-organized, but the bundle file references/api-reference.md is never linked or signaled in the body (only scripts/agent.py is invoked inline), leaving a reference file orphaned rather than clearly navigated.

2 / 3

Total

9

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific, distinctive, and rich in natural trigger terms, but it omits any explicit 'Use when...' trigger guidance, which limits its completeness score.

Suggestions

Add an explicit trigger clause such as 'Use when investigating suspected data exfiltration from cloud storage, hunting anomalous S3/GCS/Azure Blob access, or building detection rules for after-hours bulk downloads.'

Surface common user phrasings like 'unusual S3 download', 'spike in GetObject', or 'new IP accessing my bucket' so the skill triggers on natural requests.

DimensionReasoningScore

Specificity

Lists multiple concrete actions such as 'Detect abnormal access patterns', 'analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics', and 'Identifies after-hours bulk downloads, access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration', matching the multiple-specific-actions anchor.

3 / 3

Completeness

It clearly answers 'what does this do' but never states 'when should Claude use it' — there is no 'Use when...' clause or equivalent explicit trigger guidance, which caps completeness at 2 per the judging guidelines.

2 / 3

Trigger Term Quality

Uses natural terms a cloud-security user would actually say when they need this skill ('AWS S3', 'GCS', 'Azure Blob Storage', 'CloudTrail', 'GetObject', 'data exfiltration'), giving good coverage rather than jargon-only phrasing.

3 / 3

Distinctiveness Conflict Risk

The cloud-storage access-anomaly detection niche across S3/GCS/Azure with named log sources is clearly distinct and unlikely to fire for unrelated skills.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.