analyzing-cloud-storage-access-patterns
Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.
67
60%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-cloud-storage-access-patterns/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description that clearly articulates what the skill does with concrete actions, specific cloud providers, log sources, and detection techniques. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The trigger terms are excellent and domain-appropriate, and the skill occupies a very distinct niche.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about suspicious cloud storage activity, S3 access anomalies, data exfiltration detection, or cloud storage security monitoring.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: detecting abnormal access patterns, analyzing CloudTrail Data Events/GCS audit logs/Azure Storage Analytics, identifying after-hours bulk downloads, access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection. | 3 / 3 |
Completeness | The 'what' is thoroughly covered with specific capabilities and techniques, but there is no explicit 'Use when...' clause or equivalent trigger guidance telling Claude when to select this skill. The 'when' is only implied by the described capabilities. | 2 / 3 |
Trigger Term Quality | Excellent coverage of natural keywords users would say: AWS S3, GCS, Azure Blob Storage, CloudTrail, data exfiltration, bulk downloads, anomaly detection, unusual API calls, GetObject spikes, after-hours access, new IP addresses. These are terms a security analyst would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive with a clear niche: cloud storage anomaly detection across specific providers (AWS S3, GCS, Azure Blob). The combination of specific log sources, detection patterns, and cloud storage focus makes it very unlikely to conflict with other skills. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
37%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides a reasonable high-level framework for S3 access pattern analysis with useful concrete thresholds and a CLI example, but falls short on executable code, validation steps, and multi-cloud coverage despite the description promising GCS and Azure support. The generic prerequisites and 'When to Use' sections waste tokens on information Claude already knows, and the workflow lacks the feedback loops critical for security investigation tasks.
Suggestions
Add executable Python code for at least one core analysis step (e.g., querying CloudTrail and computing baselines) rather than just describing the steps abstractly.
Add validation checkpoints to the workflow: verify CloudTrail event coverage, validate baseline statistical significance, and include false-positive triage guidance.
Remove or drastically shorten the 'When to Use' and 'Prerequisites' sections—Claude knows when security analysis is appropriate and what Python requires.
Either add concrete guidance for GCS and Azure analysis (as promised in the description) or scope the skill explicitly to AWS S3 only to avoid misleading coverage claims.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The 'When to Use' and 'Prerequisites' sections contain generic filler that Claude already knows (e.g., 'Familiarity with cloud security concepts', 'Access to a test or lab environment'). The core instructions are reasonably lean but the surrounding content wastes tokens. | 2 / 3 |
Actionability | The instructions provide some concrete guidance (specific thresholds like >100 GetObject calls, 30-day IP history, time windows) and a CLI command, but lack executable code for the actual analysis logic. Steps 2-5 are descriptive rather than providing copy-paste ready code or queries. The example JSON event is illustrative but not tied to actionable processing code. | 2 / 3 |
Workflow Clarity | The steps are listed but lack validation checkpoints, error handling, or feedback loops. For a security analysis workflow involving potentially large datasets and multiple cloud providers (as described in the skill description), there's no verification of results, no guidance on false positive handling, and no clear sequence for multi-cloud analysis despite the description mentioning GCS and Azure alongside AWS. | 1 / 3 |
Progressive Disclosure | The content references a script (`scripts/agent.py`) suggesting external tooling exists, but provides no links to detailed documentation, configuration references, or advanced usage guides. The structure has sections but everything is inline with no signposting to deeper materials for the multi-cloud scenarios mentioned in the description. | 2 / 3 |
Total | 7 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
888bbe4
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.