CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-cobaltstrike-malleable-c2-profiles

Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract C2 indicators, detect evasion techniques, and generate network detection signatures.

57

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A well-structured overview with a clear step sequence, but it explains background Claude knows, lacks inline executable code and validation checkpoints, and fails to point to the bundled reference and script that contain the actionable detail.

Suggestions

Tighten the Overview to drop background concepts Claude already knows, keeping only the analysis-specific framing.

Add inline executable code for the key steps, or explicitly link to references/api-reference.md (e.g. 'See [api-reference.md](references/api-reference.md) for full parsing API') and scripts/agent.py so the bundled detail is discoverable.

Insert validation checkpoints into the workflow (e.g. verify parsed config fields are populated before generating signatures, and test generated Suricata rules against sample traffic).

DimensionReasoningScore

Conciseness

The Overview explains background ('Cobalt Strike Malleable C2 profiles are domain-specific language scripts that customize how Beacon communicates…') that Claude already knows, while the Steps are reasonably tight. Not a 3 because the Overview padding is unnecessary; not a 1 because it is not a verbose tutorial wall of text.

2 / 3

Actionability

Provides a few concrete items (pip install commands, 'C2Profile.from_path("profile.profile")') but most steps only describe actions ('Extract HTTP GET/POST block configurations', 'Analyze process injection settings') without executable code. Not a 3 because it is not copy-paste ready throughout; not a 1 because some concrete commands and an API call are present.

2 / 3

Workflow Clarity

Ten steps are clearly numbered and sequenced, but there are no validation or verification checkpoints in a workflow that generates detection signatures and compares profiles. Not a 1 because the sequence is explicit; not a 3 because validation/feedback loops are absent.

2 / 3

Progressive Disclosure

Bundle files references/api-reference.md and scripts/agent.py exist with the real executable API, but the body never links to or signals them, so a reader would not know to consult them. Not a 1 because the body is well-organized into sections, not a monolith; not a 3 because the existing references are not clearly signaled.

2 / 3

Total

8

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A specific, well-targeted description with strong action and trigger language, undermined only by the absence of an explicit 'Use when…' clause. Adding trigger guidance would raise completeness from 2 to 3.

Suggestions

Append an explicit 'Use when…' clause, e.g. 'Use when analyzing Cobalt Strike malleable C2 profiles, extracting C2 IOCs from beacon configs, or generating Suricata/Snort signatures from profile indicators.'

Add common user-facing variations such as 'beacon config', 'threat hunting', and 'IOC extraction' to broaden trigger coverage.

DimensionReasoningScore

Specificity

Lists multiple concrete actions — 'Parse and analyze…extract C2 indicators, detect evasion techniques, and generate network detection signatures' — rather than vague language. Not a 2 because the action set is comprehensive, not just a domain plus partial actions.

3 / 3

Completeness

Clearly states what the skill does but has no 'Use when…' clause or equivalent explicit trigger guidance, which the rubric caps at 2. Not a 1 because the 'what' is explicit and specific; not a 3 because 'when' is entirely absent.

2 / 3

Trigger Term Quality

Uses natural terms a threat hunter/SOC analyst would actually say — 'Cobalt Strike Malleable C2 profiles', 'C2 indicators', 'network detection signatures'. Not a 2 because coverage of the domain's common terms is good rather than missing variations.

3 / 3

Distinctiveness Conflict Risk

Targets a narrow, well-defined niche (Cobalt Strike Malleable C2 profile analysis) with distinct triggers unlikely to fire for other skills. Not a 2 because it would not meaningfully overlap with adjacent skills.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.