CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-command-and-control-communication

Analyzes malware command-and-control (C2) communication protocols to understand beacon patterns, command structures, data encoding, and infrastructure. Covers HTTP, HTTPS, DNS, and custom protocol C2 analysis for detection development and threat intelligence. Activates for requests involving C2 analysis, beacon detection, C2 protocol reverse engineering, or command-and-control infrastructure mapping.

68

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill is highly actionable with executable code throughout and a clear six-step workflow, but it is held back by verbosity (the Key Concepts table), absent validation checkpoints, and a monolithic structure that ignores its own bundle files. Tightening inline reference material and linking the existing api-reference.md and agent.py would lift conciseness and progressive disclosure.

Suggestions

Add explicit validation/verification checkpoints to the workflow — e.g., after Step 3 confirm the decoded command set against Ghidra disassembly, and after Step 6 test Suricata rules against the source PCAP before finalizing.

Reference the existing bundle files from the body (references/api-reference.md for scapy/dpkt/tshark/JA3 API detail, scripts/agent.py for the beacon-detection implementation) instead of inlining all of that material.

Trim the Key Concepts table to only C2-specific, non-obvious definitions and consider moving the framework-signature and Tools & Systems tables into a reference file to reduce the inline token load.

DimensionReasoningScore

Conciseness

The body is mostly efficient operational code, but the 'Key Concepts' table explains largely known terms (beaconing, jitter, malleable C2, domain fronting) and inline reference material could be tightened; not the lean level-3 ideal yet above verbose level 1.

2 / 3

Actionability

Provides fully executable, copy-paste-ready code (scapy beacon analysis, dpkt HTTP decoding, requests-based Shodan/VirusTotal enrichment, CobaltStrikeParser usage, and complete Suricata rules), matching the executable-and-complete anchor.

3 / 3

Workflow Clarity

Steps 1–6 are clearly sequenced and a numbered scenario approach exists, but there are no explicit validation/verification checkpoints (e.g., confirming a decoded protocol against disassembly or verifying a signature fires), so it sits at the sequence-present-but-checkpoints-implicit level rather than level 3.

2 / 3

Progressive Disclosure

Sections are reasonably organized, but the ~370-line body is a monolithic wall with content that belongs in references, and the existing bundle files (references/api-reference.md, scripts/agent.py) are never referenced from the body — references present but not clearly signaled.

2 / 3

Total

9

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is strong: third-person voice, concrete capability actions, natural trigger terms, and an explicit activation clause covering both what and when. It is well-scoped to the C2 analysis niche with low conflict risk.

DimensionReasoningScore

Specificity

Lists multiple concrete actions: 'understand beacon patterns, command structures, data encoding, and infrastructure' and 'detection development and threat intelligence', matching the multiple-specific-actions anchor rather than the domain-only level 2.

3 / 3

Completeness

Explicitly states what it does ('Analyzes malware command-and-control (C2) communication protocols...') and when to use it ('Activates for requests involving...'), clearly answering both what and when with explicit triggers.

3 / 3

Trigger Term Quality

Uses natural terms a user would say — 'C2 analysis, beacon detection, C2 protocol reverse engineering, or command-and-control infrastructure mapping' plus 'HTTP, HTTPS, DNS' — giving good coverage rather than only some relevant keywords.

3 / 3

Distinctiveness Conflict Risk

The C2/malware-analysis niche with distinct triggers (beacon detection, C2 protocol reverse engineering, infrastructure mapping) is unlikely to overlap with unrelated skills; it is clearly distinguishable rather than merely somewhat specific.

3 / 3

Total

12

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.