CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-kubernetes-audit-logs

Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications, privileged pod creation, and anonymous API access. Builds threat detection rules from audit event patterns. Use when investigating Kubernetes cluster compromise or building k8s-specific SIEM detection rules.

72

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

80%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The content is concise and actionable with executable code, but it lacks an explicit multi-step workflow with validation checkpoints and fails to point to the existing bundle reference and script files, weakening workflow clarity and progressive disclosure.

Suggestions

Add explicit navigation to bundle files: e.g. 'For the full event/severity table and audit policy levels, see references/api-reference.md' and note that scripts/agent.py provides a ready-to-run detector.

Add a short validation/feedback step in the workflow, such as skipping malformed JSON lines and verifying a candidate detection against the responseStatus code before reporting it.

Sequence the detection process as numbered steps (parse -> classify each event type -> aggregate/report findings) with an explicit checkpoint for confirming high-severity findings.

DimensionReasoningScore

Conciseness

The body is lean: it jumps straight into executable parsing code and a numbered event list without over-explaining Kubernetes concepts Claude already knows, so every token earns its place.

3 / 3

Actionability

Provides fully executable, copy-paste-ready Python parsing both in the Instructions and Examples sections, plus a concrete numbered list of key events to detect.

3 / 3

Workflow Clarity

The 'Instructions' gives a single parse-and-detect action and a numbered event list, but there is no explicit sequencing of a multi-step process or validation/checkpoint for confirming detections (e.g. handling malformed JSON lines, verifying a finding), capping it at 2 rather than 3.

2 / 3

Progressive Disclosure

A bundle reference file (references/api-reference.md) and a reusable script (scripts/agent.py) exist, but the body never signals or links to either — the reference is unmentioned inline and the agent.py script is not invoked, so navigation is missing.

2 / 3

Total

10

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is strong across all dimensions: it states concrete actions, includes natural trigger terms, covers both what and when explicitly, and occupies a distinct, low-conflict niche.

DimensionReasoningScore

Specificity

Lists multiple specific concrete actions: 'detect exec-into-pod, secret access, RBAC modifications, privileged pod creation, and anonymous API access' and 'Builds threat detection rules from audit event patterns', matching the highest anchor.

3 / 3

Completeness

Explicitly answers both what (parses/detects/builds rules) and when ('Use when investigating Kubernetes cluster compromise or building k8s-specific SIEM detection rules'), meeting the explicit-trigger anchor.

3 / 3

Trigger Term Quality

Includes natural terms a user would say — 'Kubernetes audit logs', 'investigating Kubernetes cluster compromise', and 'building k8s-specific SIEM detection rules' — giving good coverage rather than only jargon.

3 / 3

Distinctiveness Conflict Risk

Targets a clear niche — Kubernetes API server audit log analysis — with distinct triggers that are unlikely to fire for unrelated skills.

3 / 3

Total

12

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.