Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications, privileged pod creation, and anonymous API access. Builds threat detection rules from audit event patterns. Use when investigating Kubernetes cluster compromise or building k8s-specific SIEM detection rules.
Overall score: 74
Quality: 68% (Does it follow best practices?)
Impact: Pending (No eval scenarios have been run)
Passed: No known issues
Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/analyzing-kubernetes-audit-logs/SKILL.md`
Quality
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly articulates specific capabilities (parsing K8s audit logs for five distinct threat patterns), includes rich natural trigger terms spanning both full names and abbreviations, and provides explicit 'Use when' guidance. The description is concise yet comprehensive, covering a well-defined niche with minimal conflict risk.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: parsing K8s audit logs, detecting exec-into-pod, secret access, RBAC modifications, privileged pod creation, anonymous API access, and building threat detection rules from audit event patterns. | 3 / 3 |
| Completeness | Clearly answers both what (parses K8s audit logs to detect specific threat patterns and builds detection rules) and when ('Use when investigating Kubernetes cluster compromise or building k8s-specific SIEM detection rules'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'Kubernetes', 'audit logs', 'exec-into-pod', 'secret access', 'RBAC', 'privileged pod', 'cluster compromise', 'SIEM detection rules', 'k8s'. Good coverage of both full names and abbreviations. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche targeting Kubernetes API server audit logs specifically, with very specific triggers around K8s security investigation and SIEM rule building. Unlikely to conflict with general log analysis or other security skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 37%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides a reasonable starting point with executable Python for basic Kubernetes audit log parsing, but it falls short on completeness—only 2 of 5 detection categories have code examples. The workflow is essentially absent: there's no investigation sequence, no triage guidance, and no validation steps. Boilerplate sections like Prerequisites add tokens without value.
Suggestions
- Add executable code examples for all five detection categories (RBAC escalation, privileged pod creation, anonymous access) instead of just listing them as bullets.
- Define a clear multi-step investigation workflow: e.g., 1) Load and validate log format → 2) Run detection rules → 3) Correlate events by user/session → 4) Output structured findings, with explicit validation at each step.
- Remove the boilerplate 'Prerequisites' and 'When to Use' sections or compress them to 1-2 lines; Claude doesn't need to be told about 'appropriate authorization' or 'familiarity with container security concepts'.
- Add a reference to a separate file for advanced topics like building SIEM detection rules or Sigma/KQL query generation, which are mentioned in the skill description but absent from the content.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The 'When to Use' and 'Prerequisites' sections contain filler that Claude doesn't need (e.g., 'Familiarity with container security concepts', 'Appropriate authorization for any testing activities'). The core instructions are reasonably lean but surrounded by unnecessary boilerplate. | 2 / 3 |
| Actionability | The basic exec detection code is executable and concrete, but the other four detection categories (secrets, RBAC, privileged pods, anonymous access) are only listed as bullet points without corresponding code. Only one additional example (secret enumeration) is provided, leaving privileged pod detection, clusterrolebinding creation, and anonymous access without executable guidance. | 2 / 3 |
| Workflow Clarity | There is no clear multi-step workflow for analyzing audit logs end-to-end. No sequencing of steps (e.g., collect logs → parse → detect → triage → report), no validation checkpoints, and no guidance on what to do when detections fire. For a security investigation skill involving potentially destructive or high-stakes decisions, this is insufficient. | 1 / 3 |
| Progressive Disclosure | The content has some section structure (When to Use, Prerequisites, Instructions, Examples) but everything is inline with no references to deeper materials. The detection rules for all five event types could be split into a detailed reference file, and there's no navigation to advanced topics like building SIEM rules or threat hunting queries mentioned in the description. | 2 / 3 |
| Total | | 7 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
c15f73d