CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-network-covert-channels-in-malware

Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse for C2 and data exfiltration.

62

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body delivers executable, actionable analysis code but is weighed down by an oversized inline script that duplicates the bundled agent.py, an incomplete workflow, and orphaned bundle files that are never referenced from SKILL.md.

Suggestions

Replace the inline ~140-line script with a concise snippet plus a link to scripts/agent.py to avoid duplication and save context tokens.

Complete the Workflow with Steps 2-4 (ICMP, HTTP steganography, protocol abuse) and add explicit validation checkpoints (e.g., verify findings against legitimate CDN/cloud traffic before reporting).

Reference the bundle files from the body — link references/api-reference.md for thresholds/Zeek/tshark details and assets/template.md for reporting — instead of leaving them orphaned.

DimensionReasoningScore

Conciseness

Mostly efficient and domain-focused, but the ~140-line inline Python block duplicates scripts/agent.py and inflates the body; it could be tightened by pointing to the bundled script instead of embedding it.

2 / 3

Actionability

The inline script is complete and executable — real imports, working functions (entropy, DNS/ICMP analysis), argument handling, and a runnable main — making it copy-paste ready.

3 / 3

Workflow Clarity

A Workflow section and Validation Criteria exist, but only 'Step 1' is shown despite four techniques, and there are no in-workflow validation checkpoints or error-recovery feedback loops for the batch PCAP analysis, capping clarity at 2.

2 / 3

Progressive Disclosure

Sections are organized and a References section exists, but the body never links to the provided bundle (references/*.md, assets/template.md, scripts/agent.py), and the large inline script duplicates content that should live in scripts/ — references are not clearly signaled.

2 / 3

Total

9

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific, uses natural trigger terms, and occupies a clear niche, but it omits an explicit 'when to use' clause, capping completeness at 2.

Suggestions

Add an explicit 'Use when...' clause naming triggering scenarios (e.g., 'Use when investigating DNS tunneling, ICMP exfiltration, or HTTP-based C2 in malware PCAPs').

Mirror a few common phrasings users might say ('covert C2 channels', 'data exfiltration over DNS/ICMP') to broaden trigger coverage.

DimensionReasoningScore

Specificity

Lists multiple concrete actions — 'Detect and analyze covert communication channels' across 'DNS tunneling, ICMP exfiltration, steganographic HTTP, and protocol abuse' — matching the anchor for several specific actions rather than vague language.

3 / 3

Completeness

Clearly states what the skill does, but lacks an explicit 'Use when...' or equivalent trigger clause; per the judging guidelines a missing explicit trigger caps completeness at 2.

2 / 3

Trigger Term Quality

Uses natural analyst-facing terms ('DNS tunneling', 'ICMP exfiltration', 'covert communication channels', 'C2', 'data exfiltration', 'malware') that a user would plausibly say when needing this skill.

3 / 3

Distinctiveness Conflict Risk

The niche — covert network channels in malware — is specific with distinct triggers (DNS tunneling, ICMP exfiltration) unlikely to fire for unrelated skills.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.