
analyzing-network-flow-data-with-netflow

Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing patterns. Uses the Python netflow library to decode flow records, builds traffic baselines, and applies statistical analysis to identify flows with abnormal byte counts, connection durations, and periodic timing patterns.

Overall score: 67

Quality: 60% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security (by Snyk): Passed (No known issues)


Quality

Discovery

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong, technically detailed description that clearly communicates specific capabilities and uses domain-appropriate terminology. Its main weakness is the absence of an explicit 'Use when...' clause, which caps completeness at 2 per the rubric guidelines. The description excels at specificity and distinctiveness, making it easy to differentiate from other skills.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about analyzing NetFlow or IPFIX data, investigating network anomalies, detecting port scans, identifying C2 beaconing, or examining flow records for suspicious traffic patterns.'

Dimension, reasoning and score:

Specificity (3 / 3): Lists multiple specific concrete actions: parse NetFlow v9/IPFIX records, detect volumetric anomalies, port scanning, data exfiltration, C2 beaconing, build traffic baselines, apply statistical analysis to identify abnormal byte counts, connection durations, and periodic timing patterns.

Completeness (2 / 3): The 'what' is thoroughly covered with specific capabilities and methods, but there is no explicit 'Use when...' clause or equivalent trigger guidance telling Claude when to select this skill. The 'when' is only implied by the nature of the capabilities described.

Trigger Term Quality (3 / 3): Includes strong natural keywords users would say: 'NetFlow', 'IPFIX', 'port scanning', 'data exfiltration', 'C2 beaconing', 'flow records', 'traffic baselines', 'volumetric anomalies'. These are terms a network security analyst would naturally use.

Distinctiveness / Conflict Risk (3 / 3): Highly distinctive with a clear niche: NetFlow/IPFIX analysis for network security anomaly detection. The specific protocols (NetFlow v9, IPFIX), library (Python netflow), and detection types (C2 beaconing, volumetric anomalies) make it very unlikely to conflict with other skills.

Total: 11 / 12 (Passed)

Implementation

37%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides a reasonable skeleton for NetFlow analysis but falls short on actionability and workflow clarity. The detection categories (port scanning, exfiltration, beaconing, volumetric anomalies) are listed but lack concrete implementation code, statistical thresholds, or validation steps. Generic boilerplate in prerequisites and 'When to Use' sections wastes tokens without adding value.

Suggestions

Add executable Python code for each detection type (port scanning, exfiltration, beaconing, volumetric anomalies) with specific thresholds and logic rather than abstract descriptions.

Include validation checkpoints in the workflow, e.g., verify parsed flow count, confirm baseline statistics before anomaly detection, and validate output report schema.

Remove generic prerequisites and 'When to Use' bullets that Claude already knows (e.g., 'Familiarity with network security concepts', 'Appropriate authorization').

Either include the contents/logic of 'scripts/agent.py' or replace the reference with inline executable code that demonstrates the full analysis pipeline.

Dimension, reasoning and score:

Conciseness (2 / 3): The 'When to Use' and 'Prerequisites' sections contain generic filler that Claude already knows (e.g., 'Familiarity with network security concepts', 'Appropriate authorization for any testing activities'). The core instructions are reasonably lean, but the surrounding boilerplate wastes tokens.

Actionability (2 / 3): There is one concrete code example for parsing and a CLI command, but the detection logic (port scanning, exfiltration, beaconing, volumetric anomalies) is described abstractly without executable code or specific thresholds. The reference to 'scripts/agent.py' assumes an external script without showing its contents or how to create it.

Workflow Clarity (1 / 3): The five numbered steps are high-level and lack validation checkpoints. There is no guidance on what to do if parsing fails, no baseline-building procedure, no thresholds defined for anomaly detection, and no feedback loop for verifying findings. For a multi-step analytical workflow involving statistical analysis, this is insufficient.

Progressive Disclosure (2 / 3): The content is organized into sections (When to Use, Prerequisites, Instructions, Examples), which provides some structure, but all content is inline with no references to deeper documentation. The skill could benefit from linking to separate files for detection rule details, baseline configuration, or report format specifications.

Total: 7 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure (criterion, description, result):

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
