Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing patterns. Uses the Python netflow library to decode flow records, builds traffic baselines, and applies statistical analysis to identify flows with abnormal byte counts, connection durations, and periodic timing patterns.
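As an added example (not code from the skill or from the netflow library), the three detections the description names, run over constructed, already-decoded flow records rather than a live NetFlow v9/IPFIX feed: beaconing by the coefficient of variation of inter-flow gaps, port scanning by distinct destination ports per source/host pair, and exfiltration by a z-score of outbound bytes against a constructed baseline. The record field names, the baseline values and every threshold are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed, already-decoded flow records (the shape the netflow library's
# parsed records are assumed to be reduced to); not captured from a real network.
FLOWS = (
    [{"src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443, "bytes": 900,
      "start": 1_700_000_000 + 60 * i + i % 2} for i in range(12)]      # ~60 s beacon
    + [{"src": "10.0.0.7", "dst": "10.0.0.20", "dport": p, "bytes": 60,
        "start": 1_700_000_100 + p} for p in range(1, 41)]              # port sweep
    + [{"src": "10.0.0.9", "dst": "198.51.100.4", "dport": 22,
        "bytes": 5_000_000_000, "start": 1_700_000_500}]                # bulk upload
    + [{"src": "10.0.0.11", "dst": "198.51.100.4", "dport": 80,
        "bytes": 40_000, "start": 1_700_000_000 + 37 * i * i} for i in range(8)]  # irregular
)
# Constructed baseline: per-host outbound byte totals from earlier observation windows.
BASELINE_BYTES = [20_000_000, 30_000_000, 25_000_000, 18_000_000, 32_000_000]

def beaconing(flows, min_flows=8, max_cv=0.1):
    """(src, dst, dport) tuples whose inter-flow gaps are nearly constant:
    a low coefficient of variation is the periodic-timing signature of C2."""
    starts = defaultdict(list)
    for f in flows:
        starts[(f["src"], f["dst"], f["dport"])].append(f["start"])
    hits = {}
    for conv, ts in starts.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else float("inf")
        if cv <= max_cv:
            hits[conv] = round(cv, 3)
    return hits

def port_scans(flows, min_ports=20):
    """Sources touching many distinct destination ports on a single host."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f["src"], f["dst"])].add(f["dport"])
    return {k: len(v) for k, v in ports.items() if len(v) >= min_ports}

def exfiltration(flows, baseline=BASELINE_BYTES, z=3.0):
    """Sources whose outbound byte total exceeds baseline mean + z * stdev."""
    total = defaultdict(int)
    for f in flows:
        total[f["src"]] += f["bytes"]
    limit = mean(baseline) + z * pstdev(baseline)
    return {src: b for src, b in total.items() if b > limit}
```

The irregular host exists as a control: it has enough flows to be evaluated but its gaps grow quadratically, so the CV gate rejects it while the 60-second beacon is flagged.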
Quality: 60% (Does it follow best practices?)
Impact: not scored (No eval scenarios have been run)
Passed: No known issues
Optimize this skill with Tessl:
npx tessl skill review --optimize ./skills/analyzing-network-flow-data-with-netflow/SKILL.md
Quality
Discovery: 82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, technically detailed description that clearly communicates specific capabilities in network flow analysis and security anomaly detection. Its main weakness is the absence of an explicit 'Use when...' clause, which caps the completeness score. The specificity and domain-specific trigger terms are excellent and would help Claude accurately select this skill.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about analyzing NetFlow/IPFIX data, investigating network anomalies, detecting port scans, identifying C2 beaconing, or analyzing flow records for security threats.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: parse NetFlow v9/IPFIX records, detect volumetric anomalies, port scanning, data exfiltration, C2 beaconing, build traffic baselines, apply statistical analysis, identify abnormal byte counts/connection durations/periodic timing patterns. | 3 / 3 |
| Completeness | The 'what' is thoroughly covered with specific capabilities and methods, but there is no explicit 'Use when...' clause or equivalent trigger guidance telling Claude when to select this skill. The 'when' is only implied by the described capabilities. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'NetFlow', 'IPFIX', 'port scanning', 'data exfiltration', 'C2 beaconing', 'flow records', 'traffic baselines', 'volumetric anomalies'. These are terms a network security analyst would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche in NetFlow/IPFIX analysis and network security anomaly detection. The specific protocols (NetFlow v9, IPFIX), library (Python netflow), and detection types (C2 beaconing, volumetric anomalies) make it very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 37%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides a reasonable skeleton for NetFlow analysis but falls short on actionability and workflow clarity. The detection categories (port scanning, C2 beaconing, exfiltration) are described conceptually without concrete implementation code, thresholds, or statistical methods. Generic boilerplate in prerequisites and 'when to use' sections wastes tokens without adding value.
Suggestions
Add executable code examples for each detection type (port scanning, C2 beaconing, exfiltration) with specific thresholds and statistical methods rather than abstract descriptions.
Add validation checkpoints to the workflow, e.g., verify template parsing succeeded, confirm baseline data is sufficient before anomaly detection, and validate output report structure.
Remove generic prerequisites and 'When to Use' bullets that Claude already knows (e.g., 'Familiarity with network security concepts', 'Appropriate authorization').
Either provide the referenced 'scripts/agent.py' as a bundle file or remove the reference and inline the core analysis logic.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The 'When to Use' and 'Prerequisites' sections contain generic filler that Claude already knows (e.g., 'Familiarity with network security concepts', 'Appropriate authorization for any testing activities'). The core instructions are reasonably concise but the surrounding boilerplate wastes tokens. | 2 / 3 |
| Actionability | The skill provides one concrete code example for parsing and a CLI command, but the detection logic (port scanning, C2 beaconing, exfiltration, volumetric anomalies) is described abstractly without executable code or specific thresholds. The reference to 'scripts/agent.py' is unsubstantiated with no bundle files provided. | 2 / 3 |
| Workflow Clarity | The steps are listed at a high level but lack validation checkpoints, error handling, or feedback loops. For a multi-step security analysis workflow involving data collection, parsing, baseline building, and anomaly detection, there are no verification steps, no guidance on what to do when parsing fails, and no criteria for what constitutes an anomaly threshold. | 1 / 3 |
| Progressive Disclosure | The content is organized into logical sections (When to Use, Prerequisites, Instructions, Examples), which provides some structure. However, there are no references to supporting files despite the description mentioning statistical analysis and baseline building, and the single code example is minimal. The referenced 'scripts/agent.py' doesn't exist in the bundle. | 2 / 3 |
| Total | | 7 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
0f429d0