analyzing-network-flow-data-with-netflow
Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing patterns. Uses the Python netflow library to decode flow records, builds traffic baselines, and applies statistical analysis to identify flows with abnormal byte counts, connection durations, and periodic timing patterns.
67
60%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-network-flow-data-with-netflow/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, technically detailed description that excels at specificity and distinctiveness, listing concrete actions and domain-specific trigger terms that a network security professional would naturally use. Its main weakness is the lack of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill over others. Adding trigger guidance would elevate this from a good to excellent description.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about analyzing NetFlow/IPFIX data, investigating network anomalies, detecting port scans, identifying C2 beaconing, or examining flow records for suspicious traffic patterns.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: parse NetFlow v9/IPFIX records, detect volumetric anomalies, port scanning, data exfiltration, C2 beaconing, build traffic baselines, apply statistical analysis, identify abnormal byte counts/connection durations/periodic timing patterns. | 3 / 3 |
Completeness | The 'what' is thoroughly covered with specific capabilities and methods, but there is no explicit 'Use when...' clause or equivalent trigger guidance telling Claude when to select this skill. The absence of a 'when' clause caps this at 2 per the rubric guidelines. | 2 / 3 |
Trigger Term Quality | Includes strong natural keywords users would say: 'NetFlow', 'IPFIX', 'port scanning', 'data exfiltration', 'C2 beaconing', 'flow records', 'traffic baselines', 'volumetric anomalies'. These are terms a network security analyst would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive with a clear niche in NetFlow/IPFIX network traffic analysis. The specific protocols (NetFlow v9, IPFIX), library (Python netflow), and detection types (C2 beaconing, volumetric anomalies) make it very unlikely to conflict with other skills. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
37%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides a reasonable skeleton for NetFlow analysis but falls short on actionability and workflow clarity. The detection categories (port scanning, C2 beaconing, exfiltration, volumetric anomalies) are listed but lack concrete implementation—no thresholds, no statistical methods, no executable detection code. Generic boilerplate in prerequisites and 'when to use' sections wastes tokens without adding value.
Suggestions
Add executable Python code for each detection type (port scanning, beaconing, exfiltration) with specific thresholds and statistical methods rather than abstract descriptions.
Include validation checkpoints in the workflow: e.g., verify template parsing succeeded, confirm baseline calculation before anomaly detection, validate output report schema.
Remove generic prerequisites and 'When to Use' bullets that Claude already knows (authorization, familiarity with security concepts) to improve conciseness.
Either provide the 'scripts/agent.py' content or remove the reference; explain what the script does and what the output JSON schema looks like.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The 'When to Use' and 'Prerequisites' sections contain generic filler that Claude already knows (e.g., 'Familiarity with network security concepts', 'Appropriate authorization for any testing activities'). The core instructions are reasonably lean but the surrounding boilerplate wastes tokens. | 2 / 3 |
Actionability | There is one concrete code example for parsing and a CLI command, but the analysis steps (port scanning detection, C2 beaconing, exfiltration) are described abstractly without executable code, thresholds, or statistical methods. The reference to 'scripts/agent.py' is not explained or provided. | 2 / 3 |
Workflow Clarity | The multi-step process (collect → parse → analyze → report) lacks validation checkpoints, error handling, and feedback loops. There's no guidance on what to do if parsing fails, how to validate baselines, or how to verify detection accuracy. For a security analysis workflow involving statistical anomaly detection, this is insufficient. | 1 / 3 |
Progressive Disclosure | The content has some structure with sections (When to Use, Prerequisites, Instructions, Examples), but all content is inline with no references to deeper documentation. The description mentions baseline building and statistical analysis but these are not covered or linked to supplementary files. | 2 / 3 |
Total | 7 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
888bbe4
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.