CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-network-flow-data-with-netflow

Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing patterns. Uses the Python netflow library to decode flow records, builds traffic baselines, and applies statistical analysis to identify flows with abnormal byte counts, connection durations, and periodic timing patterns.

62

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

An actionable, reasonably concise skill body with real commands and code, but it lacks validation checkpoints in its workflow and fails to signpost the bundled API-reference file. Tightening the generic boilerplate and linking the reference would raise it.

Suggestions

Add an explicit validation/verification step before report generation, e.g. sanity-check flow counts and confirm templates persisted across packets, with a re-parse loop on failure.

Link the bundled reference from the body, e.g. "For field types and detection thresholds, see [references/api-reference.md](references/api-reference.md)."

Tighten the generic "When to Use" and "Prerequisites" bullets to remove title repetition and boilerplate not specific to NetFlow analysis.

DimensionReasoningScore

Conciseness

The body is mostly lean with no explaining of concepts Claude already knows, but the "When to Use" bullets repeat the title verbatim and the "Prerequisites" section is generic boilerplate ("Familiarity with network security concepts", "Access to a test or lab environment") that could be tightened. Not a 3 because of this padded templated material; not a 1 because core instructions are efficient.

2 / 3

Actionability

Provides executable, copy-paste-ready commands (`pip install netflow`, `python -m netflow.collector -p 9995`, `python scripts/agent.py --flow-file captured_flows.json --output netflow_report.json`) and a runnable `netflow.parse_packet()` code example. Not the level below because the guidance is concrete and complete, not pseudocode.

3 / 3

Workflow Clarity

A clear numbered sequence (install → collect → parse → analyze → report) is present, but there is no validation or verification checkpoint before reporting, and the batch detection step has no error-feedback loop. The rubric caps batch-operation workflows at 2 when validation is missing; not a 1 because the sequence itself is explicit.

2 / 3

Progressive Disclosure

`scripts/agent.py` is referenced via the report command, but the bundled `references/api-reference.md` (which contains field-type and detection-threshold detail) is never signaled or linked from the body, so one reference is not navigable. Not a 3 because the API reference is not clearly pointed to; not a 1 because the body is organized into sections rather than a monolithic wall.

2 / 3

Total

9

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A specific, well-targeted description with strong concrete actions and natural domain trigger terms. Its main weakness is the absence of an explicit "Use when..." trigger clause, which leaves the "when to use" guidance implied rather than stated.

Suggestions

Append an explicit trigger clause, e.g. "Use when analyzing NetFlow/IPFIX exports, hunting for port scans, data exfiltration, or C2 beaconing, or building network-flow detection rules."

DimensionReasoningScore

Specificity

Lists multiple concrete actions — "Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing", "builds traffic baselines", and "applies statistical analysis to identify flows with abnormal byte counts, connection durations, and periodic timing patterns" — rather than vague language.

3 / 3

Completeness

It clearly answers "what" (parse, detect, baseline, analyze) but provides no "Use when..." clause or equivalent explicit trigger guidance, which the rubric caps at 2. Not a 3 because "when" is only implied, and not a 1 because the "what" is comprehensive.

2 / 3

Trigger Term Quality

Natural domain keywords a SOC analyst would actually say are well covered: "NetFlow", "IPFIX", "port scanning", "data exfiltration", "C2 beaconing", and "volumetric anomalies". Not the level below because the term coverage is broad and domain-appropriate, not just one or two keywords.

3 / 3

Distinctiveness Conflict Risk

The NetFlow v9/IPFIX flow-analysis niche with named attack patterns (port scanning, exfiltration, C2 beaconing) is clearly distinguishable and unlikely to trigger for the wrong skill. Not the level below because the triggers are specific, not generic.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.