
analyzing-network-flow-data-with-netflow

Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing patterns. Uses the Python netflow library to decode flow records, builds traffic baselines, and applies statistical analysis to identify flows with abnormal byte counts, connection durations, and periodic timing patterns.

53

Quality: 60% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security by Snyk: Passed (No known issues)

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/analyzing-network-flow-data-with-netflow/SKILL.md

Quality

Discovery: 82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong, highly specific description that clearly communicates concrete capabilities in a well-defined niche of network flow analysis and security anomaly detection. Its main weakness is the lack of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The technical depth and domain-specific terminology make it very distinctive.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about analyzing network flow data, investigating suspicious traffic patterns, or working with NetFlow/IPFIX captures.'

Dimension / Reasoning / Score

Specificity (3 / 3): Lists multiple specific concrete actions: parse NetFlow v9/IPFIX records, detect volumetric anomalies, port scanning, data exfiltration, C2 beaconing, build traffic baselines, apply statistical analysis, identify abnormal byte counts/connection durations/periodic timing patterns.

Completeness (2 / 3): The 'what' is thoroughly covered with specific capabilities and methods, but there is no explicit 'Use when...' clause or equivalent trigger guidance telling Claude when to select this skill. The absence of a 'when' clause caps this at 2 per the rubric guidelines.

Trigger Term Quality (3 / 3): Includes strong natural keywords users would say: 'NetFlow', 'IPFIX', 'port scanning', 'data exfiltration', 'C2 beaconing', 'flow records', 'traffic baselines', 'volumetric anomalies'. These are terms a network security analyst would naturally use.

Distinctiveness Conflict Risk (3 / 3): Highly distinctive niche combining NetFlow/IPFIX protocol parsing with specific network security anomaly detection patterns. Very unlikely to conflict with other skills given the specialized domain terminology like 'C2 beaconing', 'netflow library', and 'IPFIX'.

Total: 11 / 12 (Passed)

Implementation: 37%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides a reasonable skeleton for NetFlow analysis but falls short on actionability and workflow clarity. The detection categories (port scanning, exfiltration, beaconing) are described at a high level without concrete detection logic, thresholds, or statistical methods. The boilerplate sections waste tokens, and the absence of validation steps or feedback loops is a significant gap for a security analysis workflow.

Suggestions

Add executable code examples for each detection category (port scanning, beaconing, exfiltration) with concrete thresholds and statistical methods rather than abstract descriptions.

Include validation checkpoints after parsing (e.g., verify flow count, check for template errors) and after analysis (e.g., false positive filtering, confidence scoring).

Remove generic 'When to Use' and 'Prerequisites' boilerplate that Claude already knows, and use that space for the actual detection logic and baseline-building approach.

Either provide the referenced 'scripts/agent.py' as a bundle file or remove the reference and inline the key analysis logic.

Dimension / Reasoning / Score

Conciseness (2 / 3): The 'When to Use' and 'Prerequisites' sections contain generic filler that Claude already knows (e.g., 'Familiarity with network security concepts', 'Appropriate authorization for any testing activities'). The core instructions are reasonably concise, but the surrounding boilerplate wastes tokens.

Actionability (2 / 3): The skill provides some concrete guidance (pip install, collector command, a code example for parsing), but the analysis steps (port scanning, exfiltration, beaconing, volumetric anomalies) are described abstractly without executable detection logic. The reference to 'scripts/agent.py' is not provided or explained, and the code example is incomplete (e.g., 'raw_bytes' and 'templates' are undefined).

Workflow Clarity (1 / 3): The steps are listed but lack validation checkpoints, error handling, or feedback loops. For a multi-step security analysis workflow involving data collection, parsing, statistical analysis, and reporting, there are no verification steps (e.g., confirming data was parsed correctly, validating baseline calculations, checking for false positives). The workflow is vague on how to actually perform the analysis beyond listing categories.

Progressive Disclosure (2 / 3): The content is organized into sections (When to Use, Prerequisites, Instructions, Examples), which provides some structure. However, there are no bundle files or referenced documents for advanced topics like baseline building, statistical thresholds, or detection rule details. The description promises statistical analysis and baseline building, but the skill body doesn't deliver or reference where to find this information.

Total: 7 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata (Warning)

Total: 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
