Analyzes network traffic captures and flow data to identify adversary activity during security incidents, including command-and-control communications, lateral movement, data exfiltration, and exploitation attempts. Uses Wireshark, Zeek, and NetFlow analysis techniques. Activates for requests involving network traffic analysis, packet capture investigation, PCAP analysis, network forensics, C2 traffic detection, or exfiltration detection.
60
71%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Advisory
Suggest reviewing before use
Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/analyzing-network-traffic-for-incidents/SKILL.md`

Quality

Discovery
100% — Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines its scope (network traffic forensics for security incidents), lists specific capabilities and tools, and provides explicit activation triggers. It uses proper third-person voice throughout and covers both common and technical trigger terms that users in this domain would naturally use.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: analyzing network traffic captures, identifying C2 communications, lateral movement, data exfiltration, and exploitation attempts. Also names specific tools (Wireshark, Zeek, NetFlow). | 3 / 3 |
| Completeness | Clearly answers both 'what' (analyzes network traffic to identify adversary activity including C2, lateral movement, exfiltration) and 'when' (explicit 'Activates for requests involving...' clause with specific trigger scenarios). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'network traffic analysis', 'packet capture', 'PCAP analysis', 'network forensics', 'C2 traffic detection', 'exfiltration detection', plus domain-specific but commonly used terms like 'Wireshark', 'Zeek', and 'NetFlow'. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche focused specifically on network traffic/packet capture forensics during security incidents. The combination of PCAP, Wireshark, Zeek, C2 detection, and exfiltration creates a clear, non-overlapping domain that is unlikely to conflict with other security or general analysis skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
42% — Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill excels in actionability with concrete, executable commands for tcpdump, Zeek, and Wireshark that are directly usable in real incident response scenarios. However, it is significantly too verbose — explaining concepts Claude already knows, including a glossary table and tool descriptions that add no value, and inlining content that should be in separate reference files. The workflow is well-sequenced but lacks validation checkpoints appropriate for forensic analysis.
Suggestions
Remove the Key Concepts table and Tools & Systems section entirely — Claude already knows what PCAP, Wireshark, and Zeek are.
Move the Output Format template and Common Scenarios into separate bundle files (e.g., REPORT_TEMPLATE.md, SCENARIOS.md) and reference them from the main skill.
Add validation checkpoints to the workflow, such as 'Verify PCAP covers the full incident timeframe before proceeding' after Step 1, and 'Confirm beacon pattern with statistical analysis before reporting' after Step 2.
Trim the Prerequisites section to only non-obvious requirements — remove items like 'Wireshark installed' and 'display filters knowledge.'
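The two validation checkpoints suggested above (capture covers the incident window; beacon confirmed statistically rather than by eye) are the kind of check an analyst can script over Zeek output. The block below is an added example, not part of the reviewed skill or of Zeek: it takes a constructed conn.log excerpt in the column order produced by `zeek-cut ts id.orig_h id.resp_h id.resp_p orig_bytes`, groups connections per source/destination/port triple, and flags pairs whose inter-connection intervals are regular enough (low coefficient of variation) to be treated as a beacon candidate. The sample data, the thresholds (`min_conns`, `max_cv`), and the incident window are all assumptions made for the example.

```python
"""Validation checkpoints for Zeek conn.log review (added example, not the skill's own code)."""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed sample in zeek-cut order: ts, id.orig_h, id.resp_h, id.resp_p, orig_bytes.
# 10.0.0.5 contacts 203.0.113.7:443 every ~60 s with slight jitter (beacon-like);
# its traffic to 198.51.100.20:443 is irregular in timing and size (browsing-like).
SAMPLE_CONN_LOG = """\
1700000000.0\t10.0.0.5\t203.0.113.7\t443\t312
1700000004.1\t10.0.0.5\t198.51.100.20\t443\t9000
1700000059.8\t10.0.0.5\t203.0.113.7\t443\t318
1700000120.3\t10.0.0.5\t203.0.113.7\t443\t315
1700000131.0\t10.0.0.5\t198.51.100.20\t443\t4400
1700000180.1\t10.0.0.5\t203.0.113.7\t443\t320
1700000239.9\t10.0.0.5\t203.0.113.7\t443\t311
1700000300.2\t10.0.0.5\t203.0.113.7\t443\t316
1700000302.5\t10.0.0.5\t198.51.100.20\t443\t15000
1700000360.0\t10.0.0.5\t203.0.113.7\t443\t314
1700000419.7\t10.0.0.5\t203.0.113.7\t443\t317
1700000777.4\t10.0.0.5\t198.51.100.20\t443\t2300
"""


def parse_conn_log(text):
    """Parse tab-separated zeek-cut output into (ts, orig_h, resp_h, resp_p, orig_bytes) tuples."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):  # skip Zeek header/comment lines
            continue
        ts, orig_h, resp_h, resp_p, orig_bytes = line.split("\t")
        rows.append((float(ts), orig_h, resp_h, int(resp_p), int(orig_bytes)))
    return rows


def coverage_check(rows, incident_start, incident_end):
    """Checkpoint 1: does the capture span the incident window?

    Returns (covered, first_ts, last_ts) so the analyst can see how much is missing.
    """
    first = min(r[0] for r in rows)
    last = max(r[0] for r in rows)
    return (first <= incident_start and last >= incident_end, first, last)


def beacon_candidates(rows, min_conns=6, max_cv=0.2):
    """Checkpoint 2: confirm beaconing with interval statistics, not a single glance.

    For each (orig_h, resp_h, resp_p) with at least min_conns connections, compute the
    coefficient of variation (stdev / mean) of the inter-connection intervals. Regular
    beacons, even with jitter, have a low CV; human-driven traffic does not.
    Thresholds are assumed values for this example and should be tuned per environment.
    """
    stamps_by_pair = defaultdict(list)
    for ts, orig_h, resp_h, resp_p, _ in rows:
        stamps_by_pair[(orig_h, resp_h, resp_p)].append(ts)

    findings = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        intervals = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        cv = pstdev(intervals) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            findings[pair] = {
                "connections": len(stamps),
                "median_interval_s": median(intervals),
                "cv": round(cv, 3),
            }
    return findings


if __name__ == "__main__":
    rows = parse_conn_log(SAMPLE_CONN_LOG)
    covered, first, last = coverage_check(rows, 1700000000, 1700000500)
    print(f"capture covers incident window: {covered} ({first} .. {last})")
    for pair, stats in beacon_candidates(rows).items():
        print(f"beacon candidate {pair}: {stats}")
```

In practice the input would be `zeek-cut ts id.orig_h id.resp_h id.resp_p orig_bytes < conn.log` piped into the script, and a flagged pair is a candidate to confirm against the full capture (payload sizes, TLS fingerprints, destination reputation), not a conclusion by itself. A pair that is not flagged should prompt the "broaden the filter and retry" loop the review asks for, since longer or randomized sleep intervals push the CV above any fixed threshold.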
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is excessively verbose at ~250+ lines. The Key Concepts table defines terms Claude already knows (PCAP, DNS Tunneling, NetFlow). The Tools & Systems section explains what Wireshark and Zeek are, which is unnecessary. The Prerequisites section lists obvious requirements. Much of this content could be cut by 40-50% without losing actionable value. | 1 / 3 |
| Actionability | The skill provides fully executable commands throughout: real tcpdump commands, Zeek log parsing with zeek-cut and awk, specific Wireshark display filters, and concrete bash pipelines. The commands are copy-paste ready with realistic IPs and parameters, and the scenario walkthrough gives a concrete step-by-step approach. | 3 / 3 |
| Workflow Clarity | The 6-step workflow is clearly sequenced and logically ordered from capture through documentation. However, there are no explicit validation checkpoints or feedback loops: no step says 'verify your capture is complete before proceeding' or 'if no beaconing is found, broaden your filter and retry.' For an investigation workflow where missing data or wrong filters could lead to incorrect conclusions, this is a gap. | 2 / 3 |
| Progressive Disclosure | The content is a monolithic wall of text with no references to external files and no bundle files. The Key Concepts table, Tools & Systems section, Common Scenarios, and detailed Output Format template could all be split into separate reference files. Everything is inline, making the skill unnecessarily long for the main SKILL.md. | 1 / 3 |
| Total | | 7 / 12 Passed |
Validation
90% — Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |