Analyzes network traffic captures and flow data to identify adversary activity during security incidents, including command-and-control communications, lateral movement, data exfiltration, and exploitation attempts. Uses Wireshark, Zeek, and NetFlow analysis techniques. Activates for requests involving network traffic analysis, packet capture investigation, PCAP analysis, network forensics, C2 traffic detection, or exfiltration detection.
Impact: Pending. No eval scenarios have been run.
Advisory: Suggest reviewing before use.

Quality

Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines its scope (network traffic analysis for security incidents), lists specific capabilities and tools, and provides explicit activation triggers. It uses proper third-person voice throughout and includes both common and technical terms that security professionals would naturally use. The description is comprehensive yet concise, making it easy for Claude to select this skill appropriately.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: analyzing network traffic captures, identifying C2 communications, lateral movement, data exfiltration, exploitation attempts. Also names specific tools (Wireshark, Zeek, NetFlow). | 3 / 3 |
| Completeness | Clearly answers both 'what' (analyzes network traffic captures to identify adversary activity including C2, lateral movement, exfiltration) and 'when' (explicit 'Activates for requests involving...' clause with specific trigger scenarios). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms a user would say: 'network traffic analysis', 'packet capture investigation', 'PCAP analysis', 'network forensics', 'C2 traffic detection', 'exfiltration detection'. These are terms security analysts would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche focused on network traffic/packet capture analysis for security incidents. The specific mention of PCAP, Wireshark, Zeek, C2 traffic, and exfiltration detection clearly distinguishes it from general security skills or other forensics skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 64%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable network forensics skill with excellent concrete examples including real tcpdump commands, Zeek log parsing pipelines, and Wireshark filters. Its main weaknesses are verbosity from explaining concepts Claude already knows (glossary, tool descriptions), lack of validation/verification checkpoints in the workflow, and a monolithic structure that could benefit from progressive disclosure into sub-files.
Suggestions

- Remove the Key Concepts glossary table and Tools & Systems descriptions — Claude already knows what PCAP, Wireshark, Zeek, and DNS tunneling are. Keep only tool-specific configuration details or non-obvious usage patterns.
- Add explicit validation checkpoints: verify PCAP integrity (file size, time range coverage) after acquisition, confirm Zeek log completeness before analysis, and validate IOC extraction results against known-good baselines.
- Split the scenario, output format template, and protocol reference table into separate linked files (e.g., SCENARIOS.md, REPORT_TEMPLATE.md) to reduce the main skill's token footprint.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill includes some unnecessary content like the Key Concepts glossary table (Claude knows what PCAP, beaconing, DNS tunneling, and NetFlow are) and the Tools & Systems descriptions explaining what Wireshark and Zeek are. The core workflow sections are reasonably efficient, but the overall document could be tightened by ~30% without losing actionable content. | 2 / 3 |
| Actionability | The skill provides fully executable commands (tcpdump, zeek-cut pipelines, awk filters) and specific Wireshark display filters that are copy-paste ready. Each step includes concrete, real-world examples with specific IPs, ports, and protocols rather than abstract descriptions. | 3 / 3 |
| Workflow Clarity | The six-step workflow is clearly sequenced and covers the full investigation lifecycle. However, there are no explicit validation checkpoints or feedback loops — for example, no step to verify PCAP integrity after acquisition, no validation that filters are returning expected results, and no error recovery guidance if Zeek logs are incomplete or the PCAP is truncated. For forensic operations where evidence integrity matters, this is a notable gap. | 2 / 3 |
| Progressive Disclosure | The content is a monolithic document with no references to external files for detailed content. The Key Concepts table, Tools & Systems section, and the full scenario walkthrough could be split into separate reference files. The document is well-structured with clear headers, but at its length (~200+ lines), it would benefit from a concise overview pointing to detailed sub-documents. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation for skill structure: 10 / 11 Passed

| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |