
analyzing-network-traffic-of-malware

Analyzes network traffic generated by malware during sandbox execution or live incident response to identify C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based malware detection.

Score: 85

Quality: 82% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Passed (No known issues)


Quality

Discovery: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly articulates specific capabilities (C2 identification, exfiltration detection, payload analysis, lateral movement detection), names concrete tools (Wireshark, Zeek, Suricata), and provides explicit activation triggers. It uses proper third-person voice throughout and carves out a distinct niche in malware network traffic analysis that would be easily distinguishable from related but different skills.

Dimension / Reasoning / Score

Specificity (3 / 3): Lists multiple specific concrete actions: 'identify C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns' using named tools (Wireshark, Zeek, Suricata). Also specifies contexts like 'sandbox execution or live incident response'.

Completeness (3 / 3): Clearly answers both 'what' (analyzes network traffic to identify C2 protocols, exfiltration, payloads, lateral movement using specific tools) and 'when' ('Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based malware detection').

Trigger Term Quality (3 / 3): Includes strong natural trigger terms users would say: 'malware network analysis', 'C2 traffic decoding', 'malware PCAP analysis', 'network-based malware detection', plus domain terms like 'Wireshark', 'Zeek', 'Suricata', 'data exfiltration', 'lateral movement'.

Distinctiveness / Conflict Risk (3 / 3): Occupies a very clear niche at the intersection of malware analysis and network traffic analysis, with distinct triggers like 'C2 traffic decoding' and 'malware PCAP analysis' that are unlikely to conflict with general networking or general malware skills.

Total: 12 / 12 (Passed)

Implementation: 64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a highly actionable skill with excellent executable examples covering the full malware network traffic analysis workflow. Its main weaknesses are verbosity (explaining concepts Claude knows, lengthy output template) and missing validation checkpoints in the workflow — particularly important given that signature generation and file extraction are operations where errors should be caught. The content would benefit from trimming explanatory sections and adding explicit verification steps.

Suggestions

Add validation checkpoints: verify Suricata rules compile with `suricata -T -S custom_malware.rules`, verify extracted file integrity with `file` command, and confirm Zeek log generation succeeded before proceeding.

Remove or drastically shorten the Key Concepts table and Tools & Systems section — Claude already knows what DNS tunneling, JA3, Wireshark, and Zeek are. Keep only project-specific configuration details.

Move the Common Scenarios section and Output Format template to separate referenced files (e.g., SCENARIOS.md, OUTPUT_FORMAT.md) to reduce the main skill's token footprint.

Add a feedback loop after Step 5 (signature generation): test generated rules against the original PCAP with Suricata to confirm they fire correctly before considering them complete.

Dimension / Reasoning / Score

Conciseness (2 / 3): The skill is fairly comprehensive but includes some unnecessary elements: the Key Concepts table defines terms Claude already knows (DNS tunneling, DGA, SNI), the Tools & Systems section explains what Wireshark and Zeek are, and the output format template is quite long. However, the core workflow commands are lean and useful.

Actionability (3 / 3): Excellent actionability throughout; every step includes fully executable bash commands and Python scripts that are copy-paste ready. The tshark commands have complete field specifications and display filters, the beacon detection Python script is complete and runnable, and the Suricata rule examples are syntactically correct and ready to deploy.

Workflow Clarity (2 / 3): The 6-step workflow is clearly sequenced and logically ordered from overview through DNS, HTTP, beaconing, signatures, and artifact extraction. However, there are no explicit validation checkpoints or feedback loops: for example, no step to verify extracted files aren't corrupted, no validation that Suricata rules compile correctly (suricata -T), and no error recovery guidance if tshark or Zeek commands fail.

Progressive Disclosure (2 / 3): The content is a monolithic document at ~250+ lines with no references to external files for advanced topics. The Key Concepts table, Tools & Systems section, Common Scenarios, and Output Format could be split into separate reference files. The structure within the file is good with clear headers, but everything is inline.

Total: 9 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys (Warning): Unknown frontmatter key(s) found; consider removing or moving to metadata

Total: 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
