
analyzing-network-traffic-of-malware

Analyzes network traffic generated by malware during sandbox execution or live incident response to identify C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns using Wireshark, Zeek, and Suricata. Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based malware detection.

65

Quality

78%

Does it follow best practices?

Impact

No eval scenarios have been run

Security by Snyk

Passed

No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/analyzing-network-traffic-of-malware/SKILL.md

Quality

Discovery

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly articulates specific capabilities (identifying C2 protocols, exfiltration channels, payload downloads, lateral movement), names concrete tools (Wireshark, Zeek, Suricata), and provides explicit activation triggers. It uses proper third-person voice throughout and occupies a well-defined niche that minimizes conflict with other skills.

Dimension | Reasoning | Score
--- | --- | ---
Specificity | Lists multiple specific concrete actions: 'identify C2 protocols, data exfiltration channels, payload downloads, and lateral movement patterns' and names specific tools (Wireshark, Zeek, Suricata) along with contexts (sandbox execution, live incident response). | 3 / 3
Completeness | Clearly answers both 'what' (analyzes network traffic to identify C2 protocols, exfiltration, payloads, lateral movement using specific tools) and 'when' ('Activates for requests involving malware network analysis, C2 traffic decoding, malware PCAP analysis, or network-based malware detection'). | 3 / 3
Trigger Term Quality | Includes strong natural keywords users would say: 'malware network analysis', 'C2 traffic decoding', 'malware PCAP analysis', 'network-based malware detection', plus domain terms like 'Wireshark', 'Zeek', 'Suricata', 'C2 protocols', 'data exfiltration', 'lateral movement'. | 3 / 3
Distinctiveness / Conflict Risk | Occupies a very clear niche at the intersection of malware analysis and network traffic analysis, with distinct triggers like 'C2 traffic decoding' and 'malware PCAP analysis' that are unlikely to conflict with general networking or general malware skills. | 3 / 3

Total: 12 / 12 (Passed)

Implementation

57%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill excels in actionability with fully executable commands and scripts throughout, making it highly practical for malware network traffic analysis. However, it suffers from being a monolithic document that could benefit significantly from splitting reference material (glossary, tool descriptions, output templates) into separate files. The workflow is logically sequenced but lacks explicit validation checkpoints between steps, which is important for forensic analysis workflows where errors compound.

Suggestions

Split the Key Concepts table, Tools & Systems section, and Output Format template into separate referenced files (e.g., GLOSSARY.md, OUTPUT_FORMAT.md) to reduce the main skill's token footprint

Remove the Tools & Systems descriptions entirely—Claude knows what Wireshark and Zeek are—or reduce to a one-line version list for version-specific behavior

Add explicit validation checkpoints between steps, e.g., 'Verify DNS analysis identified C2 domains before proceeding to HTTP analysis' and 'Validate Suricata rules by running them against the PCAP and confirming expected alerts fire'

Remove the Key Concepts glossary definitions for terms like DNS Tunneling and DGA that Claude already understands; keep only project-specific thresholds and parameters (e.g., entropy > 3.5, jitter < 30%)

Dimension | Reasoning | Score
--- | --- | ---
Conciseness | The skill is fairly comprehensive but includes some unnecessary content. The 'Key Concepts' glossary table and 'Tools & Systems' section explain things Claude already knows (e.g., what Wireshark is, what DNS tunneling means). The output format template is useful but lengthy. The prerequisites section listing tool descriptions adds marginal value. However, the core workflow steps are reasonably efficient. | 2 / 3
Actionability | Excellent actionability throughout. Every workflow step includes fully executable bash commands and Python scripts that are copy-paste ready. The tshark commands have complete field specifications and display filters. The beacon detection Python script is complete and runnable. The Suricata rule examples are syntactically correct and ready to deploy. The DGA entropy detection script is a complete, executable program. | 3 / 3
Workflow Clarity | The six steps follow a logical sequence from initial overview through DNS analysis, HTTP/C2 analysis, beacon detection, signature generation, and artifact extraction. However, there are no explicit validation checkpoints or feedback loops between steps. For a workflow involving potentially destructive operations (running Suricata, extracting files) and complex multi-step analysis, there should be verification steps (e.g., 'verify extracted files are safe before analysis', 'validate Suricata rules against the PCAP before deployment'). The scenario section mentions pitfalls but doesn't integrate them as checkpoints. | 2 / 3
Progressive Disclosure | This is a monolithic document with no references to external files despite being quite long (~250+ lines of content). The Key Concepts table, Tools & Systems section, Common Scenarios, and Output Format template could all be split into separate referenced files. There are no bundle files to support progressive disclosure. Everything is inline, making this a wall of text that consumes significant context window. | 1 / 3

Total: 8 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria | Description | Result
--- | --- | ---
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning

Total: 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
