analyzing-ransomware-leak-site-intelligence
Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence on group tactics, and assess sector-specific ransomware risk for proactive defense.
66
58%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-ransomware-leak-site-intelligence/SKILL.mdQuality
Discovery
67%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description is strong in specificity and distinctiveness, clearly carving out a niche around ransomware data leak site monitoring with concrete actions. However, it lacks an explicit 'Use when...' clause which caps completeness, and could benefit from additional natural trigger terms that users might employ when requesting this type of analysis.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about ransomware group activity, dark web leak monitoring, or threat intelligence on extortion groups.'
Include additional natural trigger terms users might say, such as 'dark web monitoring', 'ransomware gangs', 'extortion groups', 'leak site tracking', or 'threat actor intelligence'.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'monitor and analyze ransomware group data leak sites', 'track victim postings', 'extract threat intelligence on group tactics', and 'assess sector-specific ransomware risk for proactive defense'. | 3 / 3 |
Completeness | Clearly answers 'what does this do' with specific actions, but lacks an explicit 'Use when...' clause or equivalent trigger guidance. The 'when' is only implied by the nature of the actions described. | 2 / 3 |
Trigger Term Quality | Includes relevant domain terms like 'ransomware', 'data leak sites', 'DLS', 'threat intelligence', and 'victim postings', but misses common user variations like 'dark web monitoring', 'ransomware gangs', 'extortion groups', 'leak monitoring', or 'threat actor tracking' that users might naturally say. | 2 / 3 |
Distinctiveness Conflict Risk | Highly specific niche focusing on ransomware data leak site monitoring, which is unlikely to conflict with other skills. The combination of 'DLS', 'victim postings', and 'ransomware group' creates a very distinct trigger profile. | 3 / 3 |
Total | 10 / 12 Passed |
Implementation
50%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable, executable Python code for ransomware leak site intelligence analysis with a clear five-step workflow. However, it is significantly bloated with unnecessary background explanations (Key Concepts section, prerequisites listing basic knowledge), and the monolithic structure with all code inline makes it token-inefficient. Adding validation checkpoints between steps and splitting detailed code into referenced files would substantially improve quality.
Suggestions
Remove the 'Key Concepts' section entirely—Claude already understands double extortion, DLS intelligence value, and safe collection practices. Replace with a 1-2 line safety note if needed.
Add validation checkpoints between steps: verify API response data quality after Step 1, check for minimum data thresholds before analysis in Step 2, and validate report completeness before writing in Step 5.
Move the detailed Python class and analysis functions into a referenced file (e.g., ransomware_intel_collector.py) and keep only usage examples and key patterns in the SKILL.md body.
Trim the Prerequisites and 'When to Use' sections—these explain obvious context and add ~15 lines of low-value tokens.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is extremely verbose with extensive explanations of concepts Claude already knows (double extortion model, DLS intelligence value, safe collection practices). The 'Key Concepts' section is largely unnecessary background. The code blocks are lengthy with inline comments explaining obvious operations. The H1 2025 statistics and prerequisite explanations add tokens without actionable value. | 1 / 3 |
Actionability | The skill provides fully executable Python code across all five steps, with concrete API endpoints, working class definitions, and copy-paste ready functions. The code uses real public APIs (ransomwatch) and produces tangible outputs including a markdown intelligence report. | 3 / 3 |
Workflow Clarity | The five steps are clearly sequenced and logically ordered from data ingestion through report generation. However, there are no validation checkpoints between steps—no error handling for malformed API responses beyond basic status codes, no verification that data quality is sufficient before analysis, and no feedback loops for when feeds return incomplete data. | 2 / 3 |
Progressive Disclosure | The content is a monolithic wall of text with all code inline rather than appropriately split. The Key Concepts section, detailed code for each step, and the full report generation template could be separated into referenced files. References are listed at the end but the main body contains ~200+ lines of code that could benefit from being in separate modules. | 2 / 3 |
Total | 8 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
c15f73d
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.