analyzing-ransomware-leak-site-intelligence
Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence on group tactics, and assess sector-specific ransomware risk for proactive defense.
50
55%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-ransomware-leak-site-intelligence/SKILL.mdQuality
Discovery
67%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description is strong in specificity and distinctiveness, clearly carving out a niche around ransomware data leak site monitoring with concrete actions. However, it lacks an explicit 'Use when...' clause which caps completeness, and could benefit from additional natural trigger terms that users might employ when requesting this type of analysis.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about ransomware group activity, dark web leak monitoring, victim tracking, or ransomware threat intelligence.'
Include additional natural trigger terms users might say, such as 'dark web monitoring', 'ransomware gangs', 'extortion groups', 'leak site tracking', or 'threat actor analysis'.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'monitor and analyze ransomware group data leak sites', 'track victim postings', 'extract threat intelligence on group tactics', and 'assess sector-specific ransomware risk'. These are distinct, concrete capabilities. | 3 / 3 |
Completeness | Clearly answers 'what does this do' with specific actions, but lacks an explicit 'Use when...' clause or equivalent trigger guidance. The purpose ('for proactive defense') is stated but doesn't specify when Claude should select this skill. | 2 / 3 |
Trigger Term Quality | Includes relevant domain terms like 'ransomware', 'data leak sites', 'DLS', 'threat intelligence', 'victim postings', but misses common user variations like 'dark web monitoring', 'ransomware gangs', 'extortion groups', 'leak monitoring', or 'threat actor tracking' that users might naturally say. | 2 / 3 |
Distinctiveness Conflict Risk | Highly specific niche focused on ransomware data leak site monitoring. The combination of 'DLS', 'victim postings', and 'ransomware group' analysis is very distinctive and unlikely to conflict with general threat intelligence or cybersecurity skills. | 3 / 3 |
Total | 10 / 12 Passed |
Implementation
42%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable, executable Python code for ransomware leak site intelligence collection and analysis, which is its primary strength. However, it is significantly over-verbose with unnecessary background explanations (double extortion model, DLS intelligence value) that Claude already understands, and it presents everything as a monolithic document without progressive disclosure. The workflow lacks inline validation checkpoints between steps, which is important for data pipeline operations where upstream failures can silently corrupt downstream analysis.
Suggestions
Remove or drastically condense the 'Key Concepts' section—Claude already understands double extortion, DLS value, and safe collection practices. A single sentence on safe collection constraints is sufficient.
Add inline validation between steps: after Step 1, verify data was loaded and contains expected fields; after Step 3, validate that sector/country fields exist before proceeding to risk scoring.
Split the large code blocks into separate bundle files (e.g., collector.py, analysis.py, report.py) and reference them from SKILL.md with brief descriptions of each module's purpose.
Remove the generic 'When to Use' section and the statistics in the Overview paragraph—these consume tokens without adding actionable guidance.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is extremely verbose at ~250+ lines. The 'Key Concepts' section explains double extortion, DLS intelligence value, and safe collection practices—all concepts Claude already knows. The 'Overview' paragraph includes statistics ('96 unique ransomware groups', '535 victims per month') that add bulk without aiding execution. The 'When to Use' section is generic boilerplate. Much of this could be cut by 50%+ without losing actionable content. | 1 / 3 |
Actionability | The skill provides fully executable Python code across all five steps, with real API endpoints (ransomwatch), concrete data structures, and copy-paste ready functions. The code is complete with imports, class definitions, and function calls that would run as-is given the prerequisites. | 3 / 3 |
Workflow Clarity | The five steps are clearly sequenced (ingest → analyze → assess risk → track new groups → generate report), but there are no validation checkpoints or error recovery loops between steps. If data ingestion fails or returns malformed data, there's no guidance on how to detect and handle that before proceeding. The 'Validation Criteria' section is a post-hoc checklist rather than inline verification steps. | 2 / 3 |
Progressive Disclosure | The content is a monolithic wall of text with all code inline. There are no bundle files, yet the skill is long enough that separating the collector class, analysis functions, and report generation into referenced files would significantly improve navigability. The References section links to external sites but doesn't organize the skill's own content for progressive discovery. | 1 / 3 |
Total | 7 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
0445030
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.