analyzing-ransomware-leak-site-intelligence
Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence on group tactics, and assess sector-specific ransomware risk for proactive defense.
50
55%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-ransomware-leak-site-intelligence/SKILL.mdQuality
Discovery
67%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description is strong in specificity and distinctiveness, clearly carving out a niche around ransomware DLS monitoring with concrete actions. However, it lacks an explicit 'Use when...' clause which limits its completeness score, and could benefit from additional natural trigger terms that users might employ when requesting this type of analysis.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about ransomware group activity, dark web leak site monitoring, or wants to assess ransomware threats to specific sectors.'
Include additional natural trigger terms users might say, such as 'dark web monitoring', 'ransomware gangs', 'extortion groups', 'threat actor tracking', or 'leak site intelligence'.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'monitor and analyze ransomware group data leak sites', 'track victim postings', 'extract threat intelligence on group tactics', and 'assess sector-specific ransomware risk'. These are distinct, concrete capabilities. | 3 / 3 |
Completeness | Clearly answers 'what does this do' with specific actions, but lacks an explicit 'Use when...' clause or equivalent trigger guidance. The 'when' is only implied by the nature of the actions described, which caps this at 2 per the rubric guidelines. | 2 / 3 |
Trigger Term Quality | Includes relevant domain terms like 'ransomware', 'data leak sites', 'DLS', 'threat intelligence', 'victim postings', but misses common user variations like 'dark web monitoring', 'ransomware gangs', 'extortion groups', 'leak monitoring', or 'threat actor tracking' that users might naturally say. | 2 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche focused specifically on ransomware data leak site monitoring and analysis. The combination of 'DLS', 'victim postings', and 'ransomware group' tactics creates a very clear, narrow domain unlikely to conflict with other skills. | 3 / 3 |
Total | 10 / 12 Passed |
Implementation
42%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides genuinely actionable, executable Python code for ransomware leak site intelligence collection and analysis, which is its primary strength. However, it is significantly bloated with explanatory content Claude doesn't need (double extortion model, DLS intelligence value, safe collection practices), time-sensitive statistics, and generic 'When to Use' boilerplate. The monolithic structure with no progressive disclosure and missing inline validation steps weaken the overall quality.
Suggestions
Remove the 'Key Concepts' section entirely—Claude already understands double extortion, DLS intelligence value, and safe collection practices. Move any truly novel constraints (e.g., 'never directly access DLS sites') into a brief 'Constraints' bullet list.
Split the detailed code for each step into separate bundle files (e.g., collector.py, analysis.py, report.py) and keep SKILL.md as a concise overview with references to those files.
Add inline validation checkpoints: verify API response schema after Step 1, validate that parsed dates and group names are non-empty before proceeding to analysis, and check report output file exists after Step 5.
Remove the 'When to Use' section and the time-sensitive statistics in the Overview ('96 unique ransomware groups', '535 victims per month', 'H1 2025') to improve conciseness and avoid stale data.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is extremely verbose at ~300+ lines. The 'Key Concepts' section explains double extortion, DLS intelligence value, and safe collection practices—all concepts Claude already knows. The 'Overview' paragraph includes statistics ('96 unique ransomware groups', '535 victims per month') that are time-sensitive filler. The 'When to Use' section is generic boilerplate. Much of this could be cut by 50%+ without losing actionable content. | 1 / 3 |
Actionability | The code is fully executable Python with real API endpoints (ransomwatch GitHub raw URLs), concrete class structures, and copy-paste ready functions. Each step produces tangible output—data ingestion, trend analysis, risk assessment, group tracking, and report generation with specific file output. | 3 / 3 |
Workflow Clarity | The 5-step workflow is clearly sequenced and logically ordered, but lacks validation checkpoints between steps. There's no error recovery guidance—e.g., what to do if the ransomwatch API returns malformed data, if posts lack expected fields, or if the feed is unavailable. The 'Validation Criteria' section is a checklist of expected outcomes rather than inline verification steps. | 2 / 3 |
Progressive Disclosure | The entire skill is a monolithic wall of content with no bundle files and no references to separate detailed documents. All code, concepts, and the full report template are inline. The sector risk assessment, group tracking, and report generation could each be separate referenced files, keeping the SKILL.md as a concise overview. | 1 / 3 |
Total | 7 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
0f429d0
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.