CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-ransomware-network-indicators

Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration flows, and encryption key exchange via Zeek conn.log and NetFlow analysis

57

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is concise and well-structured, but it stops at describing steps rather than giving executable guidance, omits validation/feedback loops for a batch analysis workflow, and fails to reference the available reference and script bundle files.

Suggestions

Reference the executable tooling, e.g. 'Run scripts/agent.py --input conn.log --format zeek' in the Steps section so guidance is copy-paste ready.

Add validation checkpoints such as confirming parsed connection count and verifying the TOR exit list was fetched before relying on results.

Link to references/api-reference.md for Zeek field definitions, beaconing thresholds, and the MITRE mapping table.

DimensionReasoningScore

Conciseness

The ~35-line body is lean and well-organized with no padding or explanation of concepts Claude already knows, matching the lean-and-efficient anchor where every token earns its place.

3 / 3

Actionability

Steps name concrete algorithms (interval CV, byte ratios, TOR cross-reference) but the body contains no executable code or commands; the actual executable script in scripts/agent.py is never referenced, leaving guidance incomplete rather than copy-paste ready.

2 / 3

Workflow Clarity

The seven steps are clearly sequenced, but this batch log-analysis workflow has no validation checkpoints or feedback loops (e.g., confirm connection count parsed, verify TOR list fetched, handle empty results), which per the scoring notes caps workflow clarity at 2.

2 / 3

Progressive Disclosure

Sections are well-organized, but the existing bundle files references/api-reference.md and scripts/agent.py are never referenced or signaled in the body, so the actual bundle structure is not navigable from the overview, capping this below 3.

2 / 3

Total

9

/

12

Passed

Description

67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific and distinctive, naming concrete detection actions and tooling, but it omits any explicit 'Use when...' trigger clause and relies on technical jargon over broadly natural terms, capping completeness and trigger quality.

Suggestions

Add an explicit trigger clause, e.g. 'Use when investigating ransomware network activity, hunting C2 beaconing, or analyzing Zeek/NetFlow logs for exfiltration.'

Broaden trigger terms with natural variations like 'network traffic analysis', 'find beacons', or 'detect data exfiltration' beyond pure SOC jargon.

DimensionReasoningScore

Specificity

Lists multiple specific concrete actions — "C2 beaconing patterns", "TOR exit node connections", "data exfiltration flows", and "encryption key exchange" — tied to specific tooling (Zeek conn.log, NetFlow), matching the multiple-specific-actions anchor rather than the partial score-2 anchor.

3 / 3

Completeness

It clearly answers "what" (detect ransomware network indicators) but provides no explicit "Use when..." trigger guidance, which per the judging guidelines caps completeness at 2.

2 / 3

Trigger Term Quality

Relevant technical keywords (ransomware, C2 beaconing, TOR, Zeek, NetFlow) are present but are SOC/forensics jargon lacking common natural variations a broad user base would say, so it sits at the some-relevant-keywords anchor rather than full coverage.

2 / 3

Distinctiveness Conflict Risk

The ransomware-network-indicators niche with Zeek/NetFlow-specific triggers is clearly distinguishable and unlikely to fire for unrelated skills, matching the clear-niche anchor.

3 / 3

Total

10

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.