analyzing-tls-certificate-transparency-logs
Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing domains, unauthorized certificate issuance, and shadow IT. Monitors newly issued certificates for typosquatting and brand impersonation using Levenshtein distance. Use for proactive phishing domain detection and certificate monitoring.
54
61%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-tls-certificate-transparency-logs/SKILL.mdQuality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly articulates specific capabilities (CT log querying, phishing detection, typosquatting monitoring), names concrete tools (crt.sh, pycrtsh, Levenshtein distance), and includes an explicit 'Use for' trigger clause. It uses proper third-person voice throughout and occupies a very distinct niche that would be easy to disambiguate from other skills.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: querying Certificate Transparency logs via crt.sh and pycrtsh, detecting phishing domains, detecting unauthorized certificate issuance, detecting shadow IT, monitoring for typosquatting and brand impersonation using Levenshtein distance. | 3 / 3 |
Completeness | Clearly answers both 'what' (queries CT logs, detects phishing domains, monitors certificates for typosquatting using Levenshtein distance) and 'when' ('Use for proactive phishing domain detection and certificate monitoring'). | 3 / 3 |
Trigger Term Quality | Includes strong natural keywords users would say: 'Certificate Transparency', 'crt.sh', 'pycrtsh', 'phishing domains', 'typosquatting', 'brand impersonation', 'certificate monitoring', 'shadow IT', 'Levenshtein distance'. These are terms a security professional would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche combining Certificate Transparency logs, crt.sh, phishing domain detection, and typosquatting analysis. Very unlikely to conflict with other skills due to the specific security domain and tooling mentioned. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
22%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a basic starting point for querying crt.sh but fails to deliver on its core promises of typosquatting detection via Levenshtein distance, CA validation, and phishing infrastructure cross-referencing. The content is padded with generic boilerplate while lacking the concrete implementations that would make it truly actionable. The workflow is incomplete, with most analysis steps described abstractly rather than with executable code.
Suggestions
Remove the generic 'When to Use' and 'Prerequisites' sections entirely—they add no value for Claude. Replace with a single-line purpose statement.
Add executable code for Levenshtein distance-based typosquatting detection, which is the skill's primary differentiator (e.g., using python-Levenshtein or difflib to compare discovered domains against the target brand).
Implement concrete code for steps 2-5: CA validation logic, wildcard certificate flagging, and a structured output format for findings.
Add a validation/verification step—e.g., checking whether flagged domains resolve, checking WHOIS data, or outputting a structured report with confidence scores.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The 'When to Use' and 'Prerequisites' sections are padded with generic boilerplate that Claude already knows (e.g., 'Familiarity with security operations concepts', 'Access to a test or lab environment'). The description repeats itself between the intro and the instructions. Much of this content adds no value. | 1 / 3 |
Actionability | The code examples are real and executable using pycrtsh, but key details are missing: there's no code for the Levenshtein distance comparison (a core claimed feature), no concrete example of flagging unexpected CAs, and the 'Key analysis steps' 2-5 are described abstractly without executable implementations. | 2 / 3 |
Workflow Clarity | The 5 'key analysis steps' are listed but only step 1 has any concrete implementation. Steps 2-5 are vague descriptions with no code, no validation checkpoints, and no feedback loops. There's no guidance on what to do when suspicious certificates are found or how to verify findings. | 1 / 3 |
Progressive Disclosure | The content is organized into reasonable sections (When to Use, Prerequisites, Instructions, Examples), but there are no bundle files or references to deeper materials. The skill is short enough that this isn't a major issue, but the inline content could be better organized—e.g., the examples section just repeats a slight variation of the instructions code. | 2 / 3 |
Total | 6 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
0f429d0
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.