analyzing-typosquatting-domains-with-dnstwist
Detect typosquatting, homograph phishing, and brand impersonation domains using dnstwist to generate domain permutations and identify registered lookalike domains targeting your organization.
72
66%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong description with excellent specificity and domain-relevant trigger terms that security professionals would naturally use. Its main weakness is the lack of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill. The description is concise, uses third person voice correctly, and occupies a very clear niche.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about domain squatting, phishing domain detection, brand protection, or wants to run dnstwist against a domain.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'detect typosquatting, homograph phishing, and brand impersonation domains', 'generate domain permutations', and 'identify registered lookalike domains'. These are clear, actionable capabilities. | 3 / 3 |
Completeness | The 'what' is well-covered (detect typosquatting, generate permutations, identify lookalike domains), but there is no explicit 'Use when...' clause or equivalent trigger guidance. The when is only implied through the description of capabilities. | 2 / 3 |
Trigger Term Quality | Excellent coverage of natural terms users would say: 'typosquatting', 'homograph phishing', 'brand impersonation', 'lookalike domains', 'dnstwist', 'domain permutations'. These are the exact terms a security professional would use when needing this skill. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche — domain security analysis using dnstwist is very specific and unlikely to conflict with other skills. The combination of typosquatting, homograph attacks, and the specific tool (dnstwist) creates a clear, unique identity. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
50%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable, executable Python code for a complete typosquatting detection workflow, which is its primary strength. However, it is significantly bloated with explanatory content Claude doesn't need (permutation technique descriptions, fuzzy hashing explanations, generic 'When to Use' bullets) and lacks integrated validation checkpoints between workflow steps. The entire skill could be cut to roughly half its size while preserving all actionable content.
Suggestions
Remove the 'Key Concepts' section entirely — Claude already understands DNS, fuzzy hashing, and domain permutation techniques. Move any truly novel configuration details into code comments.
Remove or drastically shorten the 'When to Use' section, which is generic and adds no actionable value.
Add explicit validation checkpoints between steps, e.g., verify dnstwist is installed and DNS is reachable before Step 1, validate JSON output structure before passing to Step 2's analysis.
Split the monitoring pipeline (Step 3) and export/takedown (Step 4) into separate referenced files to keep SKILL.md as a concise overview with the core scan-and-analyze workflow.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | Significant verbosity throughout. The 'Key Concepts' section explains DNS, fuzzy hashing, and permutation techniques that Claude already knows. The 'When to Use' section is generic filler. The overview paragraph restates what dnstwist does in excessive detail. The code examples are bloated with comments explaining obvious things. | 1 / 3 |
Actionability | The code is fully executable, copy-paste ready Python with concrete subprocess calls, JSON parsing, risk scoring logic, and file export. All four steps provide complete, runnable functions with realistic parameters and output handling. | 3 / 3 |
Workflow Clarity | The four steps are clearly sequenced (scan → analyze → monitor → export), but validation is only listed as a checklist at the end rather than integrated into the workflow. There are no explicit validation checkpoints between steps (e.g., verifying dnstwist output before analysis, checking DNS connectivity before scanning) and no error recovery feedback loops. | 2 / 3 |
Progressive Disclosure | The content is a monolithic wall with ~250 lines of inline code that could be split into separate reference files. The references section links to external resources but the skill itself doesn't split content across files. Key Concepts, the full monitoring pipeline, and the export/takedown code could all be separate files referenced from a leaner overview. | 2 / 3 |
Total | 8 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
888bbe4
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.