analyzing-typosquatting-domains-with-dnstwist
Detect typosquatting, homograph phishing, and brand impersonation domains using dnstwist to generate domain permutations and identify registered lookalike domains targeting your organization.
72
66%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-typosquatting-domains-with-dnstwist/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong description with excellent specificity and domain-specific trigger terms that would help Claude accurately select this skill for DNS security and brand protection tasks. The main weakness is the lack of an explicit 'Use when...' clause, which caps the completeness score. Adding explicit trigger guidance would make this description near-perfect.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about domain squatting, phishing domain detection, brand protection, or wants to run dnstwist against a domain.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'detect typosquatting, homograph phishing, and brand impersonation domains', 'generate domain permutations', and 'identify registered lookalike domains'. These are clear, actionable capabilities. | 3 / 3 |
Completeness | The 'what' is well-covered (detect typosquatting, generate permutations, identify lookalike domains), but there is no explicit 'Use when...' clause or equivalent trigger guidance. The when is only implied through the description of capabilities. | 2 / 3 |
Trigger Term Quality | Excellent coverage of natural terms users would say: 'typosquatting', 'homograph phishing', 'brand impersonation', 'lookalike domains', 'dnstwist', 'domain permutations'. These are the exact terms a security professional would use when needing this skill. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche — domain security analysis using dnstwist is very specific and unlikely to conflict with other skills. The combination of typosquatting, homograph attacks, and brand impersonation creates a clear, unique scope. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
50%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable, executable Python code for a complete typosquatting detection pipeline, which is its primary strength. However, it is significantly verbose, explaining concepts Claude already knows (DNS, fuzzy hashing, permutation types) and including generic 'When to Use' boilerplate. The workflow lacks integrated validation checkpoints and error recovery, and the monolithic structure would benefit from splitting into overview + detailed reference files.
Suggestions
Remove the 'Key Concepts' and 'When to Use' sections entirely — Claude knows what DNS records, fuzzy hashing, and typosquatting are. This would cut ~30 lines of unnecessary context.
Add inline validation checkpoints: verify dnstwist is installed before running, check DNS connectivity, validate JSON output parsing, and add explicit error recovery steps (e.g., retry on timeout, handle partial results).
Split the monitoring pipeline (Step 3) and export functions (Step 4) into separate referenced files to improve progressive disclosure and reduce the main skill's token footprint.
Trim code comments that explain obvious operations (e.g., '# Only show registered domains' next to '--registered') to improve conciseness.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | Significant verbosity throughout. The 'Key Concepts' section explains DNS, fuzzy hashing, and permutation techniques that Claude already knows. The 'When to Use' section is generic filler. The overview paragraph restates what dnstwist does in excessive detail. The code examples are bloated with comments explaining obvious things. | 1 / 3 |
Actionability | The code is fully executable, copy-paste ready Python with concrete subprocess calls, JSON parsing, risk scoring logic, and export functions. Commands include specific flags and parameters. The entire pipeline from scan to blocklist export is implementable. | 3 / 3 |
Workflow Clarity | Steps are clearly sequenced (scan → analyze → monitor → export) but validation checkpoints are weak. The 'Validation Criteria' section is a passive checklist rather than integrated verification steps. There's no explicit 'verify DNS resolution is working before proceeding' or error recovery guidance when dnstwist fails or times out. | 2 / 3 |
Progressive Disclosure | Content is monolithic — all code is inline in a single file with no references to separate detailed guides. The Key Concepts section could be omitted or linked externally. References are listed but only as external links, not as structured internal documentation. The skill is over 200 lines and would benefit from splitting the monitoring pipeline and export logic into separate files. | 2 / 3 |
Total | 8 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
c15f73d
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.