
analyzing-web-server-logs-for-intrusion

Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal, web scanner fingerprints, and brute-force patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP enrichment for source attribution, and statistical anomaly detection for request frequency and response size outliers.

69

Quality: 62% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Advisory (Suggest reviewing before use)

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/analyzing-web-server-logs-for-intrusion/SKILL.md

Quality

Discovery: 82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong, technically detailed description that excels at specificity and distinctiveness, listing concrete attack types, log formats, and analysis techniques. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill over others. The trigger terms are naturally aligned with what security professionals would say.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to analyze web server logs for security threats, investigate suspicious HTTP traffic, or detect attack patterns in Apache or Nginx access logs.'

Dimension / Reasoning / Score

Specificity (3 / 3): Lists multiple specific concrete actions: parsing Apache/Nginx logs, detecting SQL injection, LFI, directory traversal, web scanner fingerprints, brute-force patterns, regex pattern matching against OWASP signatures, GeoIP enrichment, and statistical anomaly detection.

Completeness (2 / 3): The 'what' is thoroughly covered with specific capabilities and techniques, but there is no explicit 'Use when...' clause or equivalent trigger guidance telling Claude when to select this skill. Per rubric guidelines, a missing 'Use when' clause caps completeness at 2.

Trigger Term Quality (3 / 3): Excellent coverage of natural terms users would say: 'SQL injection', 'directory traversal', 'brute-force', 'Apache', 'Nginx', 'access logs', 'OWASP', 'GeoIP', 'web scanner'. These are terms security analysts would naturally use when requesting this kind of analysis.

Distinctiveness / Conflict Risk (3 / 3): Highly distinctive with a clear niche: web server access log security analysis. The combination of specific log formats (Apache/Nginx), specific attack types (SQLi, LFI, directory traversal), and specific techniques (OWASP signatures, GeoIP) makes it very unlikely to conflict with other skills.

Total: 11 / 12 (Passed)

Implementation: 42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides a reasonable high-level overview of web log intrusion analysis with useful detection categories and a CLI invocation example, but falls short on actionability: it lacks executable parsing code, concrete regex patterns, and output format specifications. The workflow has no validation checkpoints, which matter for security analysis, and the content organization is flat, with no progressive disclosure to supplementary materials.

Suggestions

Add executable Python code snippets for the core parsing and detection logic, including the actual regex patterns for SQLi, LFI, XSS detection rather than just listing keywords.

Include a validation step after parsing (e.g., verify parsed entry count matches log line count) and after detection (e.g., sample review of flagged entries to check for false positives).

Define the expected output format (JSON schema or example output) so Claude knows what the report should look like.

Extract detailed detection rule definitions and GeoIP setup instructions into referenced supplementary files (e.g., DETECTION_RULES.md, SETUP.md) and link from the main skill.

Dimension / Reasoning / Score

Conciseness (2 / 3): The 'When to Use' section is somewhat padded with generic SOC analyst scenarios that don't add actionable value. The prerequisites mention obvious things like 'familiarity with security operations concepts.' However, the core instructions are reasonably tight.

Actionability (2 / 3): Provides a CLI command and detection pattern signatures, but lacks executable code for the actual parsing/detection logic. The instructions describe what to do at a high level (parse, apply rules, enrich) without providing the actual Python implementation or regex patterns. The examples show log lines but not how to process them.

Workflow Clarity (2 / 3): Steps are listed in a logical sequence (install → collect → parse → detect → report), but there are no validation checkpoints. No guidance on what to do if parsing fails, if GeoIP lookup errors occur, or how to verify detection accuracy. For a security analysis workflow, missing validation/verification steps is a notable gap.

Progressive Disclosure (1 / 3): All content is in a single monolithic file with no references to external documentation. The script `scripts/agent.py` is referenced but never explained or linked. There's no separation of detection rule details, GeoIP setup, or output format into supplementary files, and no navigation structure for deeper content.

Total: 7 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
