Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal, web scanner fingerprints, and brute-force patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP enrichment for source attribution, and statistical anomaly detection for request frequency and response size outliers.
69
62%
Does it follow best practices?
Impact: Pending (no eval scenarios have been run)
Advisory: suggest reviewing before use
Quality

Discovery: 82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, technically detailed description that excels at specificity and distinctiveness, listing concrete attack types, log formats, and analysis techniques. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill over others. Adding trigger guidance would elevate this from a good to excellent description.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to analyze web server logs for security threats, investigate suspicious traffic, or detect attack patterns in Apache or Nginx access logs.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: parsing Apache/Nginx logs, detecting SQL injection, LFI, directory traversal, web scanner fingerprints, brute-force patterns, regex pattern matching against OWASP signatures, GeoIP enrichment, and statistical anomaly detection. | 3 / 3 |
| Completeness | The 'what' is thoroughly covered with specific capabilities and techniques, but there is no explicit 'Use when...' clause or equivalent trigger guidance telling Claude when to select this skill. Per rubric guidelines, this caps completeness at 2. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'SQL injection', 'directory traversal', 'brute-force', 'Apache', 'Nginx', 'access logs', 'web scanner', 'OWASP', 'GeoIP'. These cover a wide range of terms a security analyst would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche: web server access log security analysis. The combination of specific log formats (Apache/Nginx), specific attack types (SQLi, LFI, traversal), and specific techniques (OWASP signatures, GeoIP) makes it very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides a reasonable high-level framework for web log intrusion analysis with useful detection categories and example log lines, but falls short on actionability—it describes what to detect without providing executable parsing code or regex patterns. The workflow lacks validation steps critical for security analysis, and the content organization is flat with an unexplained reference to an external script.
Suggestions
Add executable Python code showing the actual regex-based detection logic (e.g., compiled patterns for SQLi, LFI, XSS) rather than just listing signature strings
Include validation checkpoints: verify log format parsing succeeded, confirm GeoIP database loaded, validate detection rule matches against known-good test entries before full analysis
Reference or link to the `scripts/agent.py` implementation and consider splitting detailed detection rule patterns into a separate PATTERNS.md file
Remove generic prerequisites like 'familiarity with security operations concepts' and the overly broad 'When to Use' bullets to improve conciseness
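An added example, not the skill's own `scripts/agent.py` and not code from this review, of the executable detection logic the description and the suggestions above call for: a combined-format log parser, a minimal hypothetical signature set for SQLi, traversal and LFI, a scanner User-Agent check, a per-IP brute-force count on 401/403 responses, and a parse-failure count as the validation checkpoint the review asks for. GeoIP enrichment and response-size statistics are left out; the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

LOG_RE = re.compile(  # Apache/Nginx "combined" format: ip ident user [time] "METHOD path PROTO" status bytes "ref" "ua"
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

RULES = {  # hypothetical minimal signature set, matched against the URL-decoded request path
    "sqli": re.compile(r"(?i)(\bunion\b.{0,20}\bselect\b|\bor\b\s+\d+\s*=\s*\d+|'\s*--|sleep\(\d+\))"),
    "traversal": re.compile(r"\.\.[/\\]"),
    "lfi": re.compile(r"(?i)(/etc/passwd|/proc/self/environ|php://|expect://)"),
}
SCANNER_UA = re.compile(r"(?i)(sqlmap|nikto|nmap|masscan|acunetix|nessus)")  # User-Agent fingerprints

def parse_line(line):
    """Return a field dict, or None when the line is not in combined format (a validation checkpoint)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = unquote(unquote(rec["path"]))  # decode twice to defeat double URL-encoding
    return rec

def classify(rec):
    """Return the names of every rule that fires on one parsed record."""
    hits = [name for name, pat in RULES.items() if pat.search(rec["decoded_path"])]
    if SCANNER_UA.search(rec["ua"]):
        hits.append("scanner_ua")
    return hits

def analyze(lines, bruteforce_threshold=5):
    """Classify each line; IPs with >= threshold 401/403 responses are also reported as brute-force."""
    findings, auth_failures, unparsed = [], Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # count parse failures instead of silently dropping them
            continue
        if rec["status"] in ("401", "403"):
            auth_failures[rec["ip"]] += 1
        findings += [(rec["ip"], rule, rec["path"]) for rule in classify(rec)]
    findings += [(ip, "bruteforce", f"{n} auth failures") for ip, n in auth_failures.items() if n >= bruteforce_threshold]
    return findings, unparsed

SAMPLE = [  # constructed sample lines, not real traffic
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?id=1%27%20UNION%20SELECT%201,2-- HTTP/1.1" 500 120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /download?f=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 90 "-" "sqlmap/1.7"',
] + [f'192.0.2.9 - - [10/Oct/2023:14:00:{i:02d} +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/8.0"' for i in range(5)]
```

Running `analyze(SAMPLE)` yields one SQLi finding, three findings (traversal, LFI, scanner UA) for the second client, and one brute-force finding for the five 401 responses; a non-zero `unparsed` count is the signal to check the log format before trusting the results.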
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The 'When to Use' section is somewhat padded with generic SOC analyst scenarios that don't add actionable value. The prerequisites mention obvious things like 'familiarity with security operations concepts.' However, the core instructions are reasonably tight. | 2 / 3 |
| Actionability | Provides a CLI command and detection pattern signatures, but lacks executable code for the actual parsing/detection logic. The instructions describe what to do at a high level (parse, apply rules, enrich) without providing the actual Python implementation or regex patterns. The examples show log lines but not how to process them. | 2 / 3 |
| Workflow Clarity | Steps are listed in a logical sequence (install → collect → parse → detect → report), but there are no validation checkpoints. No guidance on what to do if parsing fails, if GeoIP lookup errors occur, or how to verify detection accuracy. For a security analysis workflow, missing validation/verification steps is a notable gap. | 2 / 3 |
| Progressive Disclosure | Everything is in a single flat file with no references to external documentation. The script `scripts/agent.py` is referenced but never explained or linked. There's no separation between quick-start overview and detailed detection rule documentation, and no pointers to where one might find the actual implementation or extended pattern libraries. | 1 / 3 |
| Total | | 7 / 12 Passed |
Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |