analyzing-web-server-logs-for-intrusion

Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal, web scanner fingerprints, and brute-force patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP enrichment for source attribution, and statistical anomaly detection for request frequency and response size outliers.
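The pipeline that description outlines, as an added worked example written for this page (it is not the skill's own code and does not reproduce its rule set): parse combined-format lines, run the URL-decoded path and the user agent through regex signatures, count failed-authentication responses per source IP for brute force, and flag response-size outliers. Everything concrete here is an assumption made for the example: the combined log format, the signature list, the threshold of five 401/403 responses per IP, and the sample lines, which are constructed, not real traffic. GeoIP enrichment is omitted because it needs an external database.

```python
import json
import re
import statistics
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" LogFormat / Nginx default "combined" log_format
# (assumption: the logs under analysis use this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Illustrative signatures written for this example (not the skill's own rule set).
# Path rules run against the URL-decoded path so %27 or %2e%2e do not evade them.
PATH_SIGNATURES = {
    "sqli": re.compile(r"union\s+select|'\s*or\s+\S+\s*=\s*\S+|sleep\(\d+\)|information_schema", re.I),
    "lfi_traversal": re.compile(r"\.\./|\.\.\\|/etc/passwd|php://|boot\.ini", re.I),
}
UA_SIGNATURES = {"scanner_ua": re.compile(r"sqlmap|nikto|nmap|masscan|acunetix|dirbuster|wpscan", re.I)}
BRUTE_FORCE_THRESHOLD = 5     # 401/403 responses per source IP (assumed tuning value)
SIZE_OUTLIER_THRESHOLD = 3.5  # modified z-score cut-off (Iglewicz & Hoaglin)

def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["size"] = 0 if e["size"] == "-" else int(e["size"])
    e["decoded_path"] = unquote_plus(e["path"])
    return e

def signature_hits(e):
    """Names of the signatures that match one parsed entry."""
    hits = [n for n, rx in PATH_SIGNATURES.items() if rx.search(e["decoded_path"])]
    return hits + [n for n, rx in UA_SIGNATURES.items() if rx.search(e["ua"])]

def size_outliers(entries):
    """Entries whose response size is a robust outlier (median/MAD modified z-score)."""
    # Mean/stdev would be a poor choice: one huge response inflates the stdev so much
    # that a classic |z| > 3 rule cannot fire on it in a small sample; the MAD is not
    # dragged by the outlier, so the rule still works on a dozen lines.
    sizes = [e["size"] for e in entries]
    if len(sizes) < 3:
        return []
    med = statistics.median(sizes)
    mad = statistics.median([abs(s - med) for s in sizes])
    if mad == 0:  # more than half the sizes identical: no usable spread
        return []
    out = []
    for e in entries:
        mz = 0.6745 * (e["size"] - med) / mad
        if abs(mz) > SIZE_OUTLIER_THRESHOLD:
            out.append({"ip": e["ip"], "path": e["path"], "size": e["size"], "modified_z": round(mz, 1)})
    return out

def analyze(lines):
    """Parse raw lines and return a JSON-serialisable findings report."""
    entries, unparsed = [], 0
    for line in lines:
        e = parse_line(line)
        if e is None:
            unparsed += 1  # non-zero means the log-format assumption needs checking
        else:
            entries.append(e)
    findings, auth_failures = [], Counter()
    for e in entries:
        hits = signature_hits(e)
        if hits:
            findings.append({"ip": e["ip"], "path": e["path"], "ua": e["ua"], "rules": hits})
        if e["status"] in ("401", "403"):
            auth_failures[e["ip"]] += 1
    brute_force = [{"ip": ip, "failed_auth": n} for ip, n in auth_failures.items()
                   if n >= BRUTE_FORCE_THRESHOLD]
    return {"parsed": len(entries), "unparsed": unparsed, "signature_findings": findings,
            "brute_force": brute_force, "size_outliers": size_outliers(entries)}

# Constructed sample traffic (not real logs); the last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 4210 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /products?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:09 +0000] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 404 312 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2023:13:57:11 +0000] "GET /admin/ HTTP/1.1" 403 198 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
192.0.2.99 - - [10/Oct/2023:13:58:01 +0000] "POST /login HTTP/1.1" 401 1201 "-" "python-requests/2.31"
192.0.2.99 - - [10/Oct/2023:13:58:02 +0000] "POST /login HTTP/1.1" 401 1198 "-" "python-requests/2.31"
192.0.2.99 - - [10/Oct/2023:13:58:03 +0000] "POST /login HTTP/1.1" 401 1205 "-" "python-requests/2.31"
192.0.2.99 - - [10/Oct/2023:13:58:04 +0000] "POST /login HTTP/1.1" 401 1199 "-" "python-requests/2.31"
192.0.2.99 - - [10/Oct/2023:13:58:05 +0000] "POST /login HTTP/1.1" 401 1203 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:59:30 +0000] "GET /export/all-customers.csv HTTP/1.1" 200 48000000 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Oct/2023:13:59:45 +0000] "GET /contact HTTP/1.1" 200 3900 "-" "Mozilla/5.0 (X11; Linux x86_64)"
garbage line that is not in combined format
"""

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG.splitlines()), indent=2))
```

Running it on the constructed sample reports one parse failure, three signature findings (the SQL injection and traversal attempts from 198.51.100.23 and the sqlmap user agent from 192.0.2.55), one brute-force source (192.0.2.99 with five 401s) and one size outlier (the 48 MB CSV export). The returned dict is the JSON report shape; the unparsed counter is the format check, since a run where most lines fail to parse says more about the log format than about the traffic. Every signature hit still needs a human or a second rule to rule out false positives: a product search containing the literal words "union select" would match the SQLi rule just as the attack does.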

53

Quality: 60% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security (by Snyk): Advisory. Suggest reviewing before use.

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/analyzing-web-server-logs-for-intrusion/SKILL.md

Quality

Discovery

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong, highly specific description that clearly communicates concrete capabilities and uses domain-appropriate terminology that security professionals would naturally use. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill over others. The technical depth and specificity are excellent, making it very distinguishable from other skills.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to analyze web server logs for security threats, investigate suspicious traffic, detect attacks in access logs, or perform log-based threat hunting.'

Dimension (Score): Reasoning

Specificity (3 / 3): Lists multiple specific concrete actions: parsing Apache/Nginx logs, detecting SQL injection, LFI, directory traversal, scanner fingerprints and brute-force patterns, plus specific techniques such as regex pattern matching, GeoIP enrichment and statistical anomaly detection.

Completeness (2 / 3): The 'what' is thoroughly covered with specific capabilities and techniques, but there is no explicit 'Use when...' clause or equivalent trigger guidance telling Claude when to select this skill. Per rubric guidelines, this caps completeness at 2.

Trigger Term Quality (3 / 3): Excellent coverage of natural keywords users would say: 'SQL injection', 'directory traversal', 'brute-force', 'access logs', 'Apache', 'Nginx', 'OWASP', 'web scanner', 'GeoIP', 'anomaly detection'. These are terms security analysts would naturally use.

Distinctiveness / Conflict Risk (3 / 3): Highly distinctive niche combining web server log analysis with specific attack detection patterns. The combination of Apache/Nginx logs, OWASP signatures and specific attack types such as SQL injection and LFI makes it very unlikely to conflict with other skills.

Total: 11 / 12. Passed

Implementation

37%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides a reasonable overview of web log intrusion analysis with specific attack signatures and a CLI invocation, but falls short on actionability by not including executable parsing code and on workflow clarity by omitting validation steps and error handling. The detection patterns are concrete and useful, but the skill reads more like a checklist than an executable procedure.

Suggestions

Add executable Python code for log parsing and pattern matching rather than just describing the steps abstractly — at minimum show the regex patterns applied to parsed log entries.

Add validation checkpoints: verify log format before parsing, validate GeoIP database exists and is current, verify detection output with a known-malicious sample log entry, and include false-positive review guidance.

Include a concrete example of the expected output report structure (JSON schema or sample output) so Claude knows what the final deliverable looks like.

Either provide the referenced `scripts/agent.py` as a bundle file or remove the reference and inline the core logic.

Dimension (Score): Reasoning

Conciseness (2 / 3): The 'When to Use' section is somewhat padded with generic SOC analyst scenarios that don't add actionable value. The prerequisites mention 'familiarity with security operations concepts', which is unnecessary filler. However, the core instructions are reasonably tight.

Actionability (2 / 3): Provides specific detection patterns (regex signatures, thresholds) and a CLI command, but lacks executable parsing code. The instructions describe what to do at a high level (parse, apply rules, enrich) without providing the actual Python implementation. The examples show raw log lines but not how to process them programmatically.

Workflow Clarity (1 / 3): Steps are listed but lack validation checkpoints entirely. There is no guidance on what to do when detections fire (false-positive handling), no verification of GeoIP database validity, no feedback loop for tuning detection thresholds, and no validation of output report correctness. For a security analysis workflow involving pattern matching and anomaly detection, this is insufficient.

Progressive Disclosure (2 / 3): The content references a script `scripts/agent.py`, but no bundle files are provided, making the reference unverifiable. The skill is relatively short and doesn't need extensive splitting, but the detection rules section could benefit from a separate reference file for OWASP patterns. Organization is adequate but not well-signaled for deeper content.

Total: 7 / 12. Passed

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria (Result): Description

frontmatter_unknown_keys (Warning): Unknown frontmatter key(s) found; consider removing or moving to metadata.

Total: 10 / 11. Passed

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
