auditing-tls-certificate-transparency-logs

Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance, discover subdomains via CT data, and alert on suspicious certificate activity for owned domains. Uses the crt.sh API and direct CT log querying based on RFC 6962 to build continuous monitoring pipelines that catch rogue certificates, track CA behavior, and map the external attack surface. Activates for requests involving certificate transparency monitoring, CT log auditing, subdomain discovery via certificates, or certificate issuance alerting.

64

Quality: 56% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Advisory (Suggest reviewing before use)

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/auditing-tls-certificate-transparency-logs/SKILL.md

Quality

Discovery

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly defines a specific security niche (Certificate Transparency monitoring), lists concrete actions and tools (crt.sh API, RFC 6962), and includes an explicit activation clause with natural trigger terms. It is well-structured, uses third-person voice throughout, and would be easily distinguishable from other skills in a large skill library.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Lists multiple specific concrete actions: monitoring CT logs, detecting unauthorized certificate issuance, discovering subdomains via CT data, alerting on suspicious certificate activity, querying crt.sh API, direct CT log querying based on RFC 6962, building continuous monitoring pipelines, tracking CA behavior, and mapping external attack surface. | 3 / 3 |
| Completeness | Clearly answers both 'what' (monitors CT logs, detects unauthorized certs, discovers subdomains, alerts on suspicious activity) and 'when' with an explicit trigger clause: 'Activates for requests involving certificate transparency monitoring, CT log auditing, subdomain discovery via certificates, or certificate issuance alerting.' | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'certificate transparency', 'CT logs', 'subdomain discovery', 'certificate issuance', 'crt.sh', 'CT log auditing', 'rogue certificates', 'attack surface'. These cover the domain well and match how security professionals would phrase requests. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive niche focused specifically on Certificate Transparency logs and related monitoring. The specific mentions of CT logs, crt.sh, RFC 6962, and certificate issuance alerting make it very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 |

Passed

Implementation

12%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill reads more like a comprehensive wiki article or training document on CT log monitoring than an actionable skill for Claude. Its greatest weakness is the complete absence of executable code despite listing Python libraries as prerequisites — every step is described in prose rather than demonstrated with concrete implementations. The content is also far too verbose, explaining fundamental concepts Claude already understands, and fails to use progressive disclosure to manage its considerable length.

Suggestions

Add concrete, executable Python code for each workflow step — at minimum: a crt.sh API query function, SQLite baseline storage, certificate parsing with the cryptography library, and an alerting function with webhook/SMTP delivery.

Remove the 'Key Concepts' table entirely — Claude knows what Merkle trees, CT, SCTs, and precertificates are. If needed, keep only project-specific definitions.

Split the scenarios, tools list, and output format into separate referenced files (e.g., SCENARIOS.md, TOOLS.md) and keep SKILL.md as a concise overview with quick-start code.

Add explicit validation checkpoints in the workflow, such as verifying API responses return expected JSON structure, confirming baseline database row counts, and testing alert delivery before relying on the pipeline.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The skill is extremely verbose at ~250+ lines, explaining concepts Claude already knows (X.509 structure, Merkle trees, what CT is, what subdomain takeover means). The 'Key Concepts' table is entirely unnecessary background knowledge. The scenarios, while illustrative, are padded with obvious details. Much of this could be cut by 60%+ without losing actionable content. | 1 / 3 |
| Actionability | Despite the length, there is zero executable code anywhere in the skill. No Python scripts, no curl commands, no SQL queries for the crt.sh PostgreSQL interface. Everything is described in prose ('Query crt.sh for historical certificates', 'Store in SQLite database') rather than provided as concrete, copy-paste-ready implementations. The prerequisites mention Python libraries but no code uses them. | 1 / 3 |
| Workflow Clarity | The 5-step workflow is logically sequenced and covers the full monitoring lifecycle from baseline through alerting and reporting. However, there are no explicit validation checkpoints or feedback loops — for instance, no step verifies that the baseline database was correctly populated, no error handling for failed API queries, and no 'validate then proceed' gates despite this being a security-critical monitoring pipeline. | 2 / 3 |
| Progressive Disclosure | The entire skill is a monolithic wall of text with no references to external files. The Key Concepts table, detailed scenarios, tools list, and output format could all be split into separate reference files. Everything is inlined, making the skill extremely long and difficult to navigate quickly. | 1 / 3 |
| Total | | 5 / 12 |

Passed

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 |

Passed

Repository: mukul975/Anthropic-Cybersecurity-Skills
Reviewed
