
auditing-tls-certificate-transparency-logs

Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance, discover subdomains via CT data, and alert on suspicious certificate activity for owned domains. Uses the crt.sh API and direct CT log querying based on RFC 6962 to build continuous monitoring pipelines that catch rogue certificates, track CA behavior, and map the external attack surface. Activates for requests involving certificate transparency monitoring, CT log auditing, subdomain discovery via certificates, or certificate issuance alerting.

51

Quality: 56% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security (by Snyk): Advisory. Suggest reviewing before use

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/auditing-tls-certificate-transparency-logs/SKILL.md

Quality

Discovery

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly articulates specific capabilities, includes natural trigger terms, explicitly states both what the skill does and when to activate it, and occupies a distinct niche. It uses proper third-person voice throughout and avoids vague language or buzzwords. The description is comprehensive yet focused, making it easy for Claude to select appropriately from a large skill set.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Lists multiple specific concrete actions: monitoring CT logs, detecting unauthorized certificate issuance, discovering subdomains via CT data, alerting on suspicious certificate activity, querying crt.sh API, direct CT log querying based on RFC 6962, building continuous monitoring pipelines, tracking CA behavior, and mapping external attack surface. | 3 / 3 |
| Completeness | Clearly answers both 'what' (monitors CT logs, detects unauthorized certificates, discovers subdomains, alerts on suspicious activity) and 'when' with an explicit trigger clause: 'Activates for requests involving certificate transparency monitoring, CT log auditing, subdomain discovery via certificates, or certificate issuance alerting.' | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'certificate transparency', 'CT logs', 'subdomain discovery', 'certificate issuance', 'crt.sh', 'CT log auditing', 'rogue certificates', 'attack surface'. These cover the domain well with natural variations. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive niche focused specifically on Certificate Transparency logs and related monitoring. The domain is narrow enough (CT logs, crt.sh, RFC 6962) that it's very unlikely to conflict with other skills like general security scanning or DNS enumeration. | 3 / 3 |

Total: 12 / 12 (Passed)

Implementation

12%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill reads like a comprehensive wiki article or training document about Certificate Transparency monitoring rather than an actionable skill for Claude. Its most critical weakness is the complete absence of executable code despite being a deeply technical task involving API queries, database operations, and certificate parsing. The content is also excessively verbose, explaining fundamental security concepts that Claude already understands, and packs everything into a single monolithic document.

Suggestions

Add executable Python code examples for the core operations: querying crt.sh API with requests, parsing JSON responses, storing results in SQLite, and comparing against baselines — these are the actual actions Claude needs to perform.

Remove or drastically reduce the 'Key Concepts' glossary table and 'Tools & Systems' section — Claude already knows what Merkle trees, SCTs, and CAA records are. Keep only tool-specific details like exact API endpoints and query parameters.

Extract the two detailed scenarios and the output format template into separate reference files (e.g., SCENARIOS.md, OUTPUT_TEMPLATE.md) and reference them from the main skill to reduce the monolithic structure.

Add concrete validation steps with executable commands, such as verifying API responses return expected JSON structure, checking SQLite row counts after baseline import, and testing alert delivery before relying on the pipeline.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The skill is extremely verbose at ~300+ lines. It explains concepts Claude already knows (X.509 structure, Merkle trees, what CT is, what subdomain takeover means), includes an 8-row glossary table of basic security concepts, and provides lengthy narrative descriptions where concise bullet points or code would suffice. The 'Key Concepts' and 'Tools & Systems' sections are largely unnecessary padding. | 1 / 3 |
| Actionability | Despite being a technical skill about querying APIs and building monitoring pipelines, there is zero executable code anywhere in the document. All guidance is descriptive prose ('Query the crt.sh JSON API', 'Store in SQLite database', 'Parse certificate details') without a single Python snippet, curl command, or SQL query. The prerequisites mention Python libraries but no code uses them. | 1 / 3 |
| Workflow Clarity | The 5-step workflow is logically sequenced and covers the full monitoring lifecycle from baseline through alerting and reporting. However, validation checkpoints are largely absent — there's no explicit 'verify your baseline is complete before proceeding' step, no error handling guidance for API failures, and no feedback loops for when queries return unexpected results. The steps read more like a conceptual overview than an operational runbook. | 2 / 3 |
| Progressive Disclosure | The content is a monolithic wall of text with no bundle files and no references to external documents. All content — from basic concepts to advanced STH verification to detailed scenarios — is inlined in a single massive file. The Key Concepts table, two lengthy scenarios, and the Tools & Systems section could all be separate reference files, with the main skill being a concise operational guide. | 1 / 3 |

Total: 5 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |

Total: 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
