Monitors Certificate Transparency (CT) logs to detect unauthorized certificate issuance, discover subdomains via CT data, and alert on suspicious certificate activity for owned domains. Uses the crt.sh API and direct CT log querying based on RFC 6962 to build continuous monitoring pipelines that catch rogue certificates, track CA behavior, and map the external attack surface. Activates for requests involving certificate transparency monitoring, CT log auditing, subdomain discovery via certificates, or certificate issuance alerting.
56%: Does it follow best practices?
Impact: Pending. No eval scenarios have been run.
Advisory: Suggest reviewing before use.
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/auditing-tls-certificate-transparency-logs/SKILL.md
Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly articulates specific capabilities (CT log monitoring, subdomain discovery, certificate alerting), includes rich domain-specific trigger terms, and provides an explicit 'Activates for...' clause covering when to use it. The description is well-structured, uses third person voice throughout, and occupies a clearly distinct niche that minimizes conflict risk with other skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: detect unauthorized certificate issuance, discover subdomains via CT data, alert on suspicious certificate activity, build continuous monitoring pipelines, track CA behavior, and map external attack surface. | 3 / 3 |
| Completeness | Clearly answers both 'what' (monitors CT logs, detects unauthorized certs, discovers subdomains, alerts on suspicious activity) and 'when' with an explicit trigger clause: 'Activates for requests involving certificate transparency monitoring, CT log auditing, subdomain discovery via certificates, or certificate issuance alerting.' | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'certificate transparency', 'CT logs', 'subdomain discovery', 'certificate issuance', 'crt.sh', 'CT log auditing', 'rogue certificates', 'attack surface'. Good coverage of domain-specific terms and variations. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive niche focused specifically on Certificate Transparency logs and related monitoring. The specific mentions of CT logs, crt.sh API, RFC 6962, and certificate issuance alerting make it very unlikely to conflict with other security or networking skills. | 3 / 3 |
| Total | 12 / 12 Passed | |
Implementation
12%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a comprehensive wiki article or training document than an actionable skill for Claude. It is extremely verbose, explains many concepts Claude already knows, and critically lacks any executable code despite being a Python-oriented technical skill. The workflow structure is reasonable but would benefit enormously from concrete implementations and better content organization.
Suggestions
Replace all prose descriptions of API queries and data processing with executable Python code blocks (e.g., actual requests calls to crt.sh, SQLite schema and insert statements, certificate parsing with the cryptography library)
Remove the entire 'Key Concepts' table — Claude already knows what CT, Merkle trees, SCTs, and precertificates are. If any term needs clarification, define it inline where first used.
Move the detailed scenarios, tools list, and output format into separate referenced files (e.g., SCENARIOS.md, TOOLS.md) and keep SKILL.md as a concise overview with quick-start code
Add explicit validation checkpoints in the workflow (e.g., 'Verify crt.sh response status code and JSON structure before processing', 'Validate SQLite baseline has >0 entries before starting monitoring loop')
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~250+ lines, explaining concepts Claude already knows (X.509 structure, Merkle trees, what CT is, what subdomain takeover means). The 'Key Concepts' table is entirely unnecessary background knowledge. The detailed scenarios, while illustrative, are padded with obvious steps. Much of this could be cut by 60%+ without losing actionable content. | 1 / 3 |
| Actionability | Despite the length, there is zero executable code anywhere in the skill. No Python scripts, no curl commands, no SQL queries for the crt.sh PostgreSQL interface. Everything is described in prose ('Query crt.sh for historical certificates', 'Store in SQLite database') rather than provided as concrete, copy-paste-ready implementations. The prerequisites mention Python libraries but no code uses them. | 1 / 3 |
| Workflow Clarity | The 5-step workflow is clearly sequenced and logically ordered, covering baseline → monitoring → discovery → alerting → verification. However, there are no explicit validation checkpoints or feedback loops for error recovery. For a monitoring pipeline that involves database operations and API queries with rate limits, the absence of concrete error handling and validation steps is a gap. | 2 / 3 |
| Progressive Disclosure | The entire skill is a monolithic wall of text with no references to external files. The Key Concepts table, detailed scenarios, tools list, and output format are all inline when they could be split into separate reference files. There's no layered structure — everything is dumped at the same level of detail regardless of importance. | 1 / 3 |
| Total | 5 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
c15f73d