Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS data, and IP enrichment to map and monitor threat actor command-and-control networks.
Overall score: 72. Quality: 66% (does it follow best practices?). Impact: pending, no eval scenarios have been run. Advisory: suggest reviewing before use.
Quality
Discovery
Score: 82%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, domain-specific description that clearly articulates concrete capabilities and uses natural terminology from the threat intelligence field. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill. The specificity and distinctiveness are excellent for a niche cybersecurity skill.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about tracking threat actor infrastructure, C2 detection, passive DNS analysis, or mapping adversary networks.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions and data sources: passive DNS, certificate transparency, WHOIS data, IP enrichment, mapping and monitoring threat actor C2 networks. These are concrete, well-defined capabilities. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' (build an automated tracking system using specific data sources to map C2 networks), but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this dimension at 2 per the rubric. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords a threat intelligence analyst would use: 'adversary infrastructure', 'passive DNS', 'certificate transparency', 'WHOIS', 'IP enrichment', 'threat actor', 'command-and-control', 'C2 networks'. Good coverage of domain-specific terms users would naturally mention. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche focused on adversary infrastructure tracking with specific techniques (passive DNS, cert transparency, WHOIS, IP enrichment). Unlikely to conflict with other skills due to the very specialized threat intelligence domain. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
Score: 50%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides genuinely executable, well-structured Python code for adversary infrastructure tracking, which is its primary strength. However, it is significantly bloated with explanatory content Claude doesn't need (key concepts, generic 'when to use' section), and the workflow lacks validation checkpoints and error handling critical for a system making external API calls. The monolithic structure with large inline code blocks would benefit from progressive disclosure via separate reference files.
Suggestions
Remove the 'Key Concepts' section entirely—Claude already understands passive DNS, infrastructure pivoting, and adversary patterns. This saves ~15 lines of unnecessary context.
Remove or drastically shorten the 'When to Use' section, which is generic boilerplate that adds no actionable value.
Add explicit validation checkpoints between workflow steps: verify API responses, validate graph integrity after adding discoveries, and include error handling/retry logic for API rate limits and failures.
Move the full class implementations to separate referenced files (e.g., tracker.py, graph.py, monitor.py) and keep only concise usage examples in the SKILL.md.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is excessively verbose. The 'Key Concepts' section explains passive DNS, infrastructure pivoting, and adversary patterns, concepts Claude already understands. The 'When to Use' section is generic boilerplate. The overview paragraph restates what the title already conveys. Much of the code includes obvious comments and could be significantly tightened. | 1 / 3 |
| Actionability | The code is concrete, executable, and copy-paste ready with real API endpoints, proper request handling, and complete class implementations. It covers the full pipeline from passive DNS lookup through graph building to monitoring, with specific library usage and API calls. | 3 / 3 |
| Workflow Clarity | The three steps are logically sequenced (discover → graph → monitor), but there are no validation checkpoints between steps. No error handling for API failures, rate limiting, or bad data. The 'Validation Criteria' section is a checklist of expected outcomes rather than actionable verification steps integrated into the workflow. Missing feedback loops for a system that involves external API calls and data quality issues. | 2 / 3 |
| Progressive Disclosure | The content is largely monolithic: hundreds of lines of code inline with no references to separate files for the full class implementations, configuration templates, or advanced usage. The references section links to external resources, but the skill itself would benefit from splitting the large code blocks into referenced files while keeping the SKILL.md as an overview. | 2 / 3 |
| Total | | 8 / 12 Passed |
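What the suggested validation checkpoints and error handling look like in practice, as an added example that is not the skill's own code and not part of this review. It assumes a hypothetical passive DNS client that raises `RateLimited` on HTTP 429 (real providers and crt.sh differ), and all records are constructed stand-ins using RFC 5737 addresses and `.test` domains so the block runs offline. Three checkpoints sit between the discover, graph and monitor steps: a backoff wrapper around every API call, per-record schema and address validation before anything enters the graph, and an integrity check over the graph after each pivot.

```python
# Added example, not the skill's own code: validation checkpoints and retry
# logic around the discover -> graph -> monitor pipeline. The pDNS client and
# all records below are constructed stand-ins; real APIs differ.
import ipaddress
import re
import time
from collections import defaultdict

DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
KNOWN_RRTYPES = {"A", "AAAA", "CNAME", "NS", "MX"}
# Explicit bogon list instead of ip.is_private, which would also reject the
# RFC 5737 documentation range (203.0.113.0/24) used by the sample data.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


class RateLimited(Exception):
    """Raised by the hypothetical API client on HTTP 429."""


def fetch_with_retry(call, retries=4, base_delay=0.5, sleep=time.sleep):
    """Checkpoint 1: retry transient 429s with exponential backoff instead of aborting."""
    for attempt in range(retries):
        try:
            return call()
        except RateLimited:
            if attempt == retries - 1:
                raise
            sleep(base_delay * 2 ** attempt)  # injectable so tests do not wait


def validate_pdns(record):
    """Checkpoint 2: (ok, reason) for one record; only routable IPv4 A records pivot."""
    if not all(k in record for k in ("rrname", "rrtype", "rdata", "time_last")):
        return False, "missing field"
    if not DOMAIN_RE.match(record["rrname"].rstrip(".").lower()):
        return False, f"bad domain {record['rrname']!r}"
    if record["rrtype"] not in KNOWN_RRTYPES:
        return False, f"unknown rrtype {record['rrtype']!r}"
    if record["rrtype"] == "A":
        try:
            ip = ipaddress.ip_address(record["rdata"])
        except ValueError:
            return False, f"bad rdata {record['rdata']!r}"
        if ip.version != 4 or any(ip in net for net in BOGON_NETS):
            return False, f"non-routable rdata {record['rdata']!r}"
    if not isinstance(record["time_last"], int) or record["time_last"] <= 0:
        return False, "bad time_last"
    return True, "ok"


class InfraGraph:
    """Domains, IPs and cert fingerprints as nodes; observations as undirected edges."""

    def __init__(self):
        self.nodes = {}                 # node -> "domain" | "ip" | "cert"
        self.edges = defaultdict(set)   # node -> {(neighbor, relation)}
        self.rejected = []              # (record, reason) kept for analyst triage

    def _link(self, a, a_type, b, b_type, relation):
        self.nodes[a], self.nodes[b] = a_type, b_type
        self.edges[a].add((b, relation))
        self.edges[b].add((a, relation))

    def add_pdns(self, records):
        for rec in records:
            ok, reason = validate_pdns(rec)
            if not ok:
                self.rejected.append((rec, reason))
            elif rec["rrtype"] == "A":
                self._link(rec["rrname"].rstrip(".").lower(), "domain",
                           rec["rdata"], "ip", "resolved_to")

    def add_cert(self, sha256, san_names):
        """CT pivot: one certificate links every SAN it covers."""
        for name in san_names:
            name = name.lower().lstrip("*.")
            if DOMAIN_RE.match(name):
                self._link(sha256, "cert", name, "domain", "covered_by")

    def check_integrity(self):
        """Checkpoint 3: no dangling endpoints, self-loops or one-way edges."""
        for node, links in self.edges.items():
            if node not in self.nodes:
                return False, f"dangling {node}"
            for nbr, rel in links:
                if nbr == node:
                    return False, f"self-loop {node}"
                if nbr not in self.nodes or (node, rel) not in self.edges.get(nbr, ()):
                    return False, f"one-way edge {node}->{nbr}"
        return True, "ok"

    def pivot(self, seed):
        """All nodes reachable from seed: the cluster handed to the monitor step."""
        seen, stack = set(), [seed]
        while stack:
            n = stack.pop()
            if n not in seen and n in self.nodes:
                seen.add(n)
                stack.extend(nbr for nbr, _ in self.edges[n])
        return seen


# Constructed sample "API responses" (RFC 5737 addresses, .test domains); not real observations.
PDNS_PAGES = [
    [{"rrname": "update.example-c2.test.", "rrtype": "A", "rdata": "203.0.113.10", "time_last": 1700000000},
     {"rrname": "cdn.example-c2.test.", "rrtype": "A", "rdata": "203.0.113.10", "time_last": 1700000500}],
    [{"rrname": "bad domain", "rrtype": "A", "rdata": "203.0.113.11", "time_last": 1700000600},
     {"rrname": "login.example-c2.test.", "rrtype": "A", "rdata": "10.0.0.5", "time_last": 1700000700},
     {"rrname": "login.example-c2.test.", "rrtype": "TXT", "rdata": "v=spf1", "time_last": 1700000700}],
]
CT_ENTRY = ("ab" * 32, ["cdn.example-c2.test", "mail.example-c2.test"])


class FakePdnsClient:
    """Hypothetical client: answers 429 twice, then serves the pages above."""
    def __init__(self):
        self.calls = 0

    def query(self, page):
        self.calls += 1
        if self.calls <= 2:
            raise RateLimited()
        return PDNS_PAGES[page]


def run_pipeline(sleep=lambda _: None):
    """Discover -> graph -> integrity check; returns (graph, number of API calls made)."""
    client, graph = FakePdnsClient(), InfraGraph()
    for page in range(len(PDNS_PAGES)):
        graph.add_pdns(fetch_with_retry(lambda: client.query(page), sleep=sleep))
    graph.add_cert(*CT_ENTRY)
    ok, reason = graph.check_integrity()
    if not ok:
        raise RuntimeError(f"graph integrity failed: {reason}")
    return graph, client.calls


if __name__ == "__main__":
    g, calls = run_pipeline()
    print(f"{calls} API calls, {len(g.rejected)} records rejected: {[r for _, r in g.rejected]}")
    print(sorted(g.pivot("update.example-c2.test")))
```

Rejected records are kept rather than silently dropped so an analyst can see what the feed returned (a malformed name, an RFC 1918 address, an unsupported record type), and the integrity check runs before the cluster is handed to monitoring so a bad pivot cannot poison the watchlist.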
Validation
Score: 90%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |