building-adversary-infrastructure-tracking-system

Build an automated system to track adversary infrastructure using passive DNS, certificate transparency, WHOIS data, and IP enrichment to map and monitor threat actor command-and-control networks.

Quality: 58% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security (by Snyk): Risky. Do not use without reviewing.


Quality: Discovery 67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is strong in specificity and distinctiveness, clearly articulating a niche cyber threat intelligence capability with concrete data sources and actions. However, it lacks an explicit 'Use when...' clause, which caps completeness, and could benefit from more natural trigger terms that users might actually say when requesting this type of work.

Suggestions

- Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about tracking threat actor infrastructure, C2 networks, adversary IOCs, or infrastructure pivoting.'
- Include more natural user-facing trigger terms such as 'C2 tracking', 'threat infrastructure mapping', 'IOC enrichment', 'infrastructure pivoting', or 'threat intel automation'.

Dimension | Reasoning | Score
Specificity | Lists multiple specific concrete actions and data sources: passive DNS, certificate transparency, WHOIS data, IP enrichment, and the goal of mapping/monitoring threat actor C2 networks. | 3 / 3
Completeness | Clearly answers 'what' (build automated system to track adversary infrastructure using specific data sources), but lacks an explicit 'Use when...' clause or equivalent trigger guidance for when Claude should select this skill. | 2 / 3
Trigger Term Quality | Contains relevant domain-specific keywords like 'passive DNS', 'certificate transparency', 'WHOIS', 'threat actor', 'command-and-control', but these are fairly technical. Missing more natural user terms like 'C2 tracking', 'threat infrastructure', 'IOC enrichment', or 'adversary tracking'. | 2 / 3
Total | | 10 / 12 (Passed)

Quality: Implementation 50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides genuinely useful, executable code for adversary infrastructure tracking with real API integrations and graph analysis, which is its primary strength. However, it is significantly bloated with conceptual explanations Claude doesn't need (passive DNS definitions, pivoting concepts, adversary patterns), generic 'When to Use' boilerplate, and lacks validation checkpoints within the workflow steps. The monolithic structure would benefit from splitting code into separate files with a leaner overview.

Suggestions

- Remove the 'Key Concepts' section entirely; Claude already understands passive DNS, infrastructure pivoting, and adversary patterns. This saves ~15 lines of unnecessary context.
- Replace the 'When to Use' section with a single sentence or remove it; the current bullets are generic boilerplate that adds no actionable value.
- Add explicit validation checkpoints between workflow steps, e.g., 'Verify API responses contain expected fields before adding to graph' and 'Validate graph has >0 edges before running cluster analysis'.
- Split the large code blocks into separate bundle files (e.g., tracker.py, graph.py, monitor.py) and reference them from a concise SKILL.md overview.

Dimension | Reasoning | Score
Conciseness | The skill is excessively verbose. The 'Key Concepts' section explains passive DNS, infrastructure pivoting, and adversary patterns, all concepts Claude already knows well. The 'When to Use' section is generic boilerplate. The 'Overview' paragraph restates what the title already conveys. Much of this content could be cut without losing actionable value. | 1 / 3
Actionability | The code is concrete, executable, and copy-paste ready. It provides real API endpoints, proper request handling, graph construction with NetworkX, and a monitoring system with report generation. The examples use actual library calls rather than pseudocode. | 3 / 3
Workflow Clarity | The three steps (discover, graph, monitor) are clearly sequenced, but there are no validation checkpoints between steps. There is no error handling guidance for API failures, rate limiting, or invalid data. The 'Validation Criteria' section is a checklist of expected outcomes rather than actionable verification steps integrated into the workflow. | 2 / 3
Progressive Disclosure | The content is a monolithic wall of code and explanation in a single file with no bundle files to offload detail. The large code blocks for each step could be split into separate reference files, with the SKILL.md providing a concise overview and linking out. The References section is good, but all substantive content is inline. | 2 / 3
Total | | 8 / 12 (Passed)

Quality: Validation 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation for skill structure: 10 / 11 Passed

Criteria | Description | Result
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning
Total | | 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
