Defines penetration test scope and performs authorized reconnaissance using passive and active methods. Use when planning a test engagement, collecting target intelligence, building asset inventories, or preparing recon findings.
79
68%
Does it follow best practices?
Impact
96%
1.15x
Average score across 3 eval scenarios
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/pt-planning-recon/SKILL.md
Quality
Discovery
75%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description is well-structured with a clear 'Use when' clause that covers multiple trigger scenarios, making it strong on completeness and distinctiveness. However, it could benefit from more specific concrete actions (e.g., DNS lookups, WHOIS queries, port scanning) and additional natural trigger terms (e.g., 'pentest', 'OSINT', 'footprinting') to improve specificity and keyword coverage.
Suggestions
- Add specific concrete actions such as 'DNS enumeration, WHOIS lookups, port scanning, subdomain discovery, OSINT gathering' to improve specificity.
- Include common natural trigger term variations like 'pentest', 'OSINT', 'footprinting', 'enumeration', 'attack surface mapping' in the description or 'Use when' clause.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain (penetration testing) and mentions some actions like 'defines scope', 'performs reconnaissance', 'passive and active methods', but doesn't list multiple specific concrete actions (e.g., DNS enumeration, WHOIS lookups, port scanning, subdomain discovery). | 2 / 3 |
| Completeness | Clearly answers both 'what' (defines pen test scope, performs authorized recon using passive/active methods) and 'when' (explicit 'Use when' clause covering planning engagements, collecting intelligence, building inventories, preparing findings). | 3 / 3 |
| Trigger Term Quality | Includes relevant terms like 'penetration test', 'reconnaissance', 'recon', 'target intelligence', 'asset inventories', but misses common natural variations users might say such as 'pentest', 'OSINT', 'footprinting', 'enumeration', 'attack surface'. | 2 / 3 |
| Distinctiveness Conflict Risk | The description carves out a clear niche around penetration test scoping and reconnaissance specifically, with distinct triggers like 'test engagement', 'target intelligence', and 'recon findings' that are unlikely to conflict with other security or general skills. | 3 / 3 |
| Total | | 10 / 12 Passed |
Implementation
62%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a solid, well-structured workflow for pen test planning and reconnaissance with appropriate safety guardrails and a useful output template. Its main weakness is the lack of concrete, executable examples—no specific tool commands, queries, or real-world examples are provided, keeping the guidance at an abstract instructional level. The structure and safety considerations are strengths, but actionability would benefit significantly from tool-specific examples.
Suggestions
- Add concrete command examples for key recon steps (e.g., specific nmap, dig, subfinder, or amass commands with recommended flags and safe defaults).
- Include a brief worked example showing a sample recon output populated with realistic (fictional) data to demonstrate expected deliverable quality.
- Consider splitting tool-specific guidance into a referenced file (e.g., RECON_TOOLS.md) to keep the main skill lean while providing depth.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Generally efficient and doesn't over-explain concepts Claude already knows, but some bullet points are somewhat generic (e.g., 'Deduplicate assets and map to owners/business function when known') and could be tightened. The output template adds useful structure but is partially redundant with the workflow description. | 2 / 3 |
| Actionability | The skill provides a clear process and output template, but lacks concrete executable commands or tool-specific examples. For a recon skill, specific commands (e.g., nmap flags, dig queries, subfinder usage) or at least named tool recommendations would significantly improve actionability. The guidance remains at the descriptive/instructional level rather than copy-paste ready. | 2 / 3 |
| Workflow Clarity | The workflow is clearly sequenced with a logical progression: confirm scope → passive recon → active recon → normalize → handoff. The 'Quality Checks' section serves as a validation checkpoint, and the explicit requirement to confirm authorization before proceeding and log every command provides appropriate safeguards for this high-risk domain. | 3 / 3 |
| Progressive Disclosure | The content is well-organized with clear sections and a useful output template, but everything is inline in a single file. For a skill of this complexity, references to separate files for tool-specific commands, example recon reports, or detailed methodology guides would improve navigation and reduce the main file's density. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
9976e81