Content: 64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a highly actionable skill with excellent concrete commands and tool-specific syntax covering a comprehensive range of AD attack techniques. Its main weaknesses are the lack of validation checkpoints between attack steps (e.g., confirming credential extraction succeeded before attempting lateral movement) and the monolithic structure that packs extensive content into a single file. Some minor verbosity in boilerplate sections and a duplicative quick reference table slightly reduce token efficiency.
Suggestions

- Add explicit validation/verification steps between attack phases (e.g., 'Verify hash extraction: crackmapexec smb target -u user -H hash' before proceeding to lateral movement)
- Split detailed attack categories (Kerberos attacks, NTLM relay, AD CS, CVEs) into separate reference files and keep SKILL.md as a concise overview with links
- Remove the duplicative Quick Reference table, or replace the detailed sections above with just the quick reference plus links to detailed files
- Remove boilerplate sections like 'When to Use' and trim 'Inputs/Prerequisites' and 'Outputs/Deliverables', which add little value for Claude
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is mostly efficient with concrete commands rather than explanations, but includes some unnecessary sections like the 'Purpose' restating the description, the 'Inputs/Prerequisites' and 'Outputs/Deliverables' sections that are somewhat obvious, and the 'When to Use' boilerplate at the end. The Quick Reference table duplicates commands already shown above. Overall reasonably lean but could be tightened. | 2 / 3 |
| Actionability | Excellent actionability throughout — nearly every technique includes fully executable, copy-paste-ready commands with specific tool invocations, flags, and arguments. Multiple tool alternatives are provided for each attack type, and the examples section shows complete end-to-end attack chains with numbered steps. | 3 / 3 |
| Workflow Clarity | The core workflow has numbered steps for initial phases (clock sync, recon, enumeration), and the examples show sequenced attack chains. However, validation checkpoints are largely missing: there's no explicit 'verify this worked before proceeding' between steps. The ZeroLogon section notably includes a restore step, but most attack sequences lack verification/feedback loops for confirming success before moving to the next phase. | 2 / 3 |
| Progressive Disclosure | The content references 'references/advanced-attacks.md' for advanced techniques, which is good progressive disclosure. However, the main file is quite long (~300+ lines) with substantial inline detail that could be split into separate reference files (e.g., Kerberos attacks, NTLM relay, AD CS attacks). The structure is well-organized with clear headers, but the monolithic nature could benefit from better splitting. | 2 / 3 |
| Total | | 9 / 12 Passed |