active-directory-attacks
This skill should be used when the user asks to "attack Active Directory", "exploit AD", "Kerberoasting", "DCSync", "pass-the-hash", "BloodHound enumeration", "Golden Ticket", ...
Install with Tessl CLI
npx tessl i github:sickn33/antigravity-awesome-skills --skill active-directory-attacks72
Quality
66%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/active-directory-attacks/SKILL.mdQuality
Discovery
44%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description has strong trigger term coverage with specific AD attack terminology but critically fails to explain what the skill actually does. It reads as a list of when-to-use triggers without any capability description, making it impossible for Claude to understand what actions this skill enables.
Suggestions
Add a capability statement at the beginning describing concrete actions (e.g., 'Performs Active Directory penetration testing including domain enumeration, credential extraction, and privilege escalation attacks.')
Restructure to follow the pattern: '[What it does]. Use when [triggers]' - currently only the trigger portion exists
Convert the ellipsis to a complete list or use 'and similar AD attack techniques' to indicate scope without trailing off
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | The description lists attack technique names but does not describe any concrete actions the skill performs. It only states when to use it, not what it actually does (e.g., 'enumerate domain users', 'extract credentials', 'generate attack paths'). | 1 / 3 |
Completeness | The description only addresses 'when' (trigger terms) but completely omits 'what' - there is no explanation of what capabilities or actions this skill provides. The rubric states missing what OR when should score 1. | 1 / 3 |
Trigger Term Quality | Excellent coverage of natural terms users would say: 'attack Active Directory', 'exploit AD', 'Kerberoasting', 'DCSync', 'pass-the-hash', 'BloodHound enumeration', 'Golden Ticket' are all specific, recognizable terms security professionals would use. | 3 / 3 |
Distinctiveness Conflict Risk | The Active Directory attack terminology is highly specific and unlikely to conflict with other skills. Terms like 'Kerberoasting', 'DCSync', and 'Golden Ticket' are distinct to AD security testing. | 3 / 3 |
Total | 8 / 12 Passed |
Implementation
87%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a high-quality, comprehensive AD attack skill that excels in actionability and conciseness. The content provides executable commands for all major attack vectors with excellent organization. The main weakness is the lack of explicit validation checkpoints in multi-step attack workflows, which is important given the potentially destructive nature of some operations (e.g., ZeroLogon password changes).
Suggestions
Add explicit validation/verification steps after critical operations, especially for ZeroLogon (verify DC still functional before/after), DCSync (confirm hash extraction succeeded), and Golden Ticket creation (verify ticket works before proceeding)
Include a pre-flight checklist for attack operations that verifies prerequisites are met (e.g., 'Confirm clock sync: date; Confirm domain connectivity: nmap -p445 DC')
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is highly efficient with minimal explanatory fluff. It assumes Claude knows what AD, Kerberos, and these tools are, jumping straight to executable commands without explaining basic concepts. | 3 / 3 |
Actionability | Excellent actionability with copy-paste ready commands throughout. Every attack technique includes specific, executable command examples with proper syntax for multiple tools (Impacket, Mimikatz, Rubeus, etc.). | 3 / 3 |
Workflow Clarity | While the core workflow has numbered steps and the examples show attack chains, validation checkpoints are largely missing. For destructive operations like ZeroLogon, the restore step is mentioned but there's no explicit 'verify before proceeding' pattern throughout most attack sequences. | 2 / 3 |
Progressive Disclosure | Well-structured with clear sections, quick reference table for common operations, and appropriate delegation to external file (references/advanced-attacks.md) for advanced techniques. Content is organized for easy navigation without deep nesting. | 3 / 3 |
Total | 11 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.