RFC - Claude Skill for Cryptographic Discovery — Seeking Feedback from the Community

C W

Apr 20, 2026, 5:17:28 AM
to pqc-forum

Hello all,

I am sharing an open-source project and calling on practitioners to test it against their own system architecture diagrams. Your real-world feedback is what I need most.

The Problem

Architecture diagrams are drawn to communicate functionality and data flow — not security properties. Cryptographic controls (TLS configurations, key types, cipher suites, certificate authorities, key storage, signing mechanisms) are almost never explicitly captured in diagrams. This makes cryptographic discovery heavily dependent on the knowledge and experience of whoever is doing the review.

What I Built

A Claude AI skill that guides practitioners through a structured, interactive cryptographic discovery process against an architecture diagram. The goal is to systematically surface cryptographic assets that diagrams typically omit — and flag gaps where cryptographic controls would be expected but are unconfirmed.

The skill works through seven stages:

  1. Context intake — environment, data classification, internet exposure
  2. Component extraction — six categories covering components, connections, storage, boundaries, external systems, and entry points
  3. User verification of extracted components
  4. Exposure prioritisation — internet-facing flows, long-lived secret data, long-lived trust anchors, internal
  5. Targeted gap prompting — per component, in priority order, strictly scoped to cryptographic controls only
  6. Output: Cryptographic Inventory (with confidence levels) + Verification Worklist (classical gaps + PQC risk)
  7. Summary and recommended next actions

Every discovered asset is assessed for post-quantum risk using NIST PQC standards (ML-KEM FIPS 203, ML-DSA FIPS 204, SLH-DSA FIPS 205, FN-DSA FIPS 206) as reference points for migration planning.

What I Need From You

I need practitioners to test this against their own architecture diagrams — real systems, sanitised if needed — and answer these specific questions:

  1. Did the skill identify the right components? Were any components, connections, or boundaries missed during extraction?
  2. Were the gap prompting questions useful? Did the questions actually surface cryptographic assets or gaps you hadn't explicitly documented?
  3. Were any important questions missing? What did the skill fail to ask that it should have?
  4. Was the output actionable? Did the Cryptographic Inventory and Verification Worklist give you something concrete to work with?
  5. Were any steps confusing or incorrect? Did any stage produce wrong, misleading, or irrelevant output?

The discovery methodology — the questions asked at each stage — is the core of this tool. That is what I most need validated by people testing it against real systems.

How to Try It

  1. Install Claude at claude.ai
  2. Download and install the skill from the GitHub repository below
  3. Upload your architecture diagram and say: "identify the cryptographic assets in my system"
  4. Work through the interactive session
  5. Post your feedback in the Issues tab of the repository

GitHub Repository

https://github.com/weiwenweiwenweiwen/cryptographic-discovery-skill

All diagram types welcome — cloud, on-prem, hybrid, microservices, PKI, legacy. The more varied the architectures tested, the more robust the methodology becomes.

Thank you in advance. Honest feedback — including where it fails — is exactly what I am looking for.

Regards,

Wei Wen
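
Stages 4 and 6 of the post above, sketched as an added example (not code from the skill's repository and not part of the original post): inventory entries carry a confidence level, and the worklist reports classical gaps and PQC risk in exposure order. The record fields, confidence values and algorithm-name parsing are assumptions made for this illustration.

```python
from dataclasses import dataclass

# Stage 4 ordering as listed in the post (lower value = reviewed first).
EXPOSURE_ORDER = {"internet-facing": 0, "long-lived-secret": 1,
                  "long-lived-trust-anchor": 2, "internal": 3}
# Public-key families that Shor's algorithm breaks (illustrative, not exhaustive).
SHOR_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA", "X25519", "ED25519"}
# Reference standards named in the post, keyed by what the asset is used for.
PQC_REFERENCE = {"key-establishment": "ML-KEM (FIPS 203)",
                 "signature": "ML-DSA (FIPS 204), SLH-DSA (FIPS 205) or FN-DSA (FIPS 206)"}

@dataclass
class Asset:                # hypothetical record layout
    component: str
    use: str                # "key-establishment", "signature" or "symmetric"
    algorithm: str          # "" when nobody could say what is deployed
    exposure: str           # a key of EXPOSURE_ORDER
    confidence: str         # "confirmed", "assumed" or "unknown"

def family(algorithm):
    """'ECDH-P256' -> 'ECDH' (assumes names of the form FAMILY-PARAMS)."""
    return algorithm.split("-")[0].upper()

def build_worklist(inventory):
    """Return [(component, [reasons])] in exposure-priority order."""
    items = []
    for a in inventory:
        reasons = []
        if a.confidence != "confirmed" or not a.algorithm:
            reasons.append("classical gap: control unconfirmed")
        if a.use in PQC_REFERENCE and family(a.algorithm) in SHOR_BROKEN:
            reasons.append("PQC risk: plan migration toward " + PQC_REFERENCE[a.use])
        if reasons:         # confirmed, non-Shor-broken assets stay inventory-only
            items.append((EXPOSURE_ORDER[a.exposure], a.component, reasons))
    items.sort(key=lambda item: item[0])    # stable sort keeps input order on ties
    return [(component, reasons) for _, component, reasons in items]

# Constructed sample inventory, not taken from any real system.
SAMPLE_INVENTORY = [
    Asset("internal service mesh", "key-establishment", "", "internal", "unknown"),
    Asset("backup archive", "symmetric", "AES-256-GCM", "long-lived-secret", "confirmed"),
    Asset("root CA", "signature", "RSA-4096", "long-lived-trust-anchor", "assumed"),
    Asset("public API gateway", "key-establishment", "ECDH-P256", "internet-facing", "confirmed"),
]

if __name__ == "__main__":
    for component, reasons in build_worklist(SAMPLE_INVENTORY):
        print(component, "->", "; ".join(reasons))
```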

Alex Railean

Apr 20, 2026, 7:19:35 AM
to pqc-forum, C W
Hi,

Running this analysis with Anthropic's infrastructure and tools in the loop might not be acceptable. Have you tried it with self-hosted LLMs and alternatives like OpenCode?

Including a recipe that explains how to do this with an independent toolkit would be appreciated. For example, what models you recommend, what levels of quantization, etc.

Alex