Analyze disk images and file systems for digital evidence recovery in forensic investigations and CTF challenges. Use when the user mentions 'disk forensics,' 'forensic analysis,' 'disk image,' 'file carving,' 'deleted files,' 'evidence recovery,' 'autopsy,' 'sleuthkit,' or needs to examine a forensic image.
68
83%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Passed
No known issues
Quality
Discovery
89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description with excellent trigger term coverage and a clear 'Use when' clause that makes it highly selectable. The main weakness is that the 'what' portion could be more specific about the concrete actions performed (e.g., partition analysis, file carving, timeline generation, metadata extraction) rather than the somewhat general 'analyze disk images and file systems for digital evidence recovery.'
Suggestions
Expand the capability description with more specific concrete actions, e.g., 'Analyze partition tables, carve deleted files, extract metadata, generate timelines, and recover artifacts from disk images and file systems.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (disk images, file systems, digital forensics) and some actions (analyze, evidence recovery), but doesn't list multiple specific concrete actions like 'carve deleted files, extract metadata, analyze partition tables, recover file system artifacts.' | 2 / 3 |
| Completeness | Clearly answers both 'what' (analyze disk images and file systems for digital evidence recovery) and 'when' (explicit 'Use when' clause with a comprehensive list of trigger terms and scenarios). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms users would say: 'disk forensics,' 'forensic analysis,' 'disk image,' 'file carving,' 'deleted files,' 'evidence recovery,' 'autopsy,' 'sleuthkit,' and 'CTF challenges.' These are terms users would naturally use when needing this skill. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive niche focused on disk forensics with specific tool names (autopsy, sleuthkit) and domain-specific terms (file carving, disk image, evidence recovery) that are unlikely to conflict with other skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
77%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, well-structured forensic analysis skill with excellent actionability — nearly every step includes executable commands with clear placeholders. The workflow is logically sequenced with appropriate safety measures (hash verification, read-only mounting, evidence handling principles). Minor weaknesses include some verbosity in listing artifacts Claude already knows about and the monolithic structure that could benefit from splitting detailed reference material into separate files.
Suggestions
Trim the system artifacts list in Step 5 — Claude already knows common browser history and log locations; focus on forensics-specific paths like $MFT, $UsnJrnl, and prefetch that are less commonly known.
Consider extracting the output format template and the detailed artifact recovery checklist into separate referenced files to improve progressive disclosure and reduce the main file's length.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Generally efficient with good use of code blocks and tables, but includes some unnecessary content like the References section (Claude knows these exist), and some explanatory text that could be trimmed (e.g., 'For encrypted volumes, identify the encryption type and request the key/passphrase' is obvious). The artifact recovery section lists many items Claude already knows about. | 2 / 3 |
| Actionability | Provides fully executable, copy-paste-ready commands throughout (fdisk, mmls, mount, fls, icat, foremost, exiftool, strings, bulk_extractor). Each step has concrete bash commands with clear parameter placeholders, and the output format template is directly usable. | 3 / 3 |
| Workflow Clarity | Clear 8-step sequential methodology with explicit validation at Step 1 (hash verification before proceeding), read-only mounting as a safety checkpoint, and timeline construction as a cross-referencing/validation step. The anomaly detection flags in Step 8 serve as verification checkpoints. The workflow naturally builds from identification through analysis to reporting. | 3 / 3 |
| Progressive Disclosure | The content is well-structured with clear sections and headers, but it's a fairly long monolithic document (~120 lines of content) with no references to supporting files. The artifact recovery section and output format template could be split into separate reference files. However, given no bundle files exist, the inline approach is the only option, and the organization within the single file is reasonable. | 2 / 3 |
| Total | | 10 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| Total | 10 / 11 Passed | |
2400590