analyzing-disk-image-with-autopsy

Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and build investigation timelines.

63

Quality: 55% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Advisory (Suggest reviewing before use)

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/analyzing-disk-image-with-autopsy/SKILL.md

Quality

Discovery

67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is strong in specificity and distinctiveness, clearly identifying a niche forensic analysis skill tied to the Autopsy tool. Its main weaknesses are the absence of an explicit 'Use when...' clause and limited coverage of natural trigger terms users might employ when needing this skill.

Suggestions

Add a 'Use when...' clause, e.g., 'Use when the user needs to analyze disk images, investigate digital evidence, or perform computer forensics.'

Include additional natural trigger terms and file format references such as 'digital forensics', 'deleted file recovery', 'evidence analysis', '.E01', '.dd', 'incident response', or 'file carving'.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Lists multiple specific concrete actions: 'forensic analysis of disk images', 'recover files', 'examine artifacts', and 'build investigation timelines'. These are distinct, actionable capabilities. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' with specific actions, but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this dimension at 2 per the rubric. | 2 / 3 |
| Trigger Term Quality | Includes good terms like 'forensic analysis', 'disk images', 'Autopsy', 'recover files', and 'artifacts', but misses common user variations like 'digital forensics', 'evidence', 'deleted files', 'file carving', '.E01', '.dd', or 'incident response'. | 2 / 3 |
| Distinctiveness Conflict Risk | The combination of 'forensic analysis', 'disk images', and 'Autopsy' creates a very clear niche that is unlikely to conflict with other skills. This is a highly specialized domain with distinct terminology. | 3 / 3 |
| Total | | 10 / 12 (Passed) |

Implementation

42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides highly actionable, concrete forensic analysis guidance with real executable commands and detailed GUI instructions, which is its primary strength. However, it is excessively verbose, includes concept explanations Claude doesn't need, and dumps everything into a single monolithic document without any progressive disclosure or external references. The workflow lacks explicit validation checkpoints critical for forensic operations where evidence integrity is paramount.

Suggestions

Remove the Key Concepts table, Tools & Systems table, and Common Scenarios section—either move them to separate reference files or eliminate them entirely, as Claude already understands these concepts.

Add explicit validation checkpoints: verify image hash before and after analysis, validate recovered files, and include a chain-of-custody verification step in the workflow.

Split content into SKILL.md (overview + core workflow) with references to separate files like INGEST_MODULES.md, CLI_REFERENCE.md, and SCENARIOS.md.

Trim the Prerequisites section to only forensic-specific requirements Claude wouldn't know (e.g., hash database locations), removing obvious items like RAM recommendations and JRE requirements.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | Extremely verbose at ~200+ lines. Explains basic concepts Claude already knows (what MFT is, what file carving is, what NTFS is). The Key Concepts and Tools tables are largely unnecessary padding. Prerequisites list system requirements Claude doesn't need to memorize. The Common Scenarios section describes workflows at a high level without adding actionable value beyond what the main workflow already covers. | 1 / 3 |
| Actionability | Provides fully executable CLI commands with real tool names, flags, and example outputs. Both GUI steps and CLI alternatives are concrete and copy-paste ready. Commands like fls, icat, mactime, mmls are shown with proper syntax, offsets, and output paths. | 3 / 3 |
| Workflow Clarity | Steps are clearly sequenced (1-6) covering the full forensic workflow, but there are no explicit validation checkpoints or feedback loops. For forensic analysis involving evidence integrity, there should be hash verification steps after recovery, validation of recovered files, and explicit chain-of-custody verification points. The Data Source Integrity module is mentioned but not enforced as a checkpoint. | 2 / 3 |
| Progressive Disclosure | Monolithic wall of text with no references to external files. Everything is inline—installation, configuration, analysis, scenarios, output format, concept tables, and tool references. Content like the Key Concepts table, Tools table, Common Scenarios, and detailed ingest module descriptions could easily be split into separate reference files. | 1 / 3 |
| Total | | 7 / 12 (Passed) |

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 (Passed) |

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
