CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-docker-container-forensics

Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to identify malicious activity and evidence.

62

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A highly actionable, well-sequenced forensic workflow with strong executable examples, weakened by redundant inline content that duplicates the provided reference file and by a lack of explicit validation/feedback checkpoints in a destructive evidence-handling process.

Suggestions

Replace the inlined docker inspect/dive/trivy syntax and the 'Key Concepts' fundamentals with links to references/api-reference.md to cut duplicate tokens and improve progressive disclosure.

Add an explicit validation step after evidence export (e.g., verify sha256sums, confirm tar integrity) and an error-recovery loop so destructive forensic capture has feedback checkpoints.

Reference scripts/agent.py from the Workflow section so the bundled automation is discoverable rather than orphaned.

DimensionReasoningScore

Conciseness

Mostly efficient with concrete commands, but the 'Key Concepts' table explains fundamentals Claude already knows (e.g., 'Image layers — Read-only filesystem layers stacked to form the container image', 'overlay2 — Default Docker storage driver') and the body inlines docker inspect/dive/trivy syntax that duplicates references/api-reference.md, so it could be tightened.

2 / 3

Actionability

Provides copy-paste-ready, executable bash with specific flags and output paths, plus a complete inline Python script for parsing inspect/diff output, matching the anchor for fully executable guidance.

3 / 3

Workflow Clarity

Five steps are clearly sequenced (preserve → layers → host artifacts → fs changes → scan/report), but for destructive/batch forensic work there are no explicit validation checkpoints or error-recovery loops (e.g., verify evidence hashes, retry on failed extraction), which caps workflow clarity at 2 per the rubric.

2 / 3

Progressive Disclosure

Bundle files exist (references/api-reference.md and scripts/agent.py) and are one level deep, but the body never signals or links to them — it inlines the same tool syntax the reference file already holds and does not reference agent.py, so navigation is not clearly signaled.

2 / 3

Total

9

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A specific, third-person description with strong natural trigger terms and a clear distinct niche, but it omits an explicit 'Use when...' clause, capping completeness at 2. Adding a usage-trigger sentence would raise it to fully compliant.

Suggestions

Append an explicit trigger clause such as 'Use when investigating a compromised Docker container or host, analyzing suspicious images, or performing container incident response.'

Lead with the most common user phrasing (e.g., 'compromised Docker container') up front to maximize trigger-term match against how users phrase the request.

DimensionReasoningScore

Specificity

Enumerates multiple concrete analysis targets — 'images, layers, volumes, logs, and runtime artifacts' — paired with the explicit goal 'to identify malicious activity and evidence', matching the anchor that lists multiple specific concrete actions/targets.

3 / 3

Completeness

It clearly states what the skill does (investigate/analyze/identify) but lacks any 'Use when...' or equivalent explicit trigger clause for when Claude should invoke it, so per the rubric guideline completeness is capped at 2.

2 / 3

Trigger Term Quality

Uses natural terms a user would say when requesting this skill — 'compromised Docker containers', 'Docker images', 'volumes, logs' — giving good coverage rather than technical jargon.

3 / 3

Distinctiveness Conflict Risk

The Docker container forensics niche is specific with distinct triggers, making it unlikely to fire for unrelated skills; voice is correctly third person ('Investigate').

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.