
analyzing-email-headers-for-phishing-investigation

Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.

Score: 55

Quality: 62% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security (by Snyk): Risky. Do not use without reviewing.


Quality

Discovery

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong description with excellent specificity and domain-relevant trigger terms covering both technical protocols and common user language around phishing and email security. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill over others.

Suggestions

Add a 'Use when...' clause, e.g., 'Use when the user asks about suspicious emails, phishing analysis, email header inspection, or email authentication checks.'

Dimension, reasoning and score:

Specificity (3 / 3): Lists multiple specific concrete actions: 'parse and analyze email headers', 'trace the origin of phishing emails', 'verify sender authenticity', 'identify spoofing through SPF, DKIM, and DMARC validation'.

Completeness (2 / 3): Clearly answers 'what does this do' with specific actions, but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this dimension at 2 per the rubric.

Trigger Term Quality (3 / 3): Includes strong natural keywords users would say: 'email headers', 'phishing', 'sender authenticity', 'spoofing', 'SPF', 'DKIM', 'DMARC'. These cover both technical and common terms a user investigating suspicious emails would use.

Distinctiveness / Conflict Risk (3 / 3): Highly distinctive niche focusing on email header analysis, phishing investigation, and email authentication protocols (SPF/DKIM/DMARC). Unlikely to conflict with other skills due to its specific domain.

Total: 11 / 12. Passed.

Implementation

42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill excels in actionability with fully executable, well-structured code examples covering the complete email header analysis workflow. However, it is significantly over-engineered for a SKILL.md — it explains concepts Claude already knows (SPF, DKIM, DMARC definitions), includes verbose reference tables and scenario descriptions, and packs everything into a single monolithic file. The workflow is logically sequenced but lacks explicit validation checkpoints and error recovery paths between steps.

Suggestions

Remove the Key Concepts table entirely. Claude already knows what SPF, DKIM, DMARC, and Received headers are, and dropping the table saves roughly 15 lines.

Move the Common Scenarios section and Tools & Systems table to separate reference files (e.g., SCENARIOS.md, TOOLS.md) and link to them from the main skill.

Add explicit validation checkpoints between steps, e.g., 'Verify headers were extracted successfully before proceeding' and 'If SPF passes but content is suspicious, skip to Step 5 for content analysis.'

Remove the Prerequisites section — Claude doesn't need to be told it needs 'understanding of SMTP protocol' or 'access to DNS lookup tools.' Instead, just use the tools directly in the workflow.

Dimension, reasoning and score:

Conciseness (1 / 3): The skill is extremely verbose at roughly 250+ lines. It explains concepts Claude already knows (what SPF, DKIM, DMARC are; what SMTP is; what email headers are), includes a full reference table of basic concepts, describes four detailed scenarios narratively, and has a lengthy prerequisites section. The Key Concepts table and Tools & Systems table add significant token overhead for information Claude already possesses.

Actionability (3 / 3): The skill provides fully executable Python scripts and bash commands throughout every step. Code is copy-paste ready with real library imports (pypff, pyspf, email, Levenshtein), concrete dig commands, API calls with curl, and specific file paths. Each step has working code rather than pseudocode.

Workflow Clarity (2 / 3): The five steps are clearly sequenced and logically ordered (extract, parse, validate, analyze infrastructure, examine body). However, there are no explicit validation checkpoints or feedback loops between steps: no 'if SPF fails, then do X' branching, no verification that header extraction succeeded before parsing, and no error recovery guidance for common failure modes.

Progressive Disclosure (1 / 3): The content is a monolithic wall of text with no references to external files. Everything (extraction, parsing, SPF/DKIM/DMARC validation, domain analysis, body examination, concepts tables, scenarios, and output format) is crammed into a single file. The Key Concepts table, Tools & Systems table, and Common Scenarios sections could easily be separate reference files, significantly reducing the main skill's token footprint.

Total: 7 / 12. Passed.
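The header-analysis workflow the review describes (extract, parse, validate, trace the relay chain) with the checkpoints and branching the reviewer asks for, written as an added example. It is not code from the reviewed skill or from the mukul975/Anthropic-Cybersecurity-Skills repository. It uses only the Python standard library: instead of the skill's pypff/pyspf/dig steps it reads SPF, DKIM and DMARC verdicts from the Authentication-Results header that the receiving MTA already stamped, and the two messages are constructed samples using RFC 5737 documentation addresses and made-up domains.

```python
# Added example (not the skill's own code): header triage with explicit
# checkpoints. Stdlib only; auth verdicts come from Authentication-Results.
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample 1: spoofed From:, failing SPF/DKIM/DMARC, three hops.
SPOOFED = """\
Return-Path: <bounce@mailer-example.net>
Received: from mx.corp-example.com (mx.corp-example.com [203.0.113.10])
 by inbox.corp-example.com with ESMTPS id abc123; Mon, 3 Jun 2024 10:05:01 +0000
Received: from relay.mailer-example.net (relay.mailer-example.net [198.51.100.7])
 by mx.corp-example.com with ESMTP id def456; Mon, 3 Jun 2024 10:04:58 +0000
Received: from [192.0.2.45] (unknown [192.0.2.45])
 by relay.mailer-example.net with ESMTPA id ghi789; Mon, 3 Jun 2024 10:04:50 +0000
Authentication-Results: corp-example.com; spf=fail smtp.mailfrom=mailer-example.net;
 dkim=none; dmarc=fail header.from=bank-example.com
From: "Bank Support" <support@bank-example.com>
To: victim@corp-example.com
Subject: Urgent: verify your account

Please log in at http://bank-example.com.login-verify-example.net/ now.
"""

# Constructed sample 2: aligned domains, everything passes, a single hop.
CLEAN = """\
Return-Path: <news@bank-example.com>
Received: from mail.bank-example.com (mail.bank-example.com [203.0.113.20])
 by mx.corp-example.com with ESMTPS id jkl012; Mon, 3 Jun 2024 11:00:00 +0000
Authentication-Results: corp-example.com; spf=pass smtp.mailfrom=bank-example.com;
 dkim=pass header.d=bank-example.com; dmarc=pass header.from=bank-example.com
From: news@bank-example.com
To: victim@corp-example.com
Subject: Monthly statement

Your statement is attached.
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_VERDICT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def parse_headers(raw):
    """Step 1, extract. Checkpoint: stop if the headers needed later are absent."""
    msg = message_from_string(raw, policy=policy.default)
    if msg["From"] is None or not msg.get_all("Received"):
        raise ValueError("header extraction failed: no From or no Received headers")
    return msg


def domain_of(header_value):
    """Lower-cased domain part of an address header, '' if unparseable."""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Step 3, read the SPF/DKIM/DMARC verdicts stamped by the receiving MTA."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_VERDICT.findall(str(hdr)):
            verdicts.setdefault(mech.lower(), verdict.lower())
    return verdicts


def trace_origin(msg):
    """Step 4, relay chain. Each relay prepends a Received header, so the last
    one is the first hop; returns bracketed IPs oldest hop first."""
    hops = []
    for hdr in msg.get_all("Received"):
        m = BRACKETED_IP.search(str(hdr))
        hops.append(m.group(1) if m else None)
    return hops[::-1]


def analyze(raw):
    """Run the steps, branching at each checkpoint; returns a verdict dict."""
    msg = parse_headers(raw)
    findings = []
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"]) if msg["Return-Path"] else ""

    auth = auth_results(msg)
    # Checkpoint: a missing verdict counts as a failure, never as a pass.
    for mech in ("spf", "dkim", "dmarc"):
        verdict = auth.get(mech, "missing")
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")

    # Checkpoint: alignment. SPF can pass for the envelope (Return-Path)
    # domain while the visible From: names a different organisation.
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"From/Return-Path mismatch: {from_domain} vs {envelope_domain}")

    hops = trace_origin(msg)
    origin_ip = next((ip for ip in hops if ip), None)
    # Branch: clean headers mean the remaining work is body/URL analysis
    # (the skill's step 5), which this example leaves out.
    return {"verdict": "suspicious" if findings else "headers-clean",
            "from_domain": from_domain, "auth": auth,
            "origin_ip": origin_ip, "hops": hops, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("clean", CLEAN)):
        print(name, analyze(raw))
```

One caveat a reviewer of the skill would add: an Authentication-Results header is only evidence if your own MTA wrote it. A sender can include a forged one, so production code should keep only the instance whose authserv-id matches the receiving host (corp-example.com in the samples) and strip the rest at the border, or fall back to live SPF/DKIM evaluation as the skill's pyspf step does. The same applies to Received headers: only the hops added by relays you trust are reliable, and the earliest hop is simply whatever the first trusted relay saw.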

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 passed

Validation for skill structure

Criteria: frontmatter_unknown_keys
Description: Unknown frontmatter key(s) found; consider removing or moving to metadata
Result: Warning

Total: 10 / 11. Passed.

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
