Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.
69
62%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Risky
Do not use without reviewing
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-email-headers-for-phishing-investigation/SKILL.md
Quality
Discovery
82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong description with excellent specificity and domain-relevant trigger terms covering both technical protocols and common user language around phishing and email security. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill over others.
Suggestions
- Add a 'Use when...' clause, e.g., 'Use when the user asks about suspicious emails, phishing investigation, email header analysis, or email authentication checks.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'parse and analyze email headers', 'trace the origin of phishing emails', 'verify sender authenticity', 'identify spoofing through SPF, DKIM, and DMARC validation'. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' with specific actions, but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this dimension at 2 per the rubric. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'email headers', 'phishing', 'sender authenticity', 'spoofing', 'SPF', 'DKIM', 'DMARC'. These cover both technical and common terms a user investigating suspicious emails would use. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive niche focusing on email header analysis, phishing investigation, and email authentication protocols (SPF/DKIM/DMARC). Unlikely to conflict with other skills due to its specific domain. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill excels at actionability with comprehensive, executable code examples covering the full email header analysis workflow. However, it is far too verbose for a skill file - it includes concept explanations, tool descriptions, and scenario narratives that Claude already knows or that should be in separate reference files. The workflow lacks validation checkpoints between steps, and the entire content is monolithic with no progressive disclosure.
Suggestions
- Move the Key Concepts table, Tools & Systems table, and Common Scenarios section to separate reference files (e.g., CONCEPTS.md, SCENARIOS.md) and link to them from the main skill.
- Remove explanatory content Claude already knows - the prerequisite list, concept definitions (SPF, DKIM, DMARC descriptions), and tool purpose descriptions are unnecessary padding.
- Add explicit validation checkpoints between steps, e.g., 'Verify headers were extracted correctly before proceeding to authentication checks' and 'Confirm SPF/DKIM/DMARC results before drawing conclusions about spoofing.'
- Condense the four Common Scenarios into a brief decision-tree or checklist format rather than narrative paragraphs.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~250+ lines. It explains concepts Claude already knows (what SPF, DKIM, DMARC are in a table), includes lengthy prerequisite lists, describes common scenarios narratively, and has substantial boilerplate. The Key Concepts table and Tools & Systems table add little value for Claude. | 1 / 3 |
| Actionability | The skill provides fully executable Python scripts and bash commands throughout every step - from PST extraction to header parsing, SPF validation, domain analysis, and attachment hashing. Code is copy-paste ready with real library imports and concrete examples. | 3 / 3 |
| Workflow Clarity | The 5-step workflow is clearly sequenced and logically ordered, but lacks explicit validation checkpoints and feedback loops. There's no 'verify your results before proceeding' step, no error handling guidance, and no checkpoint between steps to confirm findings before moving to the next analysis phase. | 2 / 3 |
| Progressive Disclosure | This is a monolithic wall of content with no references to external files. The Key Concepts table, Tools & Systems table, Common Scenarios section, and detailed code examples could all be split into separate reference files. Everything is inlined in one massive document. | 1 / 3 |
| Total | 7 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
888bbe4