CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-email-headers-for-phishing-investigation

Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.

61

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Risky

Do not use without reviewing

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A highly actionable, well-sequenced forensic workflow with strong executable examples, weakened by verbosity, absent validation checkpoints, and bundle files that exist but are never linked from the SKILL.md body.

Suggestions

Replace the inline tool/API details and the Key Concepts table with links to the existing references/api-reference.md to reduce duplication and token cost.

Reference scripts/agent.py from the body so the provided bundle file is discoverable and used.

Add explicit validation checkpoints (e.g. "Confirm SPF/DKIM results before judging spoofing"; "If a Received hop is missing timestamps, flag the chain as unreliable") to lift workflow clarity.

DimensionReasoningScore

Conciseness

Mostly efficient with executable code, but verbose inline comments and a "Key Concepts" table restating well-known SPF/DKIM/DMARC basics could be tightened to leaner form.

2 / 3

Actionability

Provides fully executable Python, dig, curl, whois, and hashing commands with concrete examples and real flag usage — copy-paste ready.

3 / 3

Workflow Clarity

The five steps are clearly sequenced (extract → parse → validate → analyze infrastructure → examine body), but there are no explicit validation checkpoints or error-recovery feedback loops, so it sits below the anchor-3 bar.

2 / 3

Progressive Disclosure

Sections are reasonably organized, but bundle files (references/api-reference.md, scripts/agent.py) are never referenced from the body and API-reference material is duplicated inline rather than split out and signaled.

2 / 3

Total

9

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A specific, third-person description with strong trigger terms and a clear niche, but it lacks an explicit "Use when..." clause so the "when to use" half of completeness is only implied.

Suggestions

Append an explicit trigger clause, e.g. "Use when investigating a suspected phishing email, verifying sender authenticity, or tracing email origin via SPF/DKIM/DMARC."

Add common user phrasings such as "phishing", "email spoofing", or "suspicious email" as natural trigger keywords to reinforce the when-to-use signal.

DimensionReasoningScore

Specificity

Lists multiple concrete actions — "Parse and analyze email headers", "trace the origin of phishing emails", "verify sender authenticity", "identify spoofing through SPF, DKIM, and DMARC validation" — matching the multi-action anchor.

3 / 3

Completeness

It clearly answers "what" but contains no explicit "Use when..." trigger clause, so per the guideline a missing explicit trigger caps completeness at 2.

2 / 3

Trigger Term Quality

Uses natural terms a forensics user would say — "email headers", "phishing emails", "spoofing", and the SPF/DKIM/DMARC acronyms — giving good coverage of likely trigger phrases.

3 / 3

Distinctiveness Conflict Risk

The email-header phishing-investigation niche is distinct and unlikely to trigger for unrelated skills, matching the clear-niche anchor.

3 / 3

Total

11

/

12

Passed

Validation

87%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation14 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

relative_links

Relative link issues: 1 missing

Warning

Total

14

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.