
analyzing-email-headers-for-phishing-investigation

Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.

69

Quality: 62% (does it follow best practices?)

Impact: Pending (no eval scenarios have been run)

Security by Snyk: Advisory (suggest reviewing before use)


Quality

Discovery

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong description with excellent specificity and distinctive trigger terms covering email security analysis. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The technical terms are well-chosen and naturally align with what users investigating phishing or email spoofing would say.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about suspicious emails, phishing investigation, email header analysis, or email authentication failures.'

Dimension / Reasoning / Score

Specificity

Lists multiple specific concrete actions: 'parse and analyze email headers', 'trace the origin of phishing emails', 'verify sender authenticity', 'identify spoofing through SPF, DKIM, and DMARC validation'.

3 / 3

Completeness

Clearly answers 'what does this do' with specific actions, but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this dimension at 2 per the rubric.

2 / 3

Trigger Term Quality

Includes strong natural keywords users would say: 'email headers', 'phishing', 'sender authenticity', 'spoofing', 'SPF', 'DKIM', 'DMARC'. These cover both technical and common terms a user investigating suspicious emails would use.

3 / 3

Distinctiveness Conflict Risk

Highly distinctive niche focused on email header analysis, phishing investigation, and email authentication protocols (SPF/DKIM/DMARC). Unlikely to conflict with other skills due to its very specific domain.

3 / 3

Total: 11 / 12 (Passed)

Implementation

42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill excels at actionability with comprehensive, executable code examples covering the full email header analysis workflow. However, it is significantly over-engineered for a SKILL.md file - the verbose concept explanations, tool tables, and scenario descriptions bloat the content well beyond what Claude needs. The lack of progressive disclosure means this entire document loads into context every time, wasting tokens on reference material that should be in separate files.

Suggestions

Move the Key Concepts table, Tools & Systems table, and Common Scenarios section into separate reference files (e.g., CONCEPTS.md, SCENARIOS.md) and link to them from the main skill

Remove explanatory descriptions that Claude already knows (e.g., what SPF/DKIM/DMARC are, what WHOIS does) and keep only the actionable commands and code

Add explicit validation checkpoints between steps, such as 'Verify headers were extracted successfully before proceeding to parsing' and 'Confirm SPF/DKIM results before drawing conclusions about spoofing'

Consolidate the Python scripts into a more compact format - several could be combined, and inline comments could replace the surrounding prose explanations

Dimension / Reasoning / Score

Conciseness

The skill is extremely verbose at ~250+ lines. It explains concepts Claude already knows (what SPF, DKIM, DMARC are in a table), includes lengthy prerequisite lists, describes common scenarios narratively, and has substantial boilerplate. The Key Concepts table and Tools & Systems table add little value for Claude.

1 / 3

Actionability

The skill provides fully executable Python scripts and bash commands throughout - from PST extraction to header parsing, SPF validation, DKIM checking, URL extraction, and attachment hashing. Code is copy-paste ready with real library imports and concrete examples.

3 / 3

Workflow Clarity

The 5-step workflow is clearly sequenced and logical (extract → parse → validate → analyze infrastructure → examine body). However, there are no explicit validation checkpoints or feedback loops - no 'verify this before proceeding' gates or error recovery steps between the analysis stages.

2 / 3

Progressive Disclosure

This is a monolithic wall of content with no references to external files. The Key Concepts table, Tools & Systems table, Common Scenarios section, and detailed code examples could all be split into separate reference files. Everything is inline in one massive document.

1 / 3

Total: 7 / 12 (Passed)
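The review above describes the skill's workflow (extract, parse headers, validate SPF/DKIM/DMARC, analyze the sending infrastructure, examine the body) and asks for validation checkpoints between the steps. The script below is an added, stand-alone Python example written for this page; it is not code from the skill or from the mukul975/Anthropic-Cybersecurity-Skills repository. It uses only the standard library and a constructed sample message (every hostname, address and IP is a placeholder). The list of "internal" networks, the subdomain-based approximation of DMARC relaxed alignment, and the two-indicator threshold for the verdict are assumptions for illustration, not the skill's logic.

```python
"""Offline phishing triage of a raw RFC 5322 message (added example, stdlib only)."""
import email
import hashlib
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (placeholder hosts/addresses), not a real capture: look-alike From:,
# failing SPF and DMARC, a private-IP first hop, one link in the body, one .exe attachment.
SAMPLE_EML = b"""\
Received: from mx.example.net (mx.example.net [203.0.113.10]) by inbound.example.com with ESMTPS id abc123; Mon, 3 Jun 2024 10:00:01 +0000
Received: from [10.0.0.5] (unknown [198.51.100.77]) by mx.example.net with ESMTP id def456; Mon, 3 Jun 2024 09:59:58 +0000
Authentication-Results: inbound.example.com; spf=fail smtp.mailfrom=bulk.attacker.example; dkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
Return-Path: <bounce@bulk.attacker.example>
To: victim@example.com
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset=us-ascii

Please confirm at http://bank-example-login.attacker.example/verify now.
--B1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="invoice.exe"

TVqQAAMAAAAEAAAA
--B1--
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumed internal ranges: a hop from one of these cannot be the external origin.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def load(raw: bytes):
    """Checkpoint 1: refuse to analyse anything lacking the headers the rest relies on."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not msg.get_all("Received") or not msg["From"]:
        raise ValueError("missing Received/From headers: extraction probably failed")
    return msg


def received_chain(msg):
    """Hops oldest-first; the top-most Received: was added last, by the final receiver."""
    hops = []
    for line in reversed(msg.get_all("Received", [])):
        sender_part = str(line).split(" by ", 1)[0]  # keep only the 'from ...' side
        hops.append({"from": sender_part.strip(), "ips": IPV4_RE.findall(sender_part)})
    return hops


def origin_ip(msg):
    """First non-internal address in the oldest hops: best guess at the sending host."""
    for hop in received_chain(msg):
        for ip in hop["ips"]:
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue
            if not any(addr in net for net in INTERNAL):
                return ip
    return None


def auth_results(msg):
    """spf/dkim/dmarc verdicts recorded in Authentication-Results (empty dict if absent)."""
    return dict(AUTH_RE.findall(str(msg.get("Authentication-Results", "")).lower()))


def alignment(msg):
    """Header From domain vs envelope (Return-Path) domain, relaxed-style."""
    hdr = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    env = parseaddr(str(msg.get("Return-Path", "")))[1].rsplit("@", 1)[-1].lower()
    # Approximation of DMARC relaxed alignment: equal, or one a subdomain of the other.
    aligned = bool(hdr and env) and (hdr == env or hdr.endswith("." + env) or env.endswith("." + hdr))
    return {"header_from": hdr, "envelope_from": env, "aligned": aligned}


def urls(msg):
    """URLs from every text/plain part of the body."""
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            found.extend(URL_RE.findall(part.get_content()))
    return found


def attachments(msg):
    """(filename, sha256, first two bytes) per attachment; the magic bytes flag PE files ('MZ')."""
    out = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        out.append((part.get_filename(), hashlib.sha256(data).hexdigest(), data[:2]))
    return out


def triage(raw: bytes):
    msg = load(raw)
    auth = auth_results(msg)
    # Checkpoint 2: with no recorded verdicts we cannot say anything about spoofing.
    if not auth:
        raise ValueError("no Authentication-Results header: run SPF/DKIM checks before judging")
    align = alignment(msg)
    indicators = []
    if auth.get("spf") != "pass":
        indicators.append("spf=" + auth.get("spf", "missing"))
    if auth.get("dkim") != "pass":
        indicators.append("dkim=" + auth.get("dkim", "missing"))
    if auth.get("dmarc") == "fail":
        indicators.append("dmarc=fail")
    if not align["aligned"]:
        indicators.append("from/return-path misaligned")
    return {"origin_ip": origin_ip(msg), "auth": auth, "alignment": align, "urls": urls(msg),
            "attachments": attachments(msg), "indicators": indicators,
            # Assumed threshold: two independent indicators before calling it spoofed.
            "verdict": "likely spoofed" if len(indicators) >= 2 else "inconclusive"}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EML), indent=2, default=str))
```

Two caveats that belong next to any such script: only the Received: line written by your own mail server is trustworthy, since every earlier hop is text the sender controlled, so the "origin" is the first address your MX saw, not necessarily the attacker's machine; and an Authentication-Results header is only evidence if its authserv-id is your own receiver's and your border MTA strips incoming copies, otherwise the sender can inject a spf=pass of their own.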

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total: 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (reviewed)
