analyzing-email-headers-for-phishing-investigation
Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify spoofing through SPF, DKIM, and DMARC validation.
55
62%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Risky
Do not use without reviewing
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-email-headers-for-phishing-investigation/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong description with excellent specificity and distinctive trigger terms covering email security analysis. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. Adding that clause would make this description exemplary.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about suspicious emails, email header analysis, phishing investigation, or email authentication checks.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'parse and analyze email headers', 'trace the origin of phishing emails', 'verify sender authenticity', 'identify spoofing through SPF, DKIM, and DMARC validation'. | 3 / 3 |
Completeness | Clearly answers 'what does this do' with specific actions, but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this dimension at 2 per the rubric. | 2 / 3 |
Trigger Term Quality | Includes strong natural keywords users would say: 'email headers', 'phishing', 'sender authenticity', 'spoofing', 'SPF', 'DKIM', 'DMARC'. These cover both technical and common terms a user investigating suspicious emails would use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche focusing on email header analysis, phishing investigation, and email authentication protocols (SPF/DKIM/DMARC). Unlikely to conflict with other skills due to the very specific domain. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
42%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill excels in actionability with complete, executable code examples across all steps, making it genuinely useful for email header analysis. However, it is significantly over-engineered for a SKILL.md file — concept tables, tool descriptions, and scenario narratives inflate the token count without adding proportional value. The monolithic structure with no progressive disclosure and the absence of validation checkpoints in the workflow are notable weaknesses.
Suggestions
Remove the 'Key Concepts' and 'Tools & Systems' tables entirely — Claude already knows what SPF, DKIM, DMARC, and common security tools are.
Move the 'Common Scenarios' section and 'Output Format' template to separate referenced files (e.g., SCENARIOS.md, OUTPUT_TEMPLATE.md) to reduce the main file size.
Add explicit validation checkpoints between steps, such as verifying header parsing succeeded before DNS lookups, and checking DNS query results before drawing conclusions.
Remove the 'Prerequisites' section — it describes knowledge requirements rather than providing actionable setup instructions.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is extremely verbose at ~250+ lines. It includes unnecessary concept explanations (SPF, DKIM, DMARC definitions that Claude already knows), a full 'Key Concepts' table explaining basic email terminology, a 'Tools & Systems' table listing well-known tools with obvious descriptions, and four detailed scenario narratives that add bulk without actionable value. The 'Prerequisites' section lists things like 'Understanding of SMTP protocol' which is instruction to Claude about what it should know, not actionable guidance. | 1 / 3 |
Actionability | The skill provides fully executable Python scripts and bash commands throughout all five steps. Code is copy-paste ready with real library imports (pypff, pyspf, email, Levenshtein), concrete dig commands, API calls with proper headers, and specific file paths. The examples are complete and functional rather than pseudocode. | 3 / 3 |
Workflow Clarity | The five steps are clearly sequenced and logically ordered from extraction through analysis. However, there are no explicit validation checkpoints or feedback loops — for instance, no verification that header parsing succeeded before proceeding to SPF/DKIM checks, no error handling for failed DNS lookups, and no decision points for when authentication results are ambiguous. For a forensic investigation workflow, missing validation steps are notable. | 2 / 3 |
Progressive Disclosure | The content is a monolithic wall of text with no references to external files and no bundle structure. The Key Concepts table, Tools & Systems table, four Common Scenarios, and the Output Format template could all be split into separate reference files. Everything is inlined, making the skill unnecessarily long for the main SKILL.md file. | 1 / 3 |
Total | 7 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
0445030
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.