CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-heap-spray-exploitation

Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns, shellcode landing zones, and suspicious large allocations in process virtual address space.

52

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is reasonably structured and concise but stops at describing actions rather than giving executable commands, omits validation checkpoints, and fails to link its own reference bundle, leaving every dimension at 2.

Suggestions

Add executable Volatility3 commands directly in each step (e.g., `vol -f dump.raw windows.malfind` and `vol -f dump.raw windows.vadinfo`) instead of only naming the plugins.

Link to references/api-reference.md from the body so the command tables, NOP-sled patterns, and shellcode signatures are discoverable (e.g., 'See [api-reference.md](references/api-reference.md) for full plugin commands and detection thresholds').

Insert a validation checkpoint before dumping memory (e.g., confirm RWX regions and >=1MB allocations before running memmap --dump) to satisfy the destructive/batch feedback-loop requirement.

Trim the Overview's explanation of what heap spraying is, keeping only the detection-relevant specifics.

DimensionReasoningScore

Conciseness

The Overview paragraph explains what heap spraying is ('fills large regions of a process's heap... to increase the reliability of code execution exploits'), a concept Claude already knows; the body is otherwise short but could be tightened, so it does not reach the lean level 3.

2 / 3

Actionability

Steps name concrete plugins (windows.malfind, windows.vadinfo) but give no executable 'vol -f ...' commands or code in the body; the real commands exist only in the unlinked references/api-reference.md, leaving guidance incomplete rather than copy-paste ready.

2 / 3

Workflow Clarity

Four steps are clearly sequenced but no validation/checkpoint steps appear; since this involves batch memory-dump extraction, the guideline caps workflow clarity at 2, above the level 1 'steps unclear' anchor.

2 / 3

Progressive Disclosure

Sections are organized (Overview, When to Use, Prerequisites, Steps, Expected Output) and a references/api-reference.md bundle exists, but the body never signals or links to it, so the one-level-deep references are not 'well-signaled' as level 3 requires.

2 / 3

Total

8

/

12

Passed

Description

67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific and occupies a distinct niche, but it lacks an explicit 'Use when...' trigger clause and leans on technical jargon over natural user phrasing, capping completeness and trigger-term quality at 2.

Suggestions

Append an explicit 'Use when...' clause with natural triggers, e.g. 'Use when analyzing memory dumps for heap spraying, NOP sleds, shellcode injection, or suspicious large allocations.'

Soften jargon in the trigger phrasing ('process virtual address space') and add common natural variations users might say ('memory forensics', 'exploit analysis', 'heap spray').

DimensionReasoningScore

Specificity

Lists multiple concrete actions ('Detect and analyze heap spray attacks', 'identify NOP sled patterns, shellcode landing zones, and suspicious large allocations') in third-person voice, matching the top anchor rather than the single-action level below.

3 / 3

Completeness

It clearly states what the skill does but provides no 'Use when...' trigger guidance, which per the judging guidelines caps completeness at 2 rather than 3.

2 / 3

Trigger Term Quality

Includes some natural terms a user would say ('heap spray attacks', 'memory dumps', 'NOP sled', 'shellcode') but mixes in technical jargon ('Volatility3 plugins', 'virtual address space') and omits common variations, so it does not reach the full-coverage level 3.

2 / 3

Distinctiveness Conflict Risk

The narrow heap-spray-forensics-via-Volatility3 niche is clearly distinguishable from other skills and unlikely to trigger for the wrong skill; not the level below because it is not merely 'somewhat specific'.

3 / 3

Total

10

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.