
analyzing-linux-elf-malware

Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets, cryptominers, ransomware, and rootkits targeting Linux servers, containers, and cloud infrastructure. Covers static analysis, dynamic tracing, and reverse engineering of x86_64 and ARM ELF samples. Activates for requests involving Linux malware analysis, ELF binary investigation, Linux server compromise assessment, or container malware analysis.

Score: 85

Quality: 82% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Risky (Do not use without reviewing)


Quality

Discovery: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly defines its scope (Linux ELF malware analysis), lists specific capabilities (static analysis, dynamic tracing, reverse engineering), enumerates target malware types and platforms, and includes an explicit activation clause with natural trigger terms. It is well-structured, concise, uses third-person voice throughout, and occupies a clearly distinct niche.

Dimension | Reasoning | Score
Specificity | Lists multiple specific concrete actions and targets: 'static analysis, dynamic tracing, and reverse engineering of x86_64 and ARM ELF samples' along with specific malware types (botnets, cryptominers, ransomware, rootkits) and environments (servers, containers, cloud infrastructure). | 3 / 3
Completeness | Clearly answers both 'what' (analyzes malicious ELF binaries via static analysis, dynamic tracing, reverse engineering) and 'when' with an explicit trigger clause: 'Activates for requests involving Linux malware analysis, ELF binary investigation, Linux server compromise assessment, or container malware analysis.' | 3 / 3
Trigger Term Quality | Excellent coverage of natural terms users would say: 'Linux malware', 'ELF binary', 'malicious', 'botnets', 'cryptominers', 'ransomware', 'rootkits', 'reverse engineering', 'container malware', 'Linux server compromise'. These are terms analysts would naturally use when seeking help. | 3 / 3
Distinctiveness / Conflict Risk | Highly distinctive niche focused specifically on Linux ELF malware analysis. The combination of Linux-specific, ELF-specific, and malware-specific terms makes it very unlikely to conflict with general code analysis, Windows malware, or other security skills. | 3 / 3
Total | | 12 / 12 (Passed)

Implementation: 64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a thorough and highly actionable Linux ELF malware analysis skill with excellent executable examples covering static analysis, dynamic tracing, and reverse engineering. Its main weaknesses are the lack of validation checkpoints for safety-critical operations (running malware, even in sandboxes), some redundant definitional content that Claude doesn't need, and a monolithic structure that could benefit from progressive disclosure via external reference files.

Suggestions:

- Add explicit safety validation checkpoints before dynamic analysis steps (e.g., 'Verify VM snapshot exists and network is isolated before executing suspect binary', 'Confirm architecture match before running strace').
- Remove or significantly trim the Key Concepts table and Tools & Systems section: Claude already knows what ELF, strace, GDB, and Mirai are; keep only project-specific conventions.
- Split detailed content (Ghidra analysis guide, common scenarios, output format template) into separate referenced files to improve progressive disclosure and reduce the main skill's token footprint.

Dimension | Reasoning | Score
Conciseness | The skill is fairly comprehensive but includes some unnecessary content like the Key Concepts table defining terms Claude already knows (e.g., what ELF stands for, what strace is, what Mirai is). The Tools & Systems section also restates information already evident from usage in the workflow. However, the workflow steps themselves are reasonably efficient. | 2 / 3
Actionability | The skill provides fully executable bash commands and Python code throughout. Every step includes copy-paste ready commands (readelf, strace, GDB breakpoints, grep patterns for IOCs). The Python ELF analysis script with pyelftools is complete and runnable. | 3 / 3
Workflow Clarity | The six steps are clearly sequenced and logically ordered from triage through deep analysis. However, there are no explicit validation checkpoints or feedback loops for error recovery, which is critical given that this involves executing potentially dangerous binaries. There is no 'verify your sandbox is isolated before proceeding' checkpoint or validation that unpacking succeeded before analysis continues. | 2 / 3
Progressive Disclosure | The content is a monolithic document with no references to external files for detailed topics. The Ghidra section, common scenarios, and output format could be split into separate reference files. The document is quite long (~200+ lines of substantive content) and would benefit from a quick-start overview with links to detailed guides. | 2 / 3
Total | | 9 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria | Description | Result
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning
Total | | 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
