CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-linux-kernel-rootkits

Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and tampered system structures.

57

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is well-sectioned and names the right tools, but it explains concepts Claude already knows, lacks executable commands and validation checkpoints in the body, and fails to link to its own bundle files. Tightening the example and surfacing the references/script would lift every dimension.

Suggestions

Replace or trim the long fabricated Example Output and move the executable vol/rkhunter commands from references/api-reference.md into the Steps (or add explicit "See references/api-reference.md" links).

Reference scripts/agent.py directly (e.g. "Run scripts/agent.py --memory <dump>") since the example output already invokes rootkit_analyzer.py.

Add validation checkpoints to the workflow, such as verifying the Volatility3 ISF matches the target kernel version before analysis and re-running a plugin on JSON parse failure.

DimensionReasoningScore

Conciseness

The Overview explains concepts Claude already knows ("rootkits operate at ring 0, modifying kernel data structures...") and the ~60-line fabricated Example Output is heavy padding; mostly efficient but could be tightened, so it does not reach the lean score 3.

2 / 3

Actionability

Steps name concrete plugins (linux.check_syscall, lsmod, hidden_modules, check_idt) but provide no executable commands in the body—the real commands live only in references/api-reference.md—so guidance is concrete but incomplete rather than copy-paste ready.

2 / 3

Workflow Clarity

Four steps are clearly sequenced but there are no validation/verification checkpoints (e.g. confirming the ISF matches the target kernel, re-running on parse failure), so per the rubric cap workflow clarity stays at 2.

2 / 3

Progressive Disclosure

Bundle files exist (references/api-reference.md, scripts/agent.py) but the body never signals or links to them—the Example Output even invokes rootkit_analyzer.py without pointing to scripts/agent.py—so references are present but not clearly navigated.

2 / 3

Total

8

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A specific, distinctive description with strong trigger terms for the forensics audience, but it omits an explicit "Use when..." activation clause. Adding trigger guidance would raise completeness from 2 to 3.

Suggestions

Append an explicit activation clause, e.g. "Use when investigating Linux kernel rootkits, analyzing memory dumps with Volatility3, or hunting hidden kernel modules and hooked syscalls."

Add common user phrasings like "memory forensics" or "malware analysis" alongside the tool names to broaden trigger coverage.

DimensionReasoningScore

Specificity

Lists multiple concrete actions—"Detect kernel-level rootkits", "rkhunter system scanning", "/proc vs /sys discrepancy analysis", "identify hooked syscalls, hidden kernel modules, and tampered system structures"—matching the multi-action anchor rather than the single-domain score 2.

3 / 3

Completeness

Clearly states what the skill does but has no "Use when..." clause or equivalent trigger guidance, so per the rubric guideline completeness is capped at 2 rather than reaching the explicit-when score 3.

2 / 3

Trigger Term Quality

Covers natural forensics terms a user would actually say—"rootkits", "Linux memory dumps", "Volatility3", "rkhunter", "kernel modules"—rather than abstract jargon; not reduced to 2 because the domain-specific terms are well covered for this audience.

3 / 3

Distinctiveness Conflict Risk

The niche is highly specific (Linux kernel rootkits via Volatility3/rkhunter) with distinct triggers unlikely to collide with other skills, matching the clear-niche anchor.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.