analyzing-linux-kernel-rootkits
Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and tampered system structures.
60
51%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-linux-kernel-rootkits/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific skill description that excels at naming concrete tools, techniques, and outputs for Linux rootkit detection. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The technical depth and tool specificity make it very distinctive and unlikely to conflict with other skills.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about rootkit detection, Linux memory forensics, suspicious kernel modules, or analyzing memory dumps for malware.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: detecting kernel-level rootkits, using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning, /proc vs /sys discrepancy analysis, identifying hooked syscalls, hidden kernel modules, and tampered system structures. | 3 / 3 |
Completeness | Clearly answers 'what does this do' with detailed capabilities, but lacks an explicit 'Use when...' clause or equivalent trigger guidance. The when is only implied through the specificity of the described actions. | 2 / 3 |
Trigger Term Quality | Excellent coverage of natural terms a user would use: 'rootkit', 'kernel', 'Linux', 'memory dump', 'Volatility3', 'rkhunter', 'syscall', 'hidden modules', 'hooked syscalls'. These are precisely the terms a security analyst would use when requesting this type of analysis. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche combining kernel-level rootkit detection, specific tools (Volatility3, rkhunter), and Linux memory forensics. Very unlikely to conflict with other skills due to the specialized domain and specific tool references. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
20%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a conceptual overview or blog post about rootkit detection than an actionable skill for Claude. It lacks executable commands (no actual Volatility3 CLI invocations, no rkhunter commands, no shell scripts for cross-view analysis), explains concepts Claude already knows, and includes a fabricated tool output for a script that doesn't exist. The workflow steps are too abstract to be directly useful.
Suggestions
Replace the abstract steps with concrete, executable commands: e.g., `vol -f /evidence/linux-mem.lime linux.check_syscall.Check_syscall`, `vol -f /evidence/linux-mem.lime linux.hidden_modules.Hidden_modules`, `sudo rkhunter --check --skip-keypress`
Add actual cross-view analysis commands: e.g., `diff <(cat /proc/modules | awk '{print $1}' | sort) <(ls /sys/module/ | sort)` instead of just describing the concept
Remove the overview paragraph explaining what kernel rootkits are and the generic 'When to Use' section — Claude knows these concepts. Use that space for actual tool invocations and interpretation guidance.
Trim the example output significantly to show only the key detection patterns (hooked syscall table entry, hidden module entry, /proc discrepancy) rather than a full fabricated report from a non-existent tool.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The overview explains what kernel rootkits are and how they work at ring 0 — concepts Claude already knows. The 'When to Use' section is generic boilerplate that adds no value. The massive example output (60+ lines) is verbose and could be drastically reduced to show the key patterns without full ASCII table formatting. | 1 / 3 |
Actionability | Despite being a technical skill, there are zero executable commands or code snippets. Steps like 'Run linux.check_syscall' and 'Compare module lists' are vague descriptions rather than concrete, copy-paste-ready Volatility3 commands or shell scripts. The example output references a non-existent 'rootkit_analyzer.py' script with no implementation provided. | 1 / 3 |
Workflow Clarity | Steps are listed in a logical sequence (acquire → analyze → cross-view → live scan), but they lack specific commands, validation checkpoints, and error recovery guidance. There's no feedback loop for when analysis is inconclusive or when symbol tables don't match, which are common failure modes in memory forensics. | 2 / 3 |
Progressive Disclosure | The content has some structural organization with headers and steps, but it's somewhat monolithic — the enormous example output is inline rather than referenced separately. There are no references to supplementary files for detailed plugin usage, symbol table setup, or interpretation guides. | 2 / 3 |
Total | 6 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
c15f73d
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.