
analyzing-linux-kernel-rootkits

Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules), rkhunter system scanning, and /proc vs /sys discrepancy analysis to identify hooked syscalls, hidden kernel modules, and tampered system structures.

44

Quality: 45% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security (by Snyk): Advisory. Suggest reviewing before use


Quality

Discovery

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong, highly specific description that clearly names concrete tools (Volatility3 plugins, rkhunter), techniques (/proc vs /sys discrepancy analysis), and targets (hooked syscalls, hidden kernel modules). Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill. The domain is niche enough that conflict risk is minimal.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about rootkit detection, Linux memory forensics, suspicious kernel modules, or analyzing memory dumps for signs of compromise.'

Specificity (3 / 3): Lists multiple specific concrete actions: detecting kernel-level rootkits, checking hooked syscalls, hidden kernel modules, tampered system structures, using named tools (Volatility3 linux plugins with specific plugin names, rkhunter, /proc vs /sys discrepancy analysis).

Completeness (2 / 3): The 'what' is thoroughly covered with specific tools and techniques, but there is no explicit 'Use when...' clause or equivalent trigger guidance. The 'when' is only implied by the nature of the described actions. Per rubric guidelines, a missing 'Use when' clause caps completeness at 2.

Trigger Term Quality (3 / 3): Excellent coverage of natural terms a user would use: 'rootkit', 'kernel', 'memory dump', 'Volatility3', 'lsmod', 'hidden modules', 'hooked syscalls', 'rkhunter', '/proc', '/sys'. These are precisely the terms a forensics analyst would use when requesting this type of analysis.

Distinctiveness / Conflict Risk (3 / 3): Highly distinctive niche: kernel-level rootkit detection in Linux memory dumps using specific forensic tools. This is unlikely to conflict with other skills due to its very specialized domain and named tooling.

Total: 11 / 12

Passed

Implementation

7%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill is essentially a high-level overview document rather than actionable guidance. It explains concepts Claude already knows, provides no executable commands or code, and the workflow steps are vague descriptions rather than concrete instructions. The lengthy example output of a non-existent script creates the illusion of specificity without actually enabling Claude to perform the analysis.

Suggestions

Replace the vague steps with actual executable Volatility3 commands (e.g., `python3 vol.py -f memory.lime linux.check_syscall.Check_syscall`, `python3 vol.py -f memory.lime linux.lsmod.Lsmod`, `python3 vol.py -f memory.lime linux.hidden_modules.Hidden_modules`) and rkhunter commands (`sudo rkhunter --check --skip-keypress`).

Remove the overview paragraph explaining what kernel rootkits are and the generic 'When to Use' section — Claude already knows these concepts.

Add validation checkpoints: how to verify the ISF symbol table matches the kernel in the dump (for example, compare the banner reported by `banners.Banners` against the ISF that Volatility3 selects), how to confirm Volatility3 is reading the memory dump correctly, and what to do when plugins fail or produce no output.

Either provide the referenced 'rootkit_analyzer.py' script as a bundle file, or replace the example output with actual Volatility3 plugin output examples showing how to interpret real command results.
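The suggestions above ask for something copy-paste ready rather than prose, so here is an added example of the "/proc vs /sys discrepancy analysis" named in the skill description. This is example code written for this review; it is not part of the skill, the repository, or Tessl's tooling. It reads two kernel views of the loaded-module set (`/proc/modules`, which `lsmod` reads, and the per-module directories under `/sys/module`) and flags modules that are live in sysfs but absent from the module list. The module name `evil_lkm` and the sample listings are constructed for illustration; on a Linux host the script reads the real files instead.

```python
"""Hidden-module detection by /proc vs /sys discrepancy (added example)."""
import os

PROC_MODULES = "/proc/modules"   # what lsmod reads: one line per loaded module
SYS_MODULE = "/sys/module"       # one directory per module known to sysfs


def parse_proc_modules(text):
    """Return the set of module names listed in /proc/modules (first column)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def parse_sys_module_listing(entries):
    """Map sysfs module names to whether they are loadable modules.

    entries: iterable of (name, has_initstate). Only loadable modules get a
    /sys/module/<name>/initstate file; built-in kernel components that expose
    parameters also appear under /sys/module but have no initstate, so they
    must not be reported as "hidden".
    """
    return {name: bool(has_initstate) for name, has_initstate in entries}


def find_discrepancies(proc_names, sys_modules):
    """Compare the two kernel views of loaded modules.

    Returns (hidden, sysfs_missing):
      hidden        - loadable modules in sysfs but absent from /proc/modules;
                      the footprint of an LKM rootkit that unlinked itself
                      from the module list but left its sysfs kobject behind.
      sysfs_missing - names in /proc/modules with no sysfs directory at all;
                      unusual, and worth a manual look.
    """
    loadable_in_sysfs = {n for n, live in sys_modules.items() if live}
    hidden = sorted(loadable_in_sysfs - proc_names)
    sysfs_missing = sorted(proc_names - set(sys_modules))
    return hidden, sysfs_missing


def collect_live():
    """Read both views from the running system (Linux only)."""
    with open(PROC_MODULES) as fh:
        proc_names = parse_proc_modules(fh.read())
    entries = [
        (name, os.path.exists(os.path.join(SYS_MODULE, name, "initstate")))
        for name in os.listdir(SYS_MODULE)
    ]
    return proc_names, parse_sys_module_listing(entries)


# Constructed sample data, not captured from any real system: two ordinary
# modules, one built-in component with parameters, and one hypothetical
# hidden LKM ("evil_lkm") that was unlinked from the module list.
SAMPLE_PROC_MODULES = (
    "ext4 733184 1 - Live 0xffffffffc0500000\n"
    "xfs 1646592 0 - Live 0xffffffffc0380000\n"
)
SAMPLE_SYS_MODULE = [
    ("ext4", True),
    ("xfs", True),
    ("printk", False),      # built-in: exposes parameters, no initstate
    ("evil_lkm", True),     # hypothetical: live module missing from /proc
]


def run_sample():
    """Run the comparison over the constructed sample data."""
    proc_names = parse_proc_modules(SAMPLE_PROC_MODULES)
    sys_modules = parse_sys_module_listing(SAMPLE_SYS_MODULE)
    return find_discrepancies(proc_names, sys_modules)


if __name__ == "__main__":
    try:
        proc_names, sys_modules = collect_live()
    except OSError:
        print("no /proc or /sys available; using constructed sample data")
        proc_names = parse_proc_modules(SAMPLE_PROC_MODULES)
        sys_modules = parse_sys_module_listing(SAMPLE_SYS_MODULE)
    hidden, missing = find_discrepancies(proc_names, sys_modules)
    for name in hidden:
        print(f"HIDDEN: {name} is live in /sys/module but absent from /proc/modules")
    for name in missing:
        print(f"CHECK: {name} is in /proc/modules but has no /sys/module entry")
    if not hidden and not missing:
        print("no /proc vs /sys discrepancies")
```

Two caveats a practitioner would want next to this check: it runs on the live system and trusts the kernel's own filesystems, so a rootkit that hooks the relevant VFS paths can lie to it, and a more careful LKM rootkit also deletes its sysfs kobject, which leaves no discrepancy to find. Treat a hit as strong evidence and a miss as weak evidence; the memory-dump side (linux.hidden_modules scanning for struct module layouts, cross-checked against linux.lsmod) is the stronger test because it does not depend on the running kernel answering honestly.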

Conciseness (1 / 3): The overview explains what kernel rootkits are and how they operate at ring 0, concepts Claude already knows. The 'When to Use' section is generic boilerplate that adds no actionable value. The example output, while illustrative, is extremely verbose at ~60 lines and dominates the skill without providing executable guidance.

Actionability (1 / 3): The steps are entirely vague descriptions ('Run linux.check_syscall...', 'Compare module lists...') with no executable commands, no actual Volatility3 command-line syntax, no rkhunter commands, and no concrete code. The example output shows a hypothetical 'rootkit_analyzer.py' script that doesn't exist and isn't provided. There is nothing copy-paste ready.

Workflow Clarity (1 / 3): The four steps are high-level descriptions without specific commands, validation checkpoints, or error recovery. For a multi-step forensic workflow operating on sensitive evidence such as a memory dump, there are no verification steps, no guidance on what to do if symbol tables don't match, and no feedback loops for when plugins produce unexpected results.

Progressive Disclosure (2 / 3): The content has some structural organization with headers and sections, but it's a monolithic file with no references to supporting documents. The massive example output block could be in a separate file. However, with no bundle files provided, the lack of external references is somewhat expected, and the sections are at least logically ordered.

Total: 5 / 12

Passed

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata (Warning)

Total: 10 / 11

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed
