analyzing-linux-system-artifacts
Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover evidence of compromise or unauthorized activity.
69
62%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Risky
Do not use without reviewing
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-linux-system-artifacts/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted description with strong specificity and excellent trigger terms relevant to Linux forensics and incident response. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill. Adding trigger guidance would elevate this from good to excellent.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about Linux forensics, incident response, investigating a compromised server, or analyzing system logs for suspicious activity.'
Consider adding file path examples or extensions users might mention, such as '/var/log/auth.log', '/etc/crontab', '.bash_history' to improve trigger matching.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions and artifacts: 'auth logs, cron jobs, shell history, and system configuration' with clear purposes 'uncover evidence of compromise or unauthorized activity'. | 3 / 3 |
Completeness | Clearly answers 'what' (examine Linux system artifacts to uncover compromise), but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric. | 2 / 3 |
Trigger Term Quality | Includes strong natural keywords users would say: 'Linux', 'auth logs', 'cron jobs', 'shell history', 'system configuration', 'compromise', 'unauthorized activity'. These are terms a security analyst or incident responder would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche combining Linux system forensics with specific artifact types (auth logs, cron jobs, shell history). Unlikely to conflict with other skills due to the specific focus on Linux incident response and forensic analysis. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
42%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable, executable forensic commands and scripts, which is its primary strength. However, it is extremely verbose (~250+ lines) with significant token waste on concept explanations Claude already knows, narrative scenario descriptions, and reference tables that add little value. The lack of validation checkpoints (e.g., verifying forensic image integrity, confirming read-only mount) is a notable gap for a forensic workflow where evidence integrity is critical.
Suggestions
Remove the Key Concepts and Tools tables entirely — Claude already knows what auth.log, SUID bits, and crontab are. This saves ~40 lines of tokens.
Add forensic validation checkpoints: hash verification after mounting the image, confirmation of read-only mount status, and integrity checks after artifact collection.
Move the Common Scenarios section and detailed Python analysis scripts to separate referenced files (e.g., SCENARIOS.md, ANALYSIS_SCRIPTS.md) to reduce the main skill to an overview with navigation.
Remove the Prerequisites section's explanatory items (e.g., 'Understanding of Linux file system hierarchy') — these describe Claude's existing knowledge, not actionable prerequisites.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | Extremely verbose with extensive repetitive file paths, long bash scripts, and tables explaining concepts Claude already knows (what auth.log is, what SUID bit means, what crontab does). The Key Concepts and Tools tables are largely unnecessary padding. The Common Scenarios section describes things narratively rather than providing actionable guidance. | 1 / 3 |
Actionability | Provides fully executable bash commands and Python scripts that are copy-paste ready. The commands are specific with real paths, flags, and complete logic for parsing passwd/shadow files, analyzing shell history, and checking persistence mechanisms. | 3 / 3 |
Workflow Clarity | Steps are clearly sequenced (mount → collect → analyze accounts → check persistence → analyze history → check rootkits), but there are no validation checkpoints between steps. For forensic operations involving evidence integrity, there should be hash verification after mounting and before/after collection, yet none are present. | 2 / 3 |
Progressive Disclosure | Monolithic wall of content with no references to external files. Everything is inline including lengthy code blocks, reference tables, four detailed scenarios, and an output format template. This could easily be split into separate files for collection scripts, analysis scripts, and scenario playbooks. | 1 / 3 |
Total | 7 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
c15f73d
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.