analyzing-linux-system-artifacts
Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover evidence of compromise or unauthorized activity.
55
62%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Risky
Do not use without reviewing
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-linux-system-artifacts/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted description with strong specificity and excellent trigger terms relevant to Linux forensics and incident response. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill. Adding trigger guidance would elevate this from good to excellent.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about Linux forensics, incident response, investigating a compromised server, or analyzing system logs for suspicious activity.'
Consider adding file path examples or common variations like '/var/log/auth.log', 'syslog', '.bash_history', or 'crontab' to improve trigger term coverage.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions and artifacts: 'auth logs, cron jobs, shell history, and system configuration' with clear purposes 'uncover evidence of compromise or unauthorized activity'. | 3 / 3 |
Completeness | Clearly answers 'what' (examine Linux system artifacts to uncover compromise evidence) but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric. | 2 / 3 |
Trigger Term Quality | Includes strong natural keywords users would say: 'Linux', 'auth logs', 'cron jobs', 'shell history', 'system configuration', 'compromise', 'unauthorized activity'. These are terms a security analyst or incident responder would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche combining Linux system forensics with specific artifact types (auth logs, cron jobs, shell history). Unlikely to conflict with other skills due to the specific focus on Linux incident response and forensic analysis. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
42%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable, executable forensic commands and scripts for Linux artifact analysis, which is its primary strength. However, it is excessively verbose — the reference tables, scenario descriptions, and concept explanations bloat the token budget with information Claude already possesses. The lack of validation checkpoints in a forensic workflow (where evidence integrity is paramount) and the monolithic structure significantly reduce its effectiveness.
Suggestions
Remove the Key Concepts and Tools & Systems tables entirely — Claude already knows what auth.log, SUID bits, and chkrootkit are.
Move the Common Scenarios section to a separate SCENARIOS.md file and reference it from the main skill.
Add explicit validation checkpoints: verify mount success (check mount output/return code), verify artifact collection completeness (file counts/checksums), and validate forensic image integrity before and after analysis.
Condense the artifact collection step by using arrays/loops instead of listing every individual cp command — this would cut Step 1 by ~50% while remaining equally actionable.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is extremely verbose at ~250+ lines. It explains concepts Claude already knows (what auth.log is, what SUID bits are, what LD_PRELOAD does), includes lengthy reference tables of well-known tools, and describes common scenarios in paragraph form that add little actionable value. The Key Concepts and Tools tables are largely unnecessary for Claude. | 1 / 3 |
Actionability | The skill provides fully executable bash commands and Python scripts throughout. Commands are copy-paste ready with specific file paths, flags, and complete logic for parsing passwd/shadow files, analyzing shell history with pattern matching, and collecting artifacts systematically. | 3 / 3 |
Workflow Clarity | The 5-step workflow is clearly sequenced and logically ordered (mount → analyze accounts → check persistence → shell history → rootkits). However, there are no explicit validation checkpoints or feedback loops — for instance, no verification that the mount succeeded, no integrity checks on collected artifacts, and no error recovery guidance for forensic operations where data integrity is critical. | 2 / 3 |
Progressive Disclosure | The content is a monolithic wall of text with no references to external files and no separation of concerns. The Key Concepts table, Tools table, Common Scenarios section, and detailed code blocks could all be split into separate reference files. Everything is inlined in a single massive document with no navigation aids. | 1 / 3 |
Total | 7 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
0f429d0
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.