Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover evidence of compromise or unauthorized activity.
Overall score: 62%
Does it follow best practices?
Impact: No eval scenarios have been run
Advisory: Suggest reviewing before use
Optimize this skill with Tessl: npx tessl skill review --optimize ./skills/analyzing-linux-system-artifacts/SKILL.md
Quality
Discovery: 82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong description with excellent specificity and distinctive focus on Linux forensic analysis. The main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The natural trigger terms are well-chosen for the security/forensics domain.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when investigating a potential Linux system breach, performing incident response, or analyzing suspicious system activity on Linux hosts.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete artifacts and actions: 'auth logs, cron jobs, shell history, and system configuration' with clear purpose 'uncover evidence of compromise or unauthorized activity'. | 3 / 3 |
| Completeness | Clearly answers 'what' (examine Linux system artifacts to uncover compromise evidence) but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'Linux', 'auth logs', 'cron jobs', 'shell history', 'system configuration', 'compromise', 'unauthorized activity'. These are terms a security analyst or incident responder would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche combining Linux forensics with specific artifact types (auth logs, cron jobs, shell history). Unlikely to conflict with other skills due to the specific focus on Linux system compromise investigation. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable, executable forensic commands and scripts, which is its primary strength. However, it is excessively verbose — explaining basic Linux concepts Claude already knows, including lengthy reference tables, and providing descriptive scenario prose that doesn't add actionable value. The monolithic structure with no progressive disclosure and the lack of validation checkpoints in a forensic workflow (where evidence integrity is paramount) are notable weaknesses.
Suggestions
Remove the Key Concepts table, Tools & Systems table, and Prerequisites section — Claude already knows what auth.log, SUID bits, and chkrootkit are. This would cut ~40% of token usage.
Move Common Scenarios and the Output Format example into separate reference files (e.g., SCENARIOS.md, OUTPUT_TEMPLATE.md) and link to them from the main skill.
Add explicit validation checkpoints: verify mount succeeded (check mount output), verify collected files exist and are non-empty before analysis, and validate forensic image integrity (hash check) before and after operations.
Condense the collection step by using arrays/loops instead of listing every individual cp command — the pattern is repetitive and could be expressed more efficiently.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose at ~250+ lines. The Key Concepts table explains things Claude already knows (what auth.log is, what SUID bit means, what .bash_history is). The Tools & Systems table describes well-known tools. The Common Scenarios section is descriptive prose rather than actionable guidance. The Prerequisites section explains basic Linux concepts Claude already understands. | 1 / 3 |
| Actionability | The skill provides fully executable bash commands and Python scripts throughout all workflow steps. Commands are copy-paste ready with specific file paths, flags, and complete logic for parsing passwd/shadow files, analyzing shell history, and checking persistence mechanisms. | 3 / 3 |
| Workflow Clarity | The 5-step workflow is clearly sequenced and covers collection through analysis. However, there are no explicit validation checkpoints or feedback loops: no verification that the mount succeeded, no checks that collected files are intact, no guidance on what to do if artifacts are missing or corrupted. For forensic operations where evidence integrity is critical, this is a significant gap. | 2 / 3 |
| Progressive Disclosure | Monolithic wall of content with no references to external files. The Key Concepts table, Tools & Systems table, and Common Scenarios sections add significant bulk that could be split into reference files. No bundle files exist to offload this content, and no attempt is made to organize into overview vs. detailed reference material. | 1 / 3 |
| Total | | 7 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |