CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-lnk-file-and-jump-list-artifacts

Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.

62

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

Highly actionable with executable tooling and code, but it is padded with background concepts and time-sensitive claims, lacks validation checkpoints in its batch workflow, and fails to navigate to its own bundle files.

Suggestions

Replace the Overview's background prose with a one-line purpose statement and move detail to references/; place 'IEEE 2025' / Windows 11 notes and tool version numbers in a clearly labeled 'Current as of / deprecated' section.

Add validation checkpoints to the parsing workflow (e.g. verify HeaderSize == 0x4C, reject files < 76 bytes, confirm CLSID before extracting timestamps).

Link the existing bundle files from the body — point to references/api-reference.md for command syntax/AppIDs, references/workflows.md for the investigation flows, scripts/agent.py for the parser, and assets/template.md for the report — instead of duplicating that content inline.

DimensionReasoningScore

Conciseness

Mostly efficient with concrete tables and commands, but the Overview explains concepts Claude already knows ('LNK files are created automatically when a user opens a file...') and time-sensitive claims ('Recent research (IEEE 2025)') and tool version numbers ('LECmd v1.11.0') appear outside any deprecated/old-patterns section.

2 / 3

Actionability

Provides fully executable PowerShell invocations for LECmd/JLECmd and a complete, copy-paste-ready Python struct-based header parser with real offsets, matching the executable-code anchor.

3 / 3

Workflow Clarity

The 'Investigation Use Cases' list sequenced steps and the parsing is a batch operation, but no validation or verification checkpoints are given (e.g. confirm header signature, sanity-check parsed timestamps), capping workflow clarity at 2 per the batch-operations guideline.

2 / 3

Progressive Disclosure

A well-structured bundle exists (references/, scripts/, assets/), but the body never signals or links to any of those files, and content that belongs in references — API syntax, AppID tables, workflows — is duplicated inline, fitting the 'content that should be separate is inline' anchor.

2 / 3

Total

9

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A specific, third-person description with strong trigger terms and a clear niche, but it omits an explicit 'Use when...' trigger clause, capping completeness at 2.

Suggestions

Add an explicit 'Use when...' clause, e.g. 'Use when investigating Windows user activity via LNK files or Jump Lists, or when parsing Shell Link binary artifacts.'

Include common variant phrasages users might say (e.g. 'recent files', 'shortcut files', 'AutomaticDestinations') to broaden trigger coverage.

DimensionReasoningScore

Specificity

Lists multiple concrete actions ('Analyze Windows LNK shortcut files and Jump List artifacts', 'establish evidence of file access, program execution, and user activity') backed by named tools (LECmd, JLECmd) and 'manual binary parsing of the Shell Link Binary format', matching the multiple-specific-actions anchor.

3 / 3

Completeness

It clearly answers 'what' but contains no 'Use when...' clause or equivalent explicit trigger guidance, so per the judging guidelines completeness is capped at 2 rather than 3.

2 / 3

Trigger Term Quality

Covers natural terms a forensic analyst would actually say — 'LNK shortcut files', 'Jump List artifacts', 'file access', 'program execution', 'user activity' — alongside the tool names, giving good coverage of likely trigger phrasing.

3 / 3

Distinctiveness Conflict Risk

The LNK/Jump List forensic niche with named EZ tools and the Shell Link Binary format is highly specific and unlikely to trigger for unrelated skills.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.