Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.
69
62%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md
Quality
Discovery
82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description that clearly identifies the forensic domain, concrete actions, specific tools, and relevant artifact types. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill. The trigger terms are excellent for the digital forensics audience.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about LNK files, Windows shortcuts, Jump Lists, recent file access artifacts, or forensic analysis with LECmd/JLECmd.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'Analyze Windows LNK shortcut files and Jump List artifacts', 'establish evidence of file access, program execution, and user activity', and names specific tools (LECmd, JLECmd) and techniques (manual binary parsing of Shell Link Binary format). | 3 / 3 |
| Completeness | Clearly answers 'what does this do' (analyze LNK/Jump List artifacts using specific tools), but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this dimension at 2 per the rubric. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords a forensic analyst would use: 'LNK', 'shortcut files', 'Jump List', 'LECmd', 'JLECmd', 'Shell Link Binary', 'file access', 'program execution', 'user activity'. These are highly specific terms that map well to user queries in digital forensics. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive niche focusing on Windows LNK shortcut files, Jump List artifacts, and specific forensic tools (LECmd, JLECmd). Very unlikely to conflict with other skills due to the narrow forensic domain and specific artifact types. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable, concrete commands and code for LNK/Jump List forensic analysis, which is its primary strength. However, it is significantly over-long and verbose, with extensive reference tables, binary format details, and example output that should be split into separate files. The workflow lacks validation checkpoints, and the overview explains concepts Claude already understands.
Suggestions
Move the LNK binary structure table, AppID hash lookup table, and detailed example output into separate reference files (e.g., LNK_STRUCTURE.md, APPID_REFERENCE.md) and link to them from the main skill.
Remove the explanatory overview paragraph and 'When to Use' boilerplate — Claude already knows what LNK files and Jump Lists are; start directly with locations and tool usage.
Add explicit validation steps to the investigation workflows, such as verifying CSV output row counts, checking for parsing errors in tool output, and confirming timestamp consistency across artifacts.
Trim the example output section to show only one representative LNK entry and one Jump List entry, noting that full examples are available in a companion file.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The overview paragraph explains what LNK files and Jump Lists are at a level Claude already knows. The 'When to Use' section is generic boilerplate. The LNK file structure table, AppID hash table, full binary format offsets, and extensive example output all contribute to significant verbosity. Much of this reference material could be in separate files. | 1 / 3 |
| Actionability | The skill provides fully executable PowerShell commands for LECmd and JLECmd with realistic paths and flags, a complete Python script for binary parsing with proper struct unpacking, and concrete investigation procedures. Commands are copy-paste ready with appropriate flags and output options. | 3 / 3 |
| Workflow Clarity | The 'Investigation Use Cases' section provides numbered steps for different scenarios, but lacks explicit validation checkpoints or feedback loops. There's no verification step to confirm parsed output is correct or complete, and no error handling guidance for when tools fail or encounter corrupted artifacts. | 2 / 3 |
| Progressive Disclosure | This is a monolithic wall of content with everything inline — binary format tables, AppID lookup tables, full Python scripts, extensive example output, and reference material all in one file. The references section links to external URLs but no content is split into companion files for progressive discovery. | 1 / 3 |
| Total | 7 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
888bbe4