Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.
55
62%: Does it follow best practices?
Impact: No eval scenarios have been run
Passed: No known issues
Optimize this skill with Tessl:
npx tessl skill review --optimize ./skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md
Quality
Discovery
82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description targeting a clear forensic analysis niche with concrete actions, specific tools, and domain-appropriate terminology. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill over others.
Suggestions
Add a 'Use when...' clause such as 'Use when the user asks about LNK files, Windows shortcuts, Jump Lists, recent file access artifacts, or forensic evidence of program execution.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'Analyze Windows LNK shortcut files and Jump List artifacts', 'establish evidence of file access, program execution, and user activity', and names specific tools (LECmd, JLECmd) and methods (manual binary parsing of Shell Link Binary format). | 3 / 3 |
| Completeness | Clearly answers 'what does this do' (analyze LNK/Jump List artifacts using specific tools), but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this dimension at 2 per the rubric. | 2 / 3 |
| Trigger Term Quality | Includes highly specific natural keywords a forensic analyst would use: 'LNK', 'shortcut files', 'Jump List', 'LECmd', 'JLECmd', 'Shell Link Binary', 'file access', 'program execution', 'user activity'. These are the exact terms someone working in digital forensics would naturally mention. | 3 / 3 |
| Distinctiveness Conflict Risk | Extremely niche domain: Windows forensic artifact analysis of LNK and Jump List files with named tools. Very unlikely to conflict with any other skill given the highly specialized terminology and scope. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable, executable guidance with real tool commands and a working Python parser, which is its primary strength. However, it is significantly bloated with reference tables, conceptual explanations Claude doesn't need, and verbose example output that should be in separate files. The workflow lacks validation checkpoints and the entire content is monolithic despite being well over 200 lines.
Suggestions
Remove or drastically shorten the Overview paragraph and 'When to Use' section — Claude knows what LNK files are and doesn't need generic use-case descriptions.
Move the LNK binary structure table, AppID hash lookup table, and the full Python parsing script into separate referenced files (e.g., LNK_STRUCTURE.md, APPID_REFERENCE.md, parse_lnk.py) to reduce the main skill to an actionable overview.
Add explicit validation steps to the workflow, such as verifying LECmd/JLECmd output for parsing errors, checking CSV row counts, and cross-referencing LNK timestamps against other artifacts before drawing conclusions.
Trim the example output section significantly — a single concise example showing key forensic fields would suffice instead of the current ~60 lines of simulated output.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The overview paragraph explains what LNK files and Jump Lists are at a conceptual level that Claude already knows. The 'When to Use' section is generic boilerplate. The LNK file structure table, AppID hash table, and extensive example output add significant bulk. Much of this is reference material that could be in separate files or omitted entirely. | 1 / 3 |
| Actionability | The skill provides fully executable PowerShell commands for LECmd and JLECmd with specific flags and paths, a complete Python script for binary parsing with proper struct unpacking, and concrete investigation procedures. Commands are copy-paste ready with realistic parameters. | 3 / 3 |
| Workflow Clarity | The 'Investigation Use Cases' section provides numbered steps for different scenarios, but lacks explicit validation checkpoints or feedback loops. There's no verification step after parsing (e.g., checking for parsing errors, validating output completeness), and the overall analysis workflow isn't sequenced as a coherent end-to-end process. | 2 / 3 |
| Progressive Disclosure | This is a monolithic document with everything inline: binary format tables, AppID lookup tables, full Python scripts, extensive example output, and reference material all in one file with no bundle files to offload to. The AppID table and LNK structure details would be better as separate reference files. | 1 / 3 |
| Total | 7 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |