Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution, and user activity using LECmd, JLECmd, and manual binary parsing of the Shell Link Binary format.
69
62%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-lnk-file-and-jump-list-artifacts/SKILL.md
Quality
Discovery
82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description for a digital forensics skill with excellent domain terminology and tool references. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill. The specificity and distinctiveness are excellent, making it unlikely to conflict with other skills.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about LNK files, Windows shortcuts, Jump Lists, recent file access artifacts, or forensic analysis using LECmd or JLECmd.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'Analyze Windows LNK shortcut files and Jump List artifacts', 'establish evidence of file access, program execution, and user activity', and names specific tools (LECmd, JLECmd) and techniques (manual binary parsing of Shell Link Binary format). | 3 / 3 |
| Completeness | The 'what' is clearly answered with specific capabilities and tools, but there is no explicit 'Use when...' clause or equivalent trigger guidance telling Claude when to select this skill. The 'when' is only implied by the domain context. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords a forensic analyst would use: 'LNK', 'shortcut files', 'Jump List', 'LECmd', 'JLECmd', 'Shell Link Binary', 'file access', 'program execution', 'user activity'. These are highly specific terms that match how users in digital forensics would phrase requests. | 3 / 3 |
| Distinctiveness Conflict Risk | Extremely distinct niche — Windows LNK files, Jump Lists, LECmd/JLECmd, and Shell Link Binary format are highly specific forensic artifact types unlikely to overlap with any other skill. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable content with executable commands and a working Python parser, which is its primary strength. However, it is significantly over-long and monolithic, mixing reference tables, code, structural documentation, and example output all in one file without progressive disclosure. The workflow sections lack explicit validation steps and sequenced procedures, reading more as checklists than guided forensic workflows.
Suggestions
Move the LNK file structure table, AppID hash table, and Python parsing script into separate referenced files (e.g., LNK_STRUCTURE.md, APPID_REFERENCE.md, SCRIPTS.md) and link to them from the main skill.
Remove the introductory paragraph explaining what LNK files and Jump Lists are, and eliminate the generic 'When to Use' section — Claude already knows these concepts.
Add explicit validation checkpoints to the investigation workflows, e.g., 'Verify LECmd output contains expected fields before proceeding to cross-reference' and error-handling guidance when parsing fails.
Trim the example output section significantly — a single concise example showing key forensic fields would suffice instead of the extensive multi-tool output block.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The opening paragraph explains what LNK files and Jump Lists are at a conceptual level that Claude already knows. The 'When to Use' section is generic boilerplate. The LNK file structure table, AppID hash table, and extensive example output add significant bulk. Much of this is reference material that could be in separate files rather than inline. | 1 / 3 |
| Actionability | The skill provides fully executable PowerShell commands for LECmd and JLECmd with specific flags and paths, a complete Python script for binary parsing with proper struct unpacking, and concrete file paths for artifact locations. Commands are copy-paste ready with realistic parameters. | 3 / 3 |
| Workflow Clarity | The 'Investigation Use Cases' section lists steps but lacks explicit validation checkpoints or feedback loops. There's no clear sequenced workflow for a full investigation (e.g., 'parse → validate output → cross-reference → document findings'). The steps under each use case are more like notes than a structured procedure with verification. | 2 / 3 |
| Progressive Disclosure | This is a monolithic document with everything inline — binary format tables, AppID hash lookups, full Python scripts, extensive example output, and reference links all in one file. The LNK structure table, AppID hash table, and Python script should be in separate referenced files. No content is split or signposted for navigation. | 1 / 3 |
| Total | 7 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
c15f73d