CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-malicious-pdf-with-peepdf

Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.

62

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is concise and well-structured but loses points on actionability and workflow clarity because it describes steps in prose without inline executable commands or validation checkpoints, and it fails to reference its own bundle files. Adding inline command examples, validation steps, and links to the reference would substantially raise the score.

Suggestions

Add inline executable command examples for the key steps (e.g., `peepdf -f -l malicious.pdf`, `pdfid.py malicious.pdf`) rather than only describing them.

Insert validation checkpoints into the workflow, such as verifying a stream decoded cleanly before deobfuscating its JavaScript.

Explicitly link the bundle files from the body, e.g. 'See [api-reference.md](references/api-reference.md) for the full peepdf command set and [agent.py](scripts/agent.py) for automation.'

DimensionReasoningScore

Conciseness

The body is lean — section headers, bullet lists, and tables with no padding explaining what a PDF is or how the libraries work, assuming Claude's competence so every token earns its place.

3 / 3

Actionability

The workflow names tools and steps but the body itself contains no executable commands or copy-paste code — the runnable peepdf/pdfid/pdf-parser commands live only in the reference file, leaving the body describing rather than instructing.

2 / 3

Workflow Clarity

The seven-step workflow is clearly sequenced, but it involves risky extraction of malicious content with no explicit validation checkpoints or feedback loops (e.g., confirm a stream decoded correctly before deobfuscating), capping clarity at 2 per the rubric's destructive-operations note.

2 / 3

Progressive Disclosure

Content is well-organized and detailed commands are appropriately split into references/api-reference.md and scripts/agent.py, but the body never signals or links to these bundle files, so navigation to the deeper material is missing.

2 / 3

Total

9

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific, distinctive, and uses natural domain trigger terms, but it omits any explicit 'when to use' trigger guidance, which caps completeness at 2. Adding a 'Use when...' clause covering phishing PDF triage or PDF exploit analysis would lift the weakest dimension.

Suggestions

Add an explicit 'Use when...' clause, e.g. 'Use when triaging suspicious PDF attachments from phishing emails or analyzing PDF-based exploit documents.'

Broaden trigger terms with common variations users might say, such as 'PDF malware', 'phishing attachment', or 'weaponized PDF'.

Keep the current concise tool list — it already provides strong specificity and distinctiveness.

DimensionReasoningScore

Specificity

Names multiple concrete actions ('Perform static analysis', 'extract embedded JavaScript, shellcode, and suspicious objects') and specific tools (peepdf, pdfid, pdf-parser), matching the 'lists multiple specific concrete actions' anchor.

3 / 3

Completeness

Clearly answers 'what' the skill does but provides no 'Use when...' clause or equivalent explicit trigger guidance for when Claude should invoke it, so completeness is capped at 2 per the rubric guideline.

2 / 3

Trigger Term Quality

Includes natural domain terms a malware analyst would say — 'malicious PDF documents', 'JavaScript', 'shellcode', 'peepdf', 'pdfid', 'pdf-parser' — giving good coverage of trigger language, though it leans slightly technical.

3 / 3

Distinctiveness Conflict Risk

The niche is sharply defined — malicious PDF static analysis with named tooling — making it unlikely to trigger for or conflict with unrelated skills.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.