analyzing-malicious-pdf-with-peepdf
Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.
66
58%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-malicious-pdf-with-peepdf/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, specific description that clearly identifies a niche domain (malicious PDF forensic analysis) with concrete tools and actions. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The technical specificity and tool names make it highly distinctive.
Suggestions
Add a 'Use when...' clause such as 'Use when the user asks to analyze suspicious or malicious PDFs, perform PDF forensics, detect embedded exploits, or mentions tools like peepdf, pdfid, or pdf-parser.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'static analysis of malicious PDF documents', 'extract embedded JavaScript, shellcode, and suspicious objects', and names specific tools (peepdf, pdfid, pdf-parser). | 3 / 3 |
Completeness | Clearly answers 'what does this do' (static analysis of malicious PDFs, extract JS/shellcode/suspicious objects using specific tools), but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric. | 2 / 3 |
Trigger Term Quality | Includes strong natural keywords users would say: 'malicious PDF', 'static analysis', 'peepdf', 'pdfid', 'pdf-parser', 'JavaScript', 'shellcode', 'suspicious objects'. These are terms a security analyst would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche: malicious PDF analysis with specific forensic/security tools. Very unlikely to conflict with general PDF processing skills or other security skills due to the specific tool names and malware analysis focus. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
35%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a reasonable high-level framework for malicious PDF analysis but critically lacks any executable commands or concrete code examples, making it more of a conceptual overview than an actionable skill. The workflow sequence is logical but needs validation steps and actual tool invocations (e.g., `peepdf -i malicious.pdf`, `pdfid.py -e malicious.pdf`) to be useful. The explanatory tables consume tokens on concepts Claude likely already understands.
Suggestions
Add concrete, executable command examples for each workflow step (e.g., `pdfid.py malicious.pdf`, `peepdf -i malicious.pdf`, then interactive commands like `object 5`, `js_analyse`, `stream 5 > extracted.js`)
Include a complete worked example showing actual peepdf interactive session output with a suspicious object extraction and JS deobfuscation
Add validation checkpoints to the workflow, such as verifying pdfid output before proceeding, confirming stream extraction succeeded, and checking decoded JS for completeness
Remove or significantly condense the Key Concepts and Tools tables, as Claude already knows these concepts, and replace with actionable command references
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The key concepts table explains PDF-specific terms that Claude likely already knows (e.g., FlateDecode, /OpenAction). The tools table is somewhat redundant given the prerequisites section. However, the workflow and output format sections are reasonably tight. | 2 / 3 |
Actionability | The skill provides no executable commands or code examples. There are no actual peepdf commands, no pdfid.py invocations, no pdf-parser.py usage examples. The workflow is entirely descriptive ('Scan PDF for suspicious keywords', 'Open PDF in peepdf interactive mode') without showing how to do any of it. | 1 / 3 |
Workflow Clarity | The 7-step workflow provides a clear sequence for the analysis process, but it lacks validation checkpoints and feedback loops. There's no guidance on what to do if steps fail, no verification that extraction was successful, and no error recovery for common issues like corrupted streams or encrypted PDFs. | 2 / 3 |
Progressive Disclosure | The content is organized into logical sections with headers and tables, but everything is inline in a single file with no references to external resources for deeper topics. The key concepts and tools tables could be separate references, and advanced topics like JS deobfuscation or shellcode analysis warrant their own linked documents. | 2 / 3 |
Total | 7 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
888bbe4
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.