analyzing-malicious-pdf-with-peepdf
Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript, shellcode, and suspicious objects.
52
58%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-malicious-pdf-with-peepdf/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, specific description that clearly identifies a niche domain (malicious PDF forensics) with concrete tools and actions. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The specificity and tool names provide excellent distinctiveness.
Suggestions
Add a 'Use when...' clause such as 'Use when the user asks to analyze suspicious or malicious PDFs, investigate PDF-based malware, or extract embedded payloads from PDF documents.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'static analysis of malicious PDF documents', 'extract embedded JavaScript, shellcode, and suspicious objects', and names specific tools (peepdf, pdfid, pdf-parser). | 3 / 3 |
Completeness | Clearly answers 'what does this do' (static analysis of malicious PDFs, extracting embedded content) but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric. | 2 / 3 |
Trigger Term Quality | Includes strong natural keywords users would say: 'malicious PDF', 'static analysis', 'JavaScript', 'shellcode', 'suspicious objects', 'peepdf', 'pdfid', 'pdf-parser'. These are terms a security analyst would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche: malicious PDF analysis with specific forensic tools. Unlikely to conflict with general PDF processing skills or other security skills due to the specific tool names and malware analysis focus. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
35%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a reasonable high-level framework for malicious PDF analysis but critically lacks executable commands and concrete code examples, making it more of a conceptual overview than an actionable skill. The workflow is sequenced but missing validation checkpoints and error recovery paths. The content also includes explanatory tables for concepts Claude likely already understands, consuming tokens without adding proportional value.
Suggestions
Add concrete, executable command examples for each workflow step (e.g., `pdfid.py malicious.pdf`, `peepdf -i malicious.pdf`, `PPDF> object 5`, `PPDF> js_analyse object 5`).
Include a complete worked example showing the full analysis of a sample malicious PDF from triage through IOC extraction, with actual tool output.
Add validation checkpoints to the workflow, such as verifying the file is actually a PDF before analysis, checking if streams decoded successfully, and confirming extracted JavaScript is complete.
Remove or significantly condense the Key Concepts and Tools tables, as Claude already knows these concepts, and replace with tool-specific syntax that Claude would not know (e.g., peepdf interactive commands, pdf-parser flags).
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The key concepts table explains PDF-specific terms that Claude likely already knows (e.g., FlateDecode, /OpenAction). The 'When to Use' section is somewhat verbose. The tools table adds marginal value. However, the workflow section is reasonably tight. | 2 / 3 |
Actionability | There are no executable commands or code examples anywhere. The workflow describes steps abstractly ('Open PDF in peepdf interactive mode', 'Dump suspicious streams') without showing actual commands like `peepdf -i malicious.pdf` or `pdfid.py malicious.pdf`. This is vague direction rather than concrete, copy-paste-ready guidance. | 1 / 3 |
Workflow Clarity | The 7-step workflow provides a clear sequence, but lacks validation checkpoints, error handling, or feedback loops. For a security analysis workflow involving potentially dangerous files, there are no safety verification steps or guidance on what to do when extraction fails or when objects are heavily obfuscated. | 2 / 3 |
Progressive Disclosure | The content is organized into logical sections with headers and tables, which is reasonable. However, there are no bundle files and no references to external documents for advanced topics (e.g., JavaScript deobfuscation techniques, shellcode analysis details). The key concepts and tools tables could be in separate reference files, keeping the main skill leaner. | 2 / 3 |
Total | 7 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
0f429d0
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.