CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-malware-persistence-with-autoruns

Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems.

62

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is highly actionable with executable, specific code, but it underuses its own bundle: a full script is inlined and none of the references/scripts/assets are linked from SKILL.md. Workflow structure is also thin, with validation detached from the steps rather than embedded as checkpoints.

Suggestions

Replace the inlined Python with a short usage snippet and point to scripts/agent.py (and references/api-reference.md for the full flag table) so SKILL.md stays a lean overview.

Promote the '## Workflow' beyond a single step and fold the Validation Criteria into explicit checkpoints (e.g. 'verify all ASEP categories scanned' before flagging) with a fix-and-retry feedback loop for the batch scan.

Add a references/navigation section linking the bundle files (workflows.md, standards.md, assets/template.md) so their content is discoverable from the overview.

DimensionReasoningScore

Conciseness

The Overview is dense and free of beginner-concept filler, but a full ~40-line Python script is inlined in SKILL.md when an equivalent scripts/agent.py bundle already exists; this content could be externalized and tightened.

2 / 3

Actionability

The provided Python is fully executable with concrete autorunsc flags ('-a *', '-c', '-h', '-s', '-nobanner') and specific suspicious-path and LOLBin detection lists, making it copy-paste ready.

3 / 3

Workflow Clarity

Only 'Step 1' is labeled for a section titled Workflow, and the Validation Criteria are a detached list rather than integrated checkpoints; for a batch scan operation the rubric caps workflow clarity at 2 when feedback loops are missing.

2 / 3

Progressive Disclosure

Bundle files exist (references/api-reference.md, standards.md, workflows.md, scripts/agent.py, assets/template.md) but none are referenced from the body, and content that belongs in those files (the full script) is inlined; sections are organized but bundle navigation is un-signaled.

2 / 3

Total

9

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong, specific description that names concrete actions and natural trigger terms in a clearly distinct niche. Its main weakness is the absence of an explicit 'when to use' clause, which caps the completeness dimension.

Suggestions

Add an explicit trigger clause, e.g. 'Use when investigating Windows malware persistence, hunting autostart/ASEP entries, or validating detection coverage for boot/logon autostart techniques.'

Include common tool-name variations users might say, such as 'autoruns', 'autorunsc', or 'autostart extensibility points (ASEPs)', to broaden trigger coverage.

DimensionReasoningScore

Specificity

The description lists concrete actions ('identify and analyze') against an enumerated set of targets ('registry keys, scheduled tasks, services, drivers, and startup locations'), matching the multiple-specific-actions anchor.

3 / 3

Completeness

It clearly answers 'what' but contains no 'Use when...' or equivalent explicit trigger guidance, so per the rubric guideline a missing trigger clause caps completeness at 2.

2 / 3

Trigger Term Quality

It surfaces natural terms a user would say — 'malware persistence', 'scheduled tasks', 'services', 'drivers', 'startup locations', 'Windows' — giving good coverage of likely user phrasing.

3 / 3

Distinctiveness Conflict Risk

The Autoruns + Windows persistence niche is sharply scoped with distinct triggers, making it unlikely to fire for the wrong skill.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.