analyzing-malware-persistence-with-autoruns
Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems.
67
60%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-malware-persistence-with-autoruns/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong description with excellent specificity and distinctiveness, clearly naming the tool (Sysinternals Autoruns), the domain (malware persistence), and the specific locations analyzed (registry keys, scheduled tasks, services, drivers, startup locations). Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The trigger terms are naturally embedded but would benefit from being called out in a dedicated trigger section.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about malware persistence, autoruns analysis, suspicious startup entries, or investigating Windows persistence mechanisms.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions and locations: 'identify and analyze malware persistence mechanisms across registry keys, scheduled tasks, services, drivers, and startup locations on Windows systems.' This is highly specific about what the skill does. | 3 / 3 |
Completeness | Clearly answers 'what does this do' (identify and analyze malware persistence mechanisms across multiple locations using Autoruns), but lacks an explicit 'Use when...' clause or equivalent trigger guidance. Per the rubric, a missing 'Use when...' clause caps completeness at 2. | 2 / 3 |
Trigger Term Quality | Includes strong natural keywords users would say: 'Autoruns', 'malware', 'persistence mechanisms', 'registry keys', 'scheduled tasks', 'services', 'drivers', 'startup locations', 'Windows', and 'Sysinternals'. These cover the terms a user investigating malware persistence would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive due to the specific tool (Sysinternals Autoruns), the specific domain (malware persistence analysis), and the specific platform (Windows). This is unlikely to conflict with other skills. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
37%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides a useful automated scanning script but significantly under-delivers on the capabilities promised in its overview (baseline comparison, VirusTotal integration, offline analysis). The workflow is incomplete with only 'Step 1' present and no validation checkpoints or error recovery, which is problematic for a security forensics procedure. The 'When to Use' section adds no value and several key features are mentioned but never made actionable.
Suggestions
Complete the workflow with explicit steps for baseline creation, baseline comparison/diffing, VirusTotal hash checking, and offline analysis with the -z flag—each with validation checkpoints.
Add validation/feedback loops: e.g., verify scan completed all categories, handle VirusTotal rate limits, confirm baseline file integrity before comparison.
Remove or drastically shorten the 'When to Use' section—it's generic and circular. Claude doesn't need to be told when to use a skill it's been given.
Add concrete CLI examples for autorunsc commands (baseline export, compare mode, offline mode) rather than only describing them in the overview paragraph.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The overview packs useful technical detail but the 'When to Use' section is generic filler that Claude doesn't need (e.g., 'When investigating security incidents that require analyzing malware persistence with autoruns' is circular). The prerequisites list is reasonable but could be tighter. | 2 / 3 |
Actionability | The Python script is executable and concrete, which is good. However, the skill only covers automated scanning/parsing—it lacks CLI examples for baseline creation, comparison (the -z flag and compare function mentioned in the overview), VirusTotal integration, and offline analysis. Key capabilities described in the overview have no actionable guidance. | 2 / 3 |
Workflow Clarity | Despite being labeled 'Step 1', there is no Step 2 or subsequent steps—the workflow is incomplete. There are no validation checkpoints, no feedback loops for handling suspicious findings, no baseline comparison steps, and no explicit sequence for the multi-step forensic analysis process described in the overview. | 1 / 3 |
Progressive Disclosure | The document has reasonable section structure and external references at the bottom. However, the single large code block could benefit from separation, and the promised capabilities (baseline diffing, VirusTotal integration, offline analysis) are neither covered inline nor pointed to via separate files. | 2 / 3 |
Total | 7 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
888bbe4
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.