analyzing-malware-sandbox-evasion-techniques
Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports
44
45%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-malware-sandbox-evasion-techniques/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description that clearly identifies the domain (malware analysis), concrete capabilities (detecting sandbox evasion via timing checks, VM artifacts, user interaction, sleep inflation), and input formats (Cuckoo/AnyRun reports). Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to analyze malware behavior reports for evasion techniques, or mentions sandbox detection, anti-analysis, or anti-VM behavior.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns. Also specifies the input sources (Cuckoo/AnyRun behavioral reports). | 3 / 3 |
Completeness | Clearly answers 'what does this do' (detect sandbox evasion techniques by analyzing specific patterns from specific report types), but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric. | 2 / 3 |
Trigger Term Quality | Excellent coverage of natural terms a malware analyst would use: 'sandbox evasion', 'malware samples', 'timing checks', 'VM artifact', 'user interaction detection', 'sleep inflation', 'Cuckoo', 'AnyRun', 'behavioral reports'. These are highly specific and natural to the domain. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche combining sandbox evasion detection, specific evasion technique types, and specific sandbox platforms (Cuckoo/AnyRun). Very unlikely to conflict with other skills. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
7%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is essentially a high-level outline or abstract rather than actionable guidance. It describes what should be done without providing any concrete implementation—no code, no detection patterns, no example JSON structures, no specific registry keys or MAC prefixes to check. Claude already knows what sandbox evasion is and what T1497 covers; the skill needs to provide the specific parsing logic, detection heuristics, and scoring algorithms that would make it useful.
Suggestions
Add executable Python code for parsing Cuckoo/AnyRun JSON reports, including specific JSON paths to extract (e.g., `report['behavior']['apistats']`, `report['behavior']['processes']`)
Provide concrete detection patterns: specific registry key paths (e.g., `HKLM\SOFTWARE\VMware, Inc.\VMware Tools`), MAC address prefixes (e.g., `00:0C:29`, `00:50:56`), process names, and API call sequences with example matching logic
Include a sample expected output JSON schema showing the evasion report structure, sophistication scoring formula, and MITRE sub-technique mappings (T1497.001, .002, .003)
Add a sleep inflation detection algorithm with concrete thresholds (e.g., comparing NtDelayExecution requested duration vs wall-clock elapsed time with a specific ratio threshold)
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The overview is a dense wall of text restating concepts Claude already knows (what sandbox evasion is, MITRE ATT&CK T1497 definition). The 'When to Use' section is generic boilerplate that adds no actionable value. Much of the content describes rather than instructs. | 1 / 3 |
Actionability | No executable code, no concrete commands, no specific examples of parsing logic or detection rules. Steps are entirely abstract descriptions ('Parse Cuckoo/AnyRun behavioral report JSON files') with no actual implementation. There's no code to copy-paste, no regex patterns, no JSON schema, no sample API call sequences to match against. | 1 / 3 |
Workflow Clarity | Steps are listed but lack any specificity—no validation checkpoints, no error handling, no feedback loops. There's no guidance on what constitutes a detection threshold, how to handle ambiguous results, or what to do when parsing fails. The workflow reads like a table of contents rather than an actionable procedure. | 1 / 3 |
Progressive Disclosure | The content has some structural organization with clear section headers (Overview, When to Use, Prerequisites, Steps, Expected Output), but everything is inline with no references to supporting files. Given there are no bundle files, this is acceptable structure, but the content that is present is too shallow to benefit from the organization. | 2 / 3 |
Total | 5 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
0445030
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.