analyzing-malware-sandbox-evasion-techniques
Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports
63
55%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-malware-sandbox-evasion-techniques/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description that clearly identifies the domain (malware sandbox evasion analysis) and lists concrete techniques and tools. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The trigger terms are excellent and naturally align with how a malware analyst would phrase requests.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to analyze malware behavior reports for evasion techniques, or mentions Cuckoo/AnyRun sandbox logs.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns. Also specifies the input sources (Cuckoo/AnyRun behavioral reports). | 3 / 3 |
Completeness | Clearly answers 'what does this do' (detect sandbox evasion techniques by analyzing specific patterns from specific report types), but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric. | 2 / 3 |
Trigger Term Quality | Includes strong natural keywords a user would say: 'sandbox evasion', 'malware', 'timing checks', 'VM artifact', 'user interaction detection', 'sleep inflation', 'Cuckoo', 'AnyRun', 'behavioral reports'. These cover the domain well with both general and specific terms. | 3 / 3 |
Distinctiveness Conflict Risk | Highly specific niche: sandbox evasion detection in malware analysis from specific tools (Cuckoo/AnyRun). Very unlikely to conflict with other skills given the narrow domain and specific trigger terms. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
27%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a high-level task description or ticket summary than actionable guidance for Claude. It lacks any concrete code examples, specific detection thresholds, actual API call patterns to match, or sample report structures. The content describes what to do at a conceptual level but never shows how, making it essentially unusable as a skill.
Suggestions
Add executable Python code for parsing Cuckoo JSON reports and extracting evasion-related API calls (e.g., filtering for GetTickCount, NtDelayExecution, RegOpenKeyEx with specific VM-related key paths)
Include concrete detection criteria: specific registry keys (e.g., HKLM\SOFTWARE\VMware), MAC address prefixes (e.g., 00:0C:29, 00:50:56), process names, disk size thresholds, and sleep inflation ratios
Provide a sample input JSON snippet and corresponding expected output JSON to make the 'Expected Output' section actionable
Add validation steps such as verifying the report format before parsing, cross-referencing detected techniques against known false-positive patterns, and a decision tree for escalation based on evasion sophistication score
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The overview paragraph is dense but contains some redundancy with the steps section (e.g., listing the same techniques twice). The 'When to Use' section is generic boilerplate that doesn't add value for Claude. However, it's not excessively verbose overall. | 2 / 3 |
Actionability | The skill provides no executable code, no concrete commands, no parsing examples, and no detection rule snippets. Steps are entirely abstract descriptions ('Parse Cuckoo/AnyRun behavioral report JSON files') without showing how to actually do any of it. No specific registry keys, MAC prefixes, or threshold values are provided despite being mentioned. | 1 / 3 |
Workflow Clarity | Steps are listed in a logical sequence, but there are no validation checkpoints, no error handling, no feedback loops, and no concrete criteria for decisions (e.g., what score threshold triggers escalation, what constitutes 'sleep inflation'). For a multi-step analysis workflow, the lack of validation caps this at 2. | 2 / 3 |
Progressive Disclosure | All content is in a single flat file with no references to external resources, example reports, detection rule files, or detailed technique catalogs. The content that exists is shallow, and there's no structure pointing to deeper materials. For a topic this complex, the lack of any layered organization is a significant weakness. | 1 / 3 |
Total | 6 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
77d5d9d
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.