analyzing-malware-sandbox-evasion-techniques
Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports
66
58%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-malware-sandbox-evasion-techniques/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description that clearly identifies the domain (malware analysis), concrete actions (analyzing timing checks, VM artifacts, user interaction detection, sleep inflation patterns), and input sources (Cuckoo/AnyRun reports). Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to analyze malware behavior reports for anti-analysis or sandbox evasion techniques, or when reviewing Cuckoo/AnyRun output for evasive behaviors.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns. Also specifies the input sources (Cuckoo/AnyRun behavioral reports). | 3 / 3 |
Completeness | Clearly answers 'what does this do' (detect sandbox evasion techniques by analyzing specific patterns from specific report types), but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric. | 2 / 3 |
Trigger Term Quality | Includes strong natural keywords users would say: 'sandbox evasion', 'malware', 'timing checks', 'VM artifact', 'user interaction detection', 'sleep inflation', 'Cuckoo', 'AnyRun', 'behavioral reports'. These are terms a malware analyst would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly specific niche: sandbox evasion detection in malware analysis from specific tools (Cuckoo/AnyRun). Very unlikely to conflict with other skills given the narrow domain and specific technique names. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
35%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a high-level task description or project outline than an actionable skill. It names the right concepts (timing checks, VM artifacts, sleep inflation, user interaction detection) but provides zero executable code, no example JSON structures, no concrete detection thresholds, and no sample API call patterns to match against. Claude would need to independently figure out nearly all implementation details.
Suggestions
Add executable Python code for parsing Cuckoo JSON reports and extracting evasion-related API calls (e.g., filtering for GetTickCount, NtDelayExecution, RegOpenKeyEx with specific VM-related key paths)
Include a concrete example of input (snippet of a Cuckoo behavioral report JSON) and expected output (the detection result JSON with MITRE mappings and evidence)
Define specific detection thresholds and criteria, e.g., sleep inflation ratio > 10x flags as evasive, specific registry paths like 'HKLM\SOFTWARE\VMware, Inc.' to check, MAC prefix '00:0C:29' for VMware
Remove the generic 'When to Use' section and replace with a concrete quick-start example showing end-to-end analysis of a sample report
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The overview paragraph is dense but contains some redundancy with the steps section (e.g., listing the same techniques twice). The 'When to Use' section is generic boilerplate that doesn't add value for Claude. Could be tightened significantly. | 2 / 3 |
Actionability | No executable code, no concrete commands, no specific examples of what API calls to look for, no parsing code, no detection rule examples. The steps are entirely abstract descriptions of what to do rather than how to do it. 'Parse Cuckoo/AnyRun behavioral report JSON files' gives no concrete guidance on structure or implementation. | 1 / 3 |
Workflow Clarity | Steps are listed in a logical sequence, but there are no validation checkpoints, no error handling, no feedback loops, and no concrete details about what constitutes a positive detection at each step. The scoring step (step 6) has no criteria defined. | 2 / 3 |
Progressive Disclosure | Content is organized with clear sections (Overview, When to Use, Prerequisites, Steps, Expected Output), but everything is inline with no references to external files for detailed content like detection rules, example reports, or MITRE mapping tables that would benefit from separate files. | 2 / 3 |
Total | 7 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
c15f73d
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.