analyzing-malware-sandbox-evasion-techniques
Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns from Cuckoo/AnyRun behavioral reports
61
52%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-malware-sandbox-evasion-techniques/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description that clearly identifies concrete capabilities and uses domain-appropriate terminology that analysts would naturally use. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The specificity and distinctiveness are excellent for a niche malware analysis skill.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user provides Cuckoo or AnyRun reports and asks about sandbox evasion, anti-analysis techniques, or VM detection in malware samples.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: analyzing timing checks, VM artifact queries, user interaction detection, and sleep inflation patterns. Also specifies the input sources (Cuckoo/AnyRun behavioral reports). | 3 / 3 |
Completeness | Clearly answers 'what does this do' (detect sandbox evasion techniques by analyzing specific patterns from specific report types), but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric. | 2 / 3 |
Trigger Term Quality | Excellent coverage of natural terms a malware analyst would use: 'sandbox evasion', 'malware samples', 'timing checks', 'VM artifact', 'user interaction detection', 'sleep inflation', 'Cuckoo', 'AnyRun', 'behavioral reports'. These are highly specific and natural to the domain. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche combining sandbox evasion detection, specific evasion technique types, and specific sandbox platforms (Cuckoo/AnyRun). Very unlikely to conflict with other skills. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
22%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads like a high-level outline or table of contents rather than actionable guidance. It describes what should be done but provides zero executable code, no example JSON report structures, no concrete API call patterns to search for, and no detection rule examples. The content would need substantial additions of concrete, copy-paste-ready code and examples to be useful.
Suggestions
Add executable Python code for parsing Cuckoo/AnyRun JSON reports and extracting evasion indicators (e.g., filtering API calls for GetTickCount, QueryPerformanceCounter, sleep functions)
Include a concrete example of input (sample behavioral report JSON snippet) and expected output (detection result JSON with MITRE mappings and scores)
Add specific detection logic such as thresholds for sleep inflation (e.g., requested vs actual sleep delta > 10x), lists of VM artifact registry keys and MAC prefixes to check, and process name watchlists
Add validation steps: e.g., verify JSON report schema before parsing, validate that API call sequences are non-empty, and include error handling for malformed reports
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The overview paragraph is quite verbose and repeats information that appears again in the Steps section. The 'When to Use' section is generic boilerplate that doesn't add value. However, it's not egregiously padded with explanations of basic concepts. | 2 / 3 |
Actionability | There is no executable code, no concrete commands, no parsing scripts, no example JSON structures, and no detection rule examples. The steps are entirely abstract descriptions of what to do rather than how to do it. 'Parse Cuckoo/AnyRun behavioral report JSON files' gives no concrete guidance. | 1 / 3 |
Workflow Clarity | The 7 steps are a high-level outline with no validation checkpoints, no error handling, no feedback loops, and no concrete details about how to perform each step. There's no guidance on what to do if parsing fails or if results are ambiguous. | 1 / 3 |
Progressive Disclosure | The content has some structural organization with clear section headers (Overview, When to Use, Prerequisites, Steps, Expected Output), but everything is inline with no references to external files for detailed content like example reports, detection scripts, or MITRE mapping tables that would clearly benefit from separate files. | 2 / 3 |
Total | 6 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
888bbe4
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.