Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility 3 framework. Extracts process lists, network connections, bash history, loaded kernel modules, and injected code from Linux memory images. Use when performing incident response on compromised Linux systems.
Impact: No eval scenarios have been run
Advisory: Suggest reviewing before use
Quality
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly specifies the tools (LiME, Volatility 3), the concrete actions (extracting process lists, network connections, bash history, kernel modules, injected code), and when to use it (incident response on compromised Linux systems). It uses proper third-person voice and is concise without being vague. The only minor improvement could be adding a few more trigger term variations like 'memory forensics' or 'memory dump'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: memory acquisition using LiME, analysis with Volatility 3, extracting process lists, network connections, bash history, loaded kernel modules, and injected code from Linux memory images. | 3 / 3 |
| Completeness | Clearly answers both 'what' (performs memory acquisition with LiME and analysis with Volatility 3, extracts specific artifacts) and 'when' ('Use when performing incident response on compromised Linux systems'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'memory acquisition', 'LiME', 'Volatility 3', 'process lists', 'network connections', 'bash history', 'kernel modules', 'injected code', 'incident response', 'compromised Linux systems'. These cover the domain well. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche combining Linux memory forensics, LiME, and Volatility 3. Very unlikely to conflict with other skills due to the specific tooling and domain (Linux memory acquisition and analysis for incident response). | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 22%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a basic overview of LiME + Volatility 3 forensics but suffers from generic filler content (prerequisites, when-to-use bullets) that wastes tokens while lacking the critical validation steps needed for forensic workflows. The CLI commands are useful but the Python snippet is incomplete, and there's no guidance on interpreting results or handling errors during acquisition.
Suggestions

- Remove the generic 'When to Use' and 'Prerequisites' sections entirely — they add no value Claude doesn't already know — and use that space for output interpretation examples (e.g., what a suspicious pslist vs psscan discrepancy looks like).
- Add explicit validation checkpoints: verify LiME loaded (`dmesg | grep lime`), verify memory image integrity (file size check, `vol3 -f image linux.pslist` returns results), and error recovery steps if acquisition fails.
- Either complete the Python snippet with actual plugin execution and result handling, or remove it entirely in favor of the more actionable CLI workflow.
- Add concrete examples of suspicious findings (e.g., hidden processes found by psscan but not pslist, unknown kernel modules in lsmod) to make the analysis steps truly actionable.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The 'When to Use' section is padded with generic SOC/threat-hunting bullets that don't add value. Prerequisites list basic things Claude already knows (Python 3.8+, 'familiarity with security operations'). The programmatic Volatility 3 Python snippet is incomplete and adds little beyond the CLI examples. | 1 / 3 |
| Actionability | The bash commands for LiME acquisition and Volatility 3 plugins are concrete and mostly executable. However, the Python snippet is incomplete (no actual execution of plugins), and there's no guidance on interpreting output or what suspicious findings look like. The 'key analysis steps' are a mix of actionable commands and vague direction ('compare with linux.psscan', 'check for rootkits'). | 2 / 3 |
| Workflow Clarity | The workflow lacks validation checkpoints entirely. There's no verification that LiME loaded correctly, no check that the memory image is valid before analysis, no guidance on what to do if acquisition fails or if Volatility can't parse the image. For a destructive/forensic operation (memory acquisition on a live system), this is a significant gap. | 1 / 3 |
| Progressive Disclosure | The content is organized into sections (When to Use, Prerequisites, Instructions, Examples) which provides some structure. However, there are no references to external files, and the content is somewhat monolithic with redundancy between the Instructions and Examples sections showing similar commands. | 2 / 3 |
| Total | | 6 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |