CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-memory-forensics-with-lime-and-volatility

Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility 3 framework. Extracts process lists, network connections, bash history, loaded kernel modules, and injected code from Linux memory images. Use when performing incident response on compromised Linux systems.

68

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

80%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A concise, actionable skill body driven by executable bash commands and a clear step sequence. It loses points for lacking validation checkpoints in the acquisition workflow and for failing to reference the provided bundle files, leaving navigation and depth underdeveloped.

Suggestions

Add explicit validation checkpoints to the workflow, e.g. verify the LiME capture was created and hash it, and confirm each vol3 plugin produced output before moving to the next step.

Link the provided bundle files from the body — e.g. 'Full plugin list and formats: see [api-reference.md](references/api-reference.md)' and 'Automated acquisition/analysis: see [agent.py](scripts/agent.py)' — so the inline examples stay lean and depth is one level deep.

Complete the Python programmatic example (it sets up the context and automagics but never runs a plugin) or drop it in favor of a reference link.

DimensionReasoningScore

Conciseness

The body is lean and code-focused with no explanations of concepts Claude already knows (e.g. it does not define memory forensics or how Volatility works); it assumes competence, fitting the lean-and-efficient anchor rather than the padded level-2 example.

3 / 3

Actionability

Provides copy-paste-ready executable commands ('insmod lime-$(uname -r).ko "path=/evidence/memory.lime format=lime"', 'vol3 -f /evidence/memory.lime linux.pslist') and concrete numbered steps; it is not level 2 because the primary guidance is fully executable rather than pseudocode, though the Python snippet is a partial setup example.

3 / 3

Workflow Clarity

The five 'Key analysis steps' are sequenced, but there are no validation or verification checkpoints for the sensitive acquisition/analysis operations (e.g. verifying the .lime capture, confirming plugin output), so per the batch/sensitive-operations guideline workflow clarity is capped at 2 rather than reaching the explicit-validation anchor at 3.

2 / 3

Progressive Disclosure

The body is organized into clear sections, but bundle files exist (references/api-reference.md, scripts/agent.py) and the body never signals or links to them, and it duplicates vol3 commands that also appear in the reference — fitting 'references present but not clearly signaled; content that should be separate is inline' rather than the well-signaled one-level-deep anchor at 3.

2 / 3

Total

10

/

12

Passed

Description

85%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong, concrete, third-person description that answers both what it does and when to use it with an explicit trigger clause. Its main weakness is narrow trigger-term coverage, relying on a single incident-response scenario rather than the varied phrasings a user might actually say.

Suggestions

Broaden the 'Use when...' clause with additional natural triggers such as 'analyzing a Linux memory dump', 'finding hidden processes or injected code in memory', or 'detecting Linux rootkits'.

Add a couple of common synonym phrasings (e.g. 'memory image', 'memory capture', 'RAM acquisition') so the description matches varied ways users phrase the request.

DimensionReasoningScore

Specificity

Lists multiple concrete actions: 'Performs Linux memory acquisition using LiME', 'analysis with Volatility 3 framework', and 'Extracts process lists, network connections, bash history, loaded kernel modules, and injected code' — matching the multiple-specific-actions anchor, not the single-domain anchor at 2.

3 / 3

Completeness

Clearly answers what ('Performs Linux memory acquisition... Extracts process lists...') and when via an explicit 'Use when performing incident response on compromised Linux systems.' clause, satisfying the both-what-and-when anchor; it is not level 2 because the when is explicit rather than implied.

3 / 3

Trigger Term Quality

Includes the natural trigger 'incident response on compromised Linux systems' plus concrete artifact names, but provides only a single trigger scenario and misses common variations a user might say (e.g. 'memory dump analysis', 'find hidden processes', 'detect rootkits'), fitting 'some relevant keywords but missing common variations' rather than the broad synonym coverage of the level-3 example.

2 / 3

Distinctiveness Conflict Risk

The Linux-memory-forensics-with-LiME-and-Volatility niche with incident-response triggers is clearly distinguishable and unlikely to fire for unrelated skills, matching the clear-niche anchor rather than the overlapping level-2 anchor.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.