Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility 3 framework. Extracts process lists, network connections, bash history, loaded kernel modules, and injected code from Linux memory images. Use when performing incident response on compromised Linux systems.
Score: 74
68%
Quality: does it follow best practices?
Impact: Pending. No eval scenarios have been run.
Advisory: suggest reviewing before use.
Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/analyzing-memory-forensics-with-lime-and-volatility/SKILL.md`

Quality
Discovery
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly specifies the tools (LiME, Volatility 3), concrete actions (extracting process lists, network connections, bash history, kernel modules, injected code), and an explicit 'Use when' trigger clause for incident response on compromised Linux systems. It is highly distinctive and uses natural terminology that forensics practitioners would use.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: memory acquisition using LiME, analysis with Volatility 3, extracting process lists, network connections, bash history, loaded kernel modules, and injected code from Linux memory images. | 3 / 3 |
| Completeness | Clearly answers both what (performs memory acquisition with LiME and analysis with Volatility 3, extracting specific artifacts) and when ('Use when performing incident response on compromised Linux systems') with an explicit trigger clause. | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'memory acquisition', 'LiME', 'Volatility 3', 'incident response', 'compromised Linux systems', 'process lists', 'network connections', 'bash history', 'kernel modules', 'injected code', 'memory images'. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche combining Linux memory forensics, LiME, and Volatility 3; very unlikely to conflict with other skills. The specific tooling and domain (incident response, memory analysis) create a clear, unique identity. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
Implementation: 37%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides a reasonable starting point for Linux memory forensics with LiME and Volatility 3, including real commands and a basic workflow. However, it is weakened by generic boilerplate sections, incomplete Python code, lack of validation/verification steps critical for forensic workflows, and no progressive disclosure to deeper reference materials. The workflow is particularly lacking for a forensic context where evidence integrity verification is essential.
Suggestions
- Add explicit validation checkpoints: verify the LiME module loaded successfully (`dmesg | grep lime`), verify the dump file's size and integrity (`sha256sum`, file size check), and validate that Volatility can parse the image before running all plugins.
- Remove the generic 'When to Use' and 'Prerequisites' boilerplate sections; Claude doesn't need to be told about 'appropriate authorization' or 'familiarity with security operations concepts.'
- Complete the Python example with actual execution and output handling, or remove it in favor of the more actionable CLI commands.
- Add a step for building the LiME kernel module for the target system (`make -C /lib/modules/$(uname -r)/build M=$(pwd) modules`), since this is a critical prerequisite that is non-obvious.
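The validation checkpoints suggested above, written out as POSIX shell functions a responder can run right after acquisition and before the first Volatility plugin. This is an added example, not code from the reviewed skill or from Tessl. The dump path, the `.sha256` sidecar file name, the 64 KiB minimum size, the constructed sample image and the constructed dmesg line are assumptions; the header check relies on the magic value 0x4C694D45 that LiME's own `lime` output format writes at the start of each range header, which reads as "EMiL" on a little-endian host.

```shell
#!/bin/sh
# Added example (not part of the reviewed skill): post-acquisition checkpoints
# for a LiME image, as reusable functions. Assumed names: the dump path, the
# minimum-size floor, and the "<dump>.sha256" sidecar used to record the hash.

# Checkpoint 1: confirm the LiME module reported in. Reads dmesg text on stdin
# (pipe `dmesg` into it on a live host) so it can be checked against a sample.
lime_in_dmesg() {
    grep -qi 'lime'
}

# Checkpoint 2: the image exists, is at least $2 bytes, and begins with the
# LiME range-header magic (0x4C694D45, "EMiL" little-endian). Returns 1 with
# a reason on stderr on any failure.
dump_sane() {
    f=$1; min=$2
    [ -s "$f" ] || { echo "dump missing or empty: $f" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -ge "$min" ] || { echo "dump too small: $size < $min bytes" >&2; return 1; }
    magic=$(dd if="$f" bs=4 count=1 2>/dev/null)
    [ "$magic" = "EMiL" ] || { echo "no LiME header at offset 0 of $f" >&2; return 1; }
    return 0
}

# Hash helper: sha256sum where present, shasum on hosts that lack it.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Checkpoint 3: record the hash once, immediately after acquisition, and
# re-check it before analysis so any later change to the evidence is noticed.
record_hash() { sha256_of "$1" > "$1.sha256"; }
verify_hash() {
    [ -f "$1.sha256" ] || { echo "no recorded hash for $1" >&2; return 1; }
    [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ]
}

# Checkpoint 4: make sure Volatility 3 can read the image before launching the
# full plugin set; banners.Banners is cheap and needs no symbol table.
# Returns 2 (skip) when vol3 is not installed on this workstation.
vol3_can_parse() {
    command -v vol3 >/dev/null 2>&1 || { echo "vol3 not found, skipping parse check" >&2; return 2; }
    vol3 -q -f "$1" banners.Banners >/dev/null 2>&1
}

# Constructed sample image (not a real capture): the LiME magic followed by
# 64 KiB of zeros, enough to exercise the checks offline.
make_sample_dump() {
    printf 'EMiL' > "$1"
    dd if=/dev/zero bs=1024 count=64 >> "$1" 2>/dev/null
}

# Walk-through on the constructed sample and a constructed dmesg line.
demo_dir=$(mktemp -d)
demo_dump="$demo_dir/mem.lime"
make_sample_dump "$demo_dump"
printf 'lime: initializing dump...\n' | lime_in_dmesg && echo "module reported in dmesg"
dump_sane "$demo_dump" 65536 && echo "dump size and header OK"
record_hash "$demo_dump"
verify_hash "$demo_dump" && echo "hash matches recorded value"
vol3_can_parse "$demo_dump" || echo "vol3 parse check returned $?"
```

On a real case the same functions run against the acquired file: `dmesg | lime_in_dmesg`, then `dump_sane /mnt/evidence/mem.lime 65536`, `record_hash` straight after the `insmod` completes, and `verify_hash` again on the analysis workstation before `vol3` is pointed at the image. The size floor is deliberately a sanity check only; the real expectation is the host's physical RAM size.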
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The 'When to Use' and 'Prerequisites' sections contain generic filler (e.g., 'Familiarity with security operations concepts,' 'Appropriate authorization for any testing activities') that Claude already knows and doesn't need. The core technical content is reasonably lean but surrounded by boilerplate. | 2 / 3 |
| Actionability | Provides real commands (insmod, vol3) and a Python snippet, but the Python code is incomplete (no actual execution or output handling), and the LiME command assumes a pre-built module without explaining how to build it. The commands are mostly copy-paste ready but missing key details like building the LiME kernel module for the target system. | 2 / 3 |
| Workflow Clarity | The numbered steps list actions but lack any validation checkpoints or error recovery. Memory acquisition is a destructive, one-shot operation where verification is critical (e.g., verifying the dump integrity, checking file size, validating the image before analysis). There are no feedback loops or verification steps, which should cap this at 2 at most, and the steps themselves are vague enough to warrant a 1. | 1 / 3 |
| Progressive Disclosure | Content is organized into sections (When to Use, Prerequisites, Instructions, Examples), which provides some structure, but everything is inline in a single file with no references to deeper materials. The Examples section largely duplicates the Instructions section commands. For a skill of this complexity, separating detailed plugin references or advanced analysis techniques into linked files would improve navigation. | 2 / 3 |
| Total | | 7 / 12 Passed |
Validation
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
c15f73d