Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility 3 framework. Extracts process lists, network connections, bash history, loaded kernel modules, and injected code from Linux memory images. Use when performing incident response on compromised Linux systems.
Score: 74
Does it follow best practices? 68%
Impact: Pending. No eval scenarios have been run.
Advisory: Suggest reviewing before use.

Quality
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly specifies the tools (LiME, Volatility 3), the concrete actions (extracting process lists, network connections, bash history, kernel modules, injected code), and when to use it (incident response on compromised Linux systems). It is concise, uses third person voice, and contains highly distinctive trigger terms that minimize conflict risk.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: memory acquisition using LiME, analysis with Volatility 3, extracting process lists, network connections, bash history, loaded kernel modules, and injected code from Linux memory images. | 3 / 3 |
| Completeness | Clearly answers both 'what' (memory acquisition with LiME, analysis with Volatility 3, extracting specific artifacts) and 'when' ('Use when performing incident response on compromised Linux systems'). The explicit 'Use when' clause is present. | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'memory acquisition', 'LiME', 'Volatility 3', 'incident response', 'compromised Linux systems', 'process lists', 'network connections', 'bash history', 'kernel modules', 'injected code', 'memory images'. These cover both tool-specific and task-specific terms. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche: Linux memory forensics using specific tools (LiME, Volatility 3). The combination of Linux, memory acquisition, and incident response creates a very specific trigger profile unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 37%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides a reasonable starting point for Linux memory forensics with LiME and Volatility 3, including real commands and a basic workflow. However, it suffers from generic boilerplate sections, lacks validation/verification steps critical for forensic operations (e.g., verifying memory dump integrity), and the Python example is incomplete. The workflow needs explicit checkpoints given the sensitive nature of forensic evidence handling.
Suggestions
Add validation checkpoints: verify LiME module loaded successfully (dmesg | grep lime), verify dump file integrity (sha256sum), and verify Volatility can parse the image before proceeding to analysis.
Remove generic boilerplate in 'When to Use' and 'Prerequisites' sections—replace with specific requirements like 'LiME kernel module compiled for target kernel version' and 'Volatility 3 installed with Linux symbol tables'.
Complete the Python example with actual execution and output handling, or remove it in favor of the more actionable CLI commands.
Add error recovery guidance: what to do if LiME fails to load (kernel version mismatch), if Volatility lacks symbol tables for the target kernel, or if the memory image appears corrupted.
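One way to script the acquisition checkpoints suggested above, as an added example that is not part of the reviewed skill, of LiME or of Volatility (the function names and the `<dump>.sha256` sidecar convention are this example's own assumptions):

```shell
#!/bin/sh
# Added example (not from the reviewed skill): the validation checkpoints the
# review asks for, as POSIX sh functions. The "<dump>.sha256" sidecar file and
# the function names are assumptions made for this example.

# Checkpoint 1: did the LiME module actually load? Pass the text of `lsmod` or
# `dmesg` as $1 so the check can also be exercised offline on captured output.
lime_loaded() {
    printf '%s\n' "$1" | grep -qi 'lime'
}

# Record the dump hash immediately after acquisition, before the file is moved
# or copied anywhere, so later transfers can be verified against it.
record_dump_hash() {
    [ -s "$1" ] || { echo "dump missing or empty: $1" >&2; return 1; }
    sha256sum "$1" > "$1.sha256"
}

# Checkpoint 2: the dump exists, is non-empty and still matches the recorded hash.
verify_dump() {
    dump="$1"
    [ -s "$dump" ] || { echo "dump missing or empty: $dump" >&2; return 1; }
    [ -r "$dump.sha256" ] || { echo "no recorded hash for $dump" >&2; return 1; }
    expected=$(cut -d' ' -f1 "$dump.sha256")
    actual=$(sha256sum "$dump" | cut -d' ' -f1)
    [ "$expected" = "$actual" ] || { echo "hash mismatch for $dump" >&2; return 1; }
}

# Checkpoint 3: Volatility can parse the image. A plugin that fails at this point
# usually means no symbol table for the target kernel, so stop before analysis.
# Returns 2 when vol3 is not installed so callers can tell "skipped" from "failed".
verify_vol3_parse() {
    command -v vol3 >/dev/null 2>&1 || { echo "vol3 not on PATH; skipping" >&2; return 2; }
    vol3 -f "$1" linux.pslist >/dev/null 2>&1
}
```

Run `lime_loaded "$(lsmod)"` right after `insmod`, then `record_dump_hash` on the fresh dump and `verify_dump` after every copy; `verify_vol3_parse` gates the start of analysis.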
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The 'When to Use' and 'Prerequisites' sections contain generic filler (e.g., 'Familiarity with security operations concepts and tools', 'Appropriate authorization for any testing activities') that Claude already knows and doesn't need. The core technical content is reasonably lean but surrounded by boilerplate. | 2 / 3 |
| Actionability | Provides real commands (insmod, vol3) and a Python snippet, but the Python code is incomplete (no actual execution or output handling), and the LiME command assumes the module is pre-built without showing how to build it. The commands are mostly copy-paste ready but missing key details like building the LiME kernel module or installing Volatility 3. | 2 / 3 |
| Workflow Clarity | The numbered steps list actions but lack any validation checkpoints or error recovery. Memory acquisition is a destructive/one-shot operation and there's no verification that the dump succeeded (e.g., checking file size, hash integrity). There's no guidance on what to do if LiME fails to load or if Volatility can't parse the image. The workflow is a flat list without feedback loops. | 1 / 3 |
| Progressive Disclosure | Content is organized into sections (When to Use, Prerequisites, Instructions, Examples) which provides some structure, but everything is inline in a single file with no references to deeper materials. The Examples section largely duplicates the Instructions section commands, and there's no separation of basic vs. advanced analysis techniques. | 2 / 3 |
| Total | | 7 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation for skill structure: 10 / 11 passed
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |