analyzing-outlook-pst-for-email-forensics
Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments, deleted items, and metadata using libpff, pst-utils, and forensic email analysis tools for legal investigations and incident response.
55
62%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-outlook-pst-for-email-forensics/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, specific description that clearly identifies the domain (Outlook PST/OST forensic analysis), concrete capabilities (message content, headers, attachments, deleted items, metadata extraction), specific tools, and use cases. Its main weakness is the lack of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill. The description is well-written in third person and avoids vague language.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user needs to examine PST or OST files, perform email forensics, recover deleted emails, or analyze Outlook mailbox data for investigations.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions and artifacts: 'message content, headers, attachments, deleted items, and metadata' along with specific tools ('libpff, pst-utils, and forensic email analysis tools') and use cases ('legal investigations and incident response'). | 3 / 3 |
Completeness | The 'what' is very well covered (analyze PST/OST files for forensic evidence including specific data types). However, there is no explicit 'Use when...' clause or equivalent trigger guidance — the when is only implied through the mention of 'legal investigations and incident response'. Per rubric guidelines, missing explicit trigger guidance caps this at 2. | 2 / 3 |
Trigger Term Quality | Excellent coverage of natural terms users would say: 'PST', 'OST', 'Outlook', 'email forensic', 'headers', 'attachments', 'deleted items', 'metadata', 'legal investigations', 'incident response'. These are terms a forensic analyst or investigator would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche: Microsoft Outlook PST/OST forensic analysis with specific tools (libpff, pst-utils). This is unlikely to conflict with general email skills, document analysis skills, or other forensic skills due to the very specific file formats and tooling mentioned. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
42%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides genuinely useful, executable code for PST forensic analysis with good tool coverage (pffexport CLI and Python pypff). However, it is significantly bloated with explanatory content Claude doesn't need (PST format background, generic 'When to Use' boilerplate), an overly long fabricated example output, and lacks the structured forensic workflow with validation checkpoints that this domain demands. The content would benefit greatly from trimming and restructuring.
Suggestions
Remove the overview paragraph explaining what PST/OST files are and the 'When to Use' boilerplate section—Claude already knows these concepts.
Add an explicit numbered forensic workflow with validation checkpoints: hash the source PST first, verify extraction counts, validate attachment integrity, and include error recovery steps.
Move the large Python class to a separate referenced file (e.g., pst_analyzer.py) and keep only a concise usage example in SKILL.md.
Trim the example output section to ~20 lines showing key forensic findings rather than the current ~60+ lines of fabricated scenario data.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The overview paragraph explains what PST/OST files are, MAPI, page sizes, and file size limits—all information Claude already knows. The 'When to Use' section is generic boilerplate. The Python class is ~120 lines when a more focused snippet would suffice. The example output section is extremely long with fabricated forensic scenarios that add bulk without teaching actionable technique. | 1 / 3 |
Actionability | The skill provides fully executable code: concrete pffexport commands with flags, a complete Python class using pypff with proper imports and a main() entry point, and a clear file location table. The code is copy-paste ready and covers extraction, attachment saving, and report generation. | 3 / 3 |
Workflow Clarity | While the skill shows individual tools and code, it lacks an explicit sequenced workflow with validation checkpoints. There's no clear 'first do X, then validate Y, then proceed to Z' structure. For forensic work involving evidence integrity, there are no hash verification steps on the source PST before analysis, no chain-of-custody validation, and no error recovery feedback loops. | 2 / 3 |
Progressive Disclosure | Everything is in a single monolithic file with no references to supporting files. The massive Python class and lengthy example output could be split into separate files. The References section links to external URLs but there's no bundle structure to organize the content. Over 200 lines of code and example output are inline. | 1 / 3 |
Total | 7 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
0445030
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.