analyzing-outlook-pst-for-email-forensics
Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments, deleted items, and metadata using libpff, pst-utils, and forensic email analysis tools for legal investigations and incident response.
55
62%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-outlook-pst-for-email-forensics/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong description with excellent specificity, rich trigger terms, and a very distinct niche in email forensics. Its main weakness is the lack of an explicit 'Use when...' clause, which means the trigger conditions are only implied rather than stated. Adding explicit trigger guidance would elevate this from a good to an excellent description.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user needs to examine Outlook PST or OST files, recover deleted emails, extract email metadata, or perform email forensic analysis for legal or incident response purposes.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions and artifacts: 'message content, headers, attachments, deleted items, and metadata' along with specific tools 'libpff, pst-utils, and forensic email analysis tools' and use cases 'legal investigations and incident response'. | 3 / 3 |
Completeness | The 'what' is thoroughly covered (analyze PST/OST files for various forensic evidence types), but there is no explicit 'Use when...' clause or equivalent trigger guidance. The when is only implied through the mention of 'legal investigations and incident response'. | 2 / 3 |
Trigger Term Quality | Excellent coverage of natural terms a user would use: 'Outlook', 'PST', 'OST', 'email forensic', 'headers', 'attachments', 'deleted items', 'metadata', 'legal investigations', 'incident response'. These are terms professionals in this domain would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche: Microsoft Outlook PST/OST forensic analysis is very specific and unlikely to conflict with other skills. The combination of file formats (PST, OST), specific tools (libpff, pst-utils), and domain (email forensics) creates a clear, unique identity. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
42%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides genuinely actionable, executable code for PST forensic analysis with good tool coverage (pffexport CLI and Python pypff). However, it is significantly bloated with unnecessary explanations Claude already knows (PST format details, MAPI background), generic 'When to Use' boilerplate, and an extremely long fabricated example output. The monolithic structure with no progressive disclosure makes it token-inefficient, and the lack of explicit forensic validation steps (evidence hashing, integrity verification) is a notable gap for a forensics-focused skill.
Suggestions
Remove the overview paragraph explaining what PST/OST files are and the 'When to Use' boilerplate—Claude already knows these concepts. Start directly with file locations and tool usage.
Add explicit forensic validation steps: hash the PST file before analysis (SHA-256), verify write-blocker usage, and include a chain-of-custody checkpoint before proceeding with extraction.
Move the large Python class to a separate referenced file (e.g., pst_analyzer.py) and keep only a concise usage example in SKILL.md.
Trim the example output to ~15 lines showing key forensic findings rather than the current 60+ line fabricated scenario.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The overview paragraph explains what PST/OST files are, MAPI, page sizes, and file size limits—all information Claude already knows. The 'When to Use' section is generic boilerplate. The Python class is ~120 lines when a more focused snippet would suffice. The example output section is extremely verbose with fabricated forensic scenarios that pad the content significantly. | 1 / 3 |
Actionability | The skill provides fully executable code: concrete pffexport commands with flags, a complete Python class using pypff with proper imports and a main() entry point, and a clear file locations table. The code is copy-paste ready and covers extraction, attachment saving, and report generation. | 3 / 3 |
Workflow Clarity | While the code itself has a logical flow (open → process folders → extract messages → save attachments → generate report), there is no explicit multi-step forensic workflow with validation checkpoints. For forensic work involving evidence integrity, there are no hash verification steps for the PST file before analysis, no chain-of-custody considerations, and no explicit validate-then-proceed checkpoints. | 2 / 3 |
Progressive Disclosure | The content is a monolithic wall of text with everything inline—a large Python class, extensive example output, header reference tables, and file location tables all in one file with no references to supporting files. The 120+ line Python class and 60+ line example output should be in separate referenced files. | 1 / 3 |
Total | 7 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
0f429d0
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.