analyzing-outlook-pst-for-email-forensics
Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments, deleted items, and metadata using libpff, pst-utils, and forensic email analysis tools for legal investigations and incident response.
72
66%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-outlook-pst-for-email-forensics/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, specific description that clearly identifies the domain (Outlook email forensics), concrete capabilities (message content, headers, attachments, deleted items, metadata extraction), specific tools (libpff, pst-utils), and use cases (legal investigations, incident response). Its main weakness is the lack of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill. The trigger terms are excellent and naturally match what forensic analysts would say.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user needs to examine Outlook PST or OST files, recover deleted emails, extract email metadata for forensic analysis, or investigate email-based incidents.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions and artifacts: 'message content, headers, attachments, deleted items, and metadata' along with specific tools (libpff, pst-utils). Also specifies concrete use cases: 'legal investigations and incident response'. | 3 / 3 |
Completeness | The 'what' is very well covered (analyze PST/OST files for various forensic evidence types using specific tools). However, there is no explicit 'Use when...' clause or equivalent trigger guidance — the when is only implied through the domain context. Per rubric guidelines, this caps completeness at 2. | 2 / 3 |
Trigger Term Quality | Excellent coverage of natural terms a user would say: 'PST', 'OST', 'Outlook', 'email forensic', 'deleted items', 'attachments', 'headers', 'incident response', 'legal investigations'. These are terms a forensic analyst or investigator would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche: Microsoft Outlook PST/OST forensic analysis with specific tools (libpff, pst-utils) and specific contexts (legal investigations, incident response). Very unlikely to conflict with other skills. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
50%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides genuinely actionable, executable code and commands for PST forensic analysis, which is its primary strength. However, it is significantly bloated with unnecessary explanations (PST format details, generic 'When to Use' boilerplate), an overly long Python class that could be more focused, and a fabricated example output that consumes substantial tokens without adding proportional value. The lack of an explicit forensic workflow with validation checkpoints (hash verification, chain of custody steps) is a notable gap for a forensics-focused skill.
Suggestions
Remove the overview paragraph explaining what PST/OST files are and the 'When to Use' boilerplate—Claude already knows this context.
Add an explicit numbered forensic workflow with validation checkpoints: hash the PST before analysis, verify export completeness, validate chain of custody documentation.
Trim the example output to 20-30 lines showing key forensic findings rather than the current ~70 lines of fabricated narrative.
Move the full Python class to a separate referenced file and keep only a concise usage snippet in the main SKILL.md.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The overview paragraph explains what PST/OST files are, MAPI, Unicode vs ANSI formats, and page sizes—all information Claude already knows. The 'When to Use' section is generic boilerplate. The Python class is extremely verbose (~120 lines) when a more focused snippet would suffice. The example output section is massive and largely fabricated narrative rather than actionable guidance. | 1 / 3 |
Actionability | The skill provides fully executable code: concrete pffexport commands with flags, a complete Python class using pypff with proper imports and a main() entry point, and a clear file path reference table. The code is copy-paste ready and covers extraction, attachment saving, and report generation. | 3 / 3 |
Workflow Clarity | While the skill shows individual tools and code, there's no explicit sequenced workflow tying the steps together (e.g., acquire → verify integrity → export → analyze → report). There are no validation checkpoints such as hash verification of the PST before analysis, or integrity checks after extraction—important for forensic work where chain of custody matters. | 2 / 3 |
Progressive Disclosure | The content is largely monolithic—a massive Python class and lengthy example output are inline rather than referenced. The References section links to external resources but there's no internal file splitting or clear navigation structure. The header analysis table and file locations table are well-organized, but the overall document would benefit from splitting the code and examples into separate files. | 2 / 3 |
Total | 8 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
c15f73d
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.