CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-pdf-malware-with-pdfid

Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded JavaScript, shellcode, exploits, and suspicious objects without opening the document. Determines the attack vector and extracts embedded payloads for further analysis. Activates for requests involving PDF malware analysis, malicious document analysis, PDF exploit investigation, or suspicious attachment triage.

68

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is highly actionable with concrete commands and runnable scripts arranged in a clear six-step workflow, but it is held back by redundancy (duplicated keyword listings and overlap with the reference file) and by never pointing to its own bundle files. Adding validation checkpoints and cross-referencing the bundles would lift the weaker dimensions.

Suggestions

Link the bundle files from the body (e.g. "See references/api-reference.md for full keyword/CVE tables and tool syntax" and "Use scripts/agent.py for automated triage") instead of duplicating that content inline, and remove the duplicated Step 1 keyword block to tighten conciseness.

Add explicit validation checkpoints to the workflow, e.g. after stream decompression confirm the FlateDecode/ASCII85 result is valid and retry alternate filters, and after Step 5 PE extraction verify the MZ/PE size from the header rather than slicing a fixed 100000 bytes.

Move the detailed risk-assessment tables and CVE/YARA reference material into references/api-reference.md so the SKILL.md body stays a lean overview that points one level deep.

DimensionReasoningScore

Conciseness

Step 1 lists the suspicious keywords twice (bash comments and a separate risk-assessment block) and the body overlaps heavily with references/api-reference.md (keyword/CVE tables, tool syntax), so it is mostly efficient but padded; not 3 because of the duplication, not 1 because the content is technical and largely earned.

2 / 3

Actionability

Provides concrete executable commands (e.g. "pdf-parser --object 5 --filter --raw suspect.pdf", "pdfid -e suspect.pdf") and complete copy-paste Python scripts for JS/PE/URL extraction, matching the fully-executable anchor; not 2 because the code is real rather than pseudocode.

3 / 3

Workflow Clarity

The six-step sequence is clearly ordered but lacks explicit validation/feedback loops, and Step 5's batch PE extraction takes a hardcoded 100000-byte slice with no verification, capping clarity at 2 per the destructive/batch guideline; not 3 because checkpoints are implicit, not 1 because the sequence is explicit.

2 / 3

Progressive Disclosure

Sections are well organized, but the body never signals or links the existing references/api-reference.md or scripts/agent.py while duplicating their content inline, fitting the "references present but not clearly signaled" anchor; not 3 because navigation to the bundles is missing, not 1 because it is sectioned rather than monolithic.

2 / 3

Total

9

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific, third-person, and complete, naming concrete actions, tools, and explicit activation triggers with strong natural keyword coverage. It occupies a clear, low-conflict niche and reads as a model skill description.

DimensionReasoningScore

Specificity

Lists multiple concrete actions ("identify embedded JavaScript, shellcode, exploits, and suspicious objects", "Determines the attack vector and extracts embedded payloads") plus named tools, matching the multi-action anchor rather than the single-domain anchor at 2.

3 / 3

Completeness

Clearly states what it does and provides an explicit when clause ("Activates for requests involving..."), satisfying both halves; not 2 because the trigger guidance is explicit rather than implied.

3 / 3

Trigger Term Quality

Explicit natural triggers ("PDF malware analysis, malicious document analysis, PDF exploit investigation, or suspicious attachment triage") are phrasings a security analyst would actually say, giving good coverage rather than just "some relevant keywords" at 2.

3 / 3

Distinctiveness Conflict Risk

A narrow niche (malicious-PDF static analysis with PDFiD/pdf-parser/peepdf) with distinct triggers unlikely to conflict with general PDF skills; not 2 since the scope is tightly bounded to malware analysis.

3 / 3

Total

12

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.