
analyzing-pdf-malware-with-pdfid

Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded JavaScript, shellcode, exploits, and suspicious objects without opening the document. Determines the attack vector and extracts embedded payloads for further analysis. Activates for requests involving PDF malware analysis, malicious document analysis, PDF exploit investigation, or suspicious attachment triage.

60

Quality: 71% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security (by Snyk): Advisory. Suggest reviewing before use.


Quality

Content

42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides highly actionable, executable guidance for PDF malware analysis with real commands and scripts, which is its primary strength. However, it is severely bloated with explanatory content Claude doesn't need (glossary tables, tool descriptions, concept definitions), lacks validation checkpoints in its workflow for what are inherently risky forensic operations, and dumps everything into a single monolithic file rather than using progressive disclosure to manage complexity.

Suggestions

Remove the Key Concepts table and Tools & Systems section entirely — Claude already knows what PDF objects, FlateDecode, and shellcode are, and tool descriptions add no actionable value.

Move the Common Scenarios section and Output Format template to separate referenced files (e.g., SCENARIOS.md, REPORT_TEMPLATE.md) to reduce the main skill's token footprint.

Add explicit validation checkpoints between steps — e.g., 'Verify PDFiD output shows suspicious indicators before proceeding to Step 2' and 'Confirm stream decompression succeeded (non-empty output) before analyzing JavaScript.'

Trim the PDFiD risk assessment block — the inline comments in the bash command already explain each keyword; the separate formatted table is redundant.
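The two checkpoints suggested above (suspicious indicators before any stream work, non-empty inflate output before JavaScript analysis), shown as an added example that is not part of the reviewed skill and is not code from pdfid.py or pdf-parser. PDFiD counts keywords in the raw bytes only, so a script body that sits inside a FlateDecode stream never shows up in its output; the script below repeats PDFiD's keyword count (including the #xx name-escape normalisation), gates the stream stage on that count, inflates each FlateDecode stream, records an inflate failure or empty result instead of silently continuing, and only then looks for Acrobat JavaScript API names. The PDF it scans is constructed inline. The whole-token regexes, the 300-byte look-back for the stream dictionary, the delimiter-based stream extraction and the JS_API list are my own simplifications, not PDFiD or pdf-parser behaviour.

```python
"""PDFiD-style triage with explicit checkpoints (added example, not pdfid.py)."""
import re
import zlib

# Keywords PDFiD reports (the /Colors > 2^24 check is omitted here).
KEYWORDS = [
    b"obj", b"endobj", b"stream", b"endstream", b"xref", b"trailer", b"startxref",
    b"/Page", b"/Encrypt", b"/ObjStm", b"/JS", b"/JavaScript", b"/AA", b"/OpenAction",
    b"/AcroForm", b"/JBIG2Decode", b"/RichMedia", b"/Launch", b"/EmbeddedFile", b"/XFA",
]
# Any of these present is the checkpoint that justifies stream analysis (my choice of set).
SUSPICIOUS = {b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch",
              b"/EmbeddedFile", b"/RichMedia", b"/JBIG2Decode", b"/XFA"}
# Acrobat JavaScript API names to look for once a stream has been inflated (assumed list).
JS_API = [b"app.", b"eval(", b"unescape(", b"String.fromCharCode", b"util.printf"]


def normalise_names(data: bytes) -> bytes:
    """Undo #xx hex escapes so /J#61vaScript is counted as /JavaScript (scan copy only)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """Step 1: whole-token counts ('obj' must not match 'endobj', '/Page' not '/Pages')."""
    scan = normalise_names(data)
    return {kw.decode(): len(re.findall(rb"(?<![A-Za-z])" + re.escape(kw) + rb"(?![A-Za-z0-9])", scan))
            for kw in KEYWORDS}


def inflate_streams(data: bytes) -> list:
    """Step 2: locate streams, inflate FlateDecode ones, verify each result is non-empty.
    Delimiter-based extraction is a triage shortcut; pdf-parser honours /Length instead."""
    results = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.DOTALL):
        preceding = data[max(0, m.start() - 300):m.start()]  # the stream dictionary sits just before it
        entry = {"offset": m.start(), "filter": "FlateDecode" if b"/FlateDecode" in preceding else "none"}
        content = m.group(1)
        if entry["filter"] == "FlateDecode":
            try:
                content = zlib.decompress(content)
            except zlib.error as exc:  # truncated or deliberately corrupted stream: record it, do not guess
                entry["status"] = "inflate failed: %s" % exc
                results.append(entry)
                continue
        entry["status"] = "ok" if content else "empty"  # checkpoint: empty output is not analysable
        entry["content"] = content
        entry["js_api"] = [a.decode() for a in JS_API if a in content]
        results.append(entry)
    return results


def triage(data: bytes) -> dict:
    """Run step 1, stop unless suspicious keywords exist, then run step 2."""
    counts = count_keywords(data)
    suspicious = {k: v for k, v in counts.items() if k.encode() in SUSPICIOUS and v > 0}
    report = {"counts": counts, "suspicious": suspicious, "streams": []}
    if not suspicious:
        report["verdict"] = "no suspicious keywords; stop here"
        return report
    report["streams"] = inflate_streams(data)
    has_js = any(s.get("js_api") for s in report["streams"])
    report["verdict"] = ("JavaScript body found in inflated stream" if has_js
                         else "suspicious keywords, no JavaScript body located")
    return report


def build_sample_pdf(js: bytes = b"app.alert('constructed sample');") -> bytes:
    """Constructed minimal PDF (not a real-world sample): /OpenAction points at a
    JavaScript action whose name is hex-escaped and whose body is FlateDecode-compressed."""
    body = zlib.compress(js)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n",
        b"4 0 obj\n<< /S /J#61vaScript /JS 5 0 R >>\nendobj\n",
        b"5 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body),
        body, b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    rep = triage(build_sample_pdf())
    print({k: v for k, v in rep["counts"].items() if v})
    print(rep["suspicious"], rep["verdict"])
    for s in rep["streams"]:
        print(s["offset"], s["filter"], s["status"], s.get("js_api"), s.get("content"))
```

Run stand-alone it prints the non-zero keyword counts, the suspicious subset, and the inflated script body. On the constructed file the raw count shows /OpenAction, /JS and the de-escaped /JavaScript but no script text; only the inflate stage exposes the app.alert call, which is exactly the gap a PDFiD-only triage leaves. With the real tools the same two steps map onto pdfid.py followed by pdf-parser.py -o 5 -f on the object the /JS reference points at.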

Dimension / Reasoning / Score

Conciseness (1 / 3)

The skill is extremely verbose at ~300+ lines. It explains concepts Claude already knows (what a PDF Object is, what FlateDecode is, what OpenAction means), includes a full glossary table of basic terms, and has extensive commentary that doesn't add actionable value. The risk assessment table, key concepts table, and tools descriptions are largely redundant for Claude.

Actionability (3 / 3)

The skill provides fully executable bash commands and Python scripts throughout. Commands are copy-paste ready with specific tool invocations, flags, and output parsing. The Python extraction scripts are complete and functional, not pseudocode.

Workflow Clarity (2 / 3)

The 6-step workflow is clearly sequenced and logically ordered from triage through reporting. However, there are no explicit validation checkpoints or feedback loops — for example, no step verifies that extracted shellcode is valid before analysis, no verification that JavaScript extraction succeeded before proceeding to deobfuscation, and no error handling guidance for when tools fail or produce unexpected output.

Progressive Disclosure (1 / 3)

The entire skill is a monolithic wall of content with no references to external files. Everything — tool descriptions, key concepts glossary, common scenarios, output format templates — is inlined into a single massive document. The Key Concepts table, Tools & Systems section, and Common Scenarios section could all be separate reference files, significantly reducing the main skill's token footprint.

Total: 7 / 12 (Passed)

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly defines a specific security-focused niche. It lists concrete tools and actions, provides natural trigger terms a security analyst would use, and explicitly states both what the skill does and when it should activate. The description is concise yet comprehensive with no fluff or vague language.

Dimension / Reasoning / Score

Specificity (3 / 3)

Lists multiple specific concrete actions: analyzes malicious PDFs using named tools (PDFiD, pdf-parser, peepdf), identifies embedded JavaScript/shellcode/exploits/suspicious objects, determines attack vectors, and extracts embedded payloads. Very concrete and detailed.

Completeness (3 / 3)

Clearly answers both what (analyzes malicious PDFs to identify embedded threats and extract payloads) and when ('Activates for requests involving PDF malware analysis, malicious document analysis, PDF exploit investigation, or suspicious attachment triage'). Explicit trigger guidance is present.

Trigger Term Quality (3 / 3)

Excellent coverage of natural terms users would say: 'malicious PDF', 'PDF malware analysis', 'malicious document analysis', 'PDF exploit', 'suspicious attachment triage', 'shellcode', 'JavaScript'. These are terms a security analyst would naturally use.

Distinctiveness / Conflict Risk (3 / 3)

Highly distinctive niche: malicious PDF analysis with specific security tools. Unlikely to conflict with general PDF processing skills due to the clear focus on malware/exploit analysis and named forensic tools.

Total: 12 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
