
analyzing-persistence-mechanisms-in-linux

Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring

66

Quality

58%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

Security by Snyk

Passed

No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/analyzing-persistence-mechanisms-in-linux/SKILL.md

Quality

Discovery

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong, technically specific description that clearly enumerates the concrete persistence mechanisms and detection tools it covers. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The trigger terms are excellent for the security domain and the skill is highly distinctive.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about detecting backdoors, investigating Linux persistence, hunting for unauthorized crontab/systemd/bashrc changes, or performing host-based threat hunting.'

Dimension / Reasoning / Score

Specificity

Lists multiple specific concrete actions and mechanisms: crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, authorized_keys backdoors, auditd, and file integrity monitoring. These are highly specific and actionable.

3 / 3

Completeness

The 'what' is very well covered (detect and analyze Linux persistence mechanisms using specific tools), but there is no explicit 'Use when...' clause or equivalent trigger guidance telling Claude when to select this skill. Per rubric guidelines, this caps completeness at 2.

2 / 3

Trigger Term Quality

Excellent coverage of natural terms a security professional would use: 'persistence mechanisms', 'crontab', 'systemd', 'LD_PRELOAD', 'bashrc', 'authorized_keys', 'auditd', 'file integrity monitoring'. These are all terms users would naturally mention when dealing with this domain.

3 / 3

Distinctiveness Conflict Risk

Highly distinctive niche focused specifically on Linux persistence mechanism detection. The combination of specific attack vectors (LD_PRELOAD hijacking, authorized_keys backdoors) and specific tools (auditd, file integrity monitoring) makes it very unlikely to conflict with other skills.

3 / 3

Total: 11 / 12 (Passed)

Implementation

35%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill reads more like a high-level checklist or table of contents than an actionable skill. It correctly identifies the persistence vectors and logical investigation sequence, but critically lacks any concrete commands, code snippets, or executable examples that would allow Claude to actually perform the analysis. The workflow is sequenced but missing validation checkpoints essential for forensic investigation tasks.

Suggestions

Add concrete, executable commands for each step (e.g., `crontab -l -u <user>`, `ausearch -f /etc/cron.d -ts recent`, `find / -name authorized_keys -exec cat {} \;`) instead of abstract descriptions.

Include a Python script or shell script example that performs the scan and produces the JSON report described in Expected Output, with a sample output schema.

Add validation checkpoints such as verifying auditd is running (`auditctl -s`), confirming audit rules exist for persistence paths (`auditctl -l | grep cron`), and checking for sufficient log retention before attempting correlation.

Remove or condense the generic 'When to Use' section, which adds no value specific to this skill and wastes tokens.
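As an added illustration of the suggestions above (not part of the reviewed skill and not Tessl's own code), a Python sketch that runs the named checks (ld.so.preload entries, crontab commands, authorized_keys options, and the auditd checkpoint) and emits a JSON report. The sample inputs are constructed, and the helper names, the scratch-directory watch list and the report schema are assumptions:

```python
import json
import subprocess

# Constructed sample inputs (not captured from any real host).
SAMPLE_PRELOAD = "/usr/lib/x86_64-linux-gnu/libexample-hook.so\n"
SAMPLE_CRON = ("# m h dom mon dow command\n*/5 * * * * /tmp/.cache/update.sh\n"
               "0 3 * * * /usr/bin/apt update\n")
SAMPLE_KEYS = ('command="/usr/local/bin/helper" ssh-ed25519 AAAAC3example unknown-host\n'
               "ssh-ed25519 AAAAC3example user@laptop\n")
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")  # assumed watch list

def _lines(text):
    """Non-empty, non-comment lines; parsers take text so samples and live files share logic."""
    return [l.rstrip() for l in text.splitlines() if l.strip() and not l.startswith("#")]

def check_preload(text):
    """Normally absent or empty; each listed library is loaded into every dynamic process."""
    return _lines(text)

def check_crontab(text):
    """Per-user crontab (5 schedule fields or an @tag, then command): flag scratch/dot-dir commands."""
    hits = []
    for l in _lines(text):
        cmd = " ".join(l.split()[1:] if l.startswith("@") else l.split()[5:])
        if cmd.startswith(SCRATCH_DIRS) or "/." in cmd:
            hits.append(l)
    return hits

def check_authorized_keys(text):
    """Plain key lines start with the key type; others carry options (e.g. command=) worth review."""
    return [l for l in _lines(text) if not l.startswith(("ssh-", "ecdsa-", "sk-"))]

def auditd_running():
    """Checkpoint: auditctl -s prints 'enabled 1' (2 if locked) when auditd is active; else False."""
    try:
        out = subprocess.run(["auditctl", "-s"], capture_output=True, text=True, timeout=5).stdout
    except (OSError, subprocess.SubprocessError):
        return False
    return any(l.split()[:2] in (["enabled", "1"], ["enabled", "2"]) for l in out.splitlines())

def report(preload, cron, keys, auditd_ok):
    """Assumed report schema: the auditd checkpoint plus one record per finding."""
    groups = (("ld_preload", preload), ("crontab", cron), ("authorized_keys", keys))
    return {"auditd_enabled": auditd_ok,
            "findings": [{"type": t, "evidence": e} for t, items in groups for e in items]}

if __name__ == "__main__":
    print(json.dumps(report(check_preload(SAMPLE_PRELOAD), check_crontab(SAMPLE_CRON),
                            check_authorized_keys(SAMPLE_KEYS), auditd_running()), indent=2))
```

On a live host the same parsers would be fed the contents of /etc/ld.so.preload, each user's `crontab -l -u <user>` output and every authorized_keys file; a false `auditd_enabled` means auditd correlation should not be attempted until the service is confirmed running.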

Dimension / Reasoning / Score

Conciseness

The content includes some unnecessary filler (e.g., 'When to Use' bullets are generic and could apply to any security skill, the overview restates what the title already conveys). However, it's not excessively verbose—mostly structured lists without deep explanations of concepts Claude already knows.

2 / 3

Actionability

The skill provides no concrete code, commands, or executable examples. Every step is a high-level description ('Enumerate all user crontabs', 'Check /etc/ld.so.preload') without specifying the actual commands, scripts, or code to run. This is vague direction rather than actionable guidance.

1 / 3

Workflow Clarity

Steps are listed in a logical sequence and numbered, but there are no validation checkpoints, no error handling, and no feedback loops. For a multi-step investigation involving file integrity and auditd correlation, the absence of verification steps (e.g., confirming auditd is running, validating log availability) is a significant gap.

2 / 3

Progressive Disclosure

The content has reasonable section structure (Overview, Prerequisites, Steps, Expected Output), but all content is inline with no references to deeper materials. The steps section could benefit from linking to detailed sub-procedures or example scripts rather than keeping everything at a shallow summary level.

2 / 3

Total: 7 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total: 10 / 11 (Passed)

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed
