CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-persistence-mechanisms-in-linux

Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring

62

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The content is concise and well-structured but scores lower on actionability, workflow clarity, and progressive disclosure because it neither embeds executable commands nor references the existing scripts/agent.py and references/api-reference.md, and it lacks validation checkpoints for the batch auditing workflow.

Suggestions

Reference the existing bundle from the body: add a step like 'Run `python scripts/agent.py` to automate the scan' and 'See references/api-reference.md for the full auditd rules and per-vector commands'.

Add validation checkpoints, e.g. 'Verify auditd watch rules are loaded (`auditctl -l`) before correlating logs' and 'Confirm each finding's file timestamp before scoring risk'.

Include at least one concrete executable command inline (e.g. the crontab/systemd enumeration commands already in the API reference) so the Steps are copy-paste ready.

DimensionReasoningScore

Conciseness

The body is lean and efficient with no padding or explanation of concepts Claude already knows (no definitions of cron/systemd/LD_PRELOAD), and every section earns its place; matches the score-3 anchor for assuming Claude's competence.

3 / 3

Actionability

Steps name concrete targets (e.g. '/etc/cron.d/', '/etc/ld.so.preload', 'authorized_keys') but provide no executable commands or code in the body, and the provided scripts/agent.py and references/api-reference.md are never invoked or referenced; matches score-2 'some concrete guidance but incomplete' rather than score 3 because nothing is copy-paste ready.

2 / 3

Workflow Clarity

Steps are clearly numbered and sequenced (1–7), but there are no validation/verification checkpoints for batch auditing operations, which caps workflow clarity at 2 per the scoring notes; not score 1 because the sequence is explicit, and not score 3 because no validate-fix-retry feedback loop is present.

2 / 3

Progressive Disclosure

Bundle files exist (references/api-reference.md, scripts/agent.py) and content is well-organized into sections, but neither bundle is signaled or linked from the body, so navigation to the supporting material is poor; matches score-2 'references present but not clearly signaled' rather than score 3.

2 / 3

Total

9

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific and distinctive, enumerating concrete persistence vectors and tooling with natural trigger terms, but it omits an explicit 'Use when...' trigger clause, which caps its completeness. Adding a 'Use when...' sentence would raise the completeness dimension.

Suggestions

Add an explicit 'Use when...' clause, e.g. 'Use when investigating Linux persistence, hunting for backdoors, or validating monitoring coverage for crontab/systemd/LD_PRELOAD/SSH-key persistence.'

Consider including common natural phrasings like 'backdoors' or 'persistence hunting' as trigger terms to broaden natural-language matching.

DimensionReasoningScore

Specificity

Lists multiple concrete actions and vectors — 'Detect and analyze', 'crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring' — matching the score-3 anchor for enumerating specific concrete actions; not score 2 because coverage is comprehensive rather than partial.

3 / 3

Completeness

Clearly answers 'what' (detect and analyze persistence mechanisms) but lacks any 'Use when...' clause or equivalent explicit trigger guidance, so completeness is capped at 2 per the judging guidelines; not score 3 because 'when' is only implied, and not score 1 because the 'what' is explicit and specific.

2 / 3

Trigger Term Quality

Contains natural domain terms a threat hunter would say — 'Linux persistence', 'crontab', 'systemd', 'LD_PRELOAD', 'bashrc', 'authorized_keys', 'auditd' — giving good coverage of likely user phrasing; not score 2 because the keyword set is broad rather than missing common variations.

3 / 3

Distinctiveness Conflict Risk

Targets a clear niche with highly specific vectors (LD_PRELOAD hijacking, authorized_keys backdoors) and named tooling (auditd), making it unlikely to trigger for the wrong skill; not score 2 because the named vectors and tools are distinctive rather than generic.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.