Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring
52
58%
Impact: no eval scenarios have been run
Advisory: suggest reviewing before use
Optimize this skill with Tessl: npx tessl skill review --optimize ./skills/analyzing-persistence-mechanisms-in-linux/SKILL.md
Quality
Discovery
82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, technically specific description that clearly enumerates the concrete persistence mechanisms and tools involved. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The technical terminology is well-chosen and would match natural user queries in the security domain.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when investigating Linux host compromise, hunting for persistence, or auditing system configurations for backdoors.'
Consider adding broader trigger terms like 'incident response', 'threat hunting', or 'post-exploitation' to capture users who may not name specific mechanisms.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions and mechanisms: crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, authorized_keys backdoors, auditd, and file integrity monitoring. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' with specific detection and analysis capabilities, but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric. | 2 / 3 |
| Trigger Term Quality | Excellent coverage of natural keywords a security professional would use: 'persistence mechanisms', 'crontab', 'systemd', 'LD_PRELOAD', 'bashrc', 'authorized_keys', 'auditd', 'file integrity monitoring', 'backdoors'. These are terms users would naturally mention. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche in Linux persistence mechanism detection. The specific enumeration of mechanisms (crontab, systemd, LD_PRELOAD, bashrc, authorized_keys) and tools (auditd, file integrity monitoring) makes it very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
35%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a table of contents or checklist than actionable guidance. It identifies the right persistence vectors and follows a logical sequence, but critically lacks any concrete commands, code, regex patterns, auditd queries, or example outputs that would make it executable. Claude would need to rely entirely on its own knowledge to implement every step, which defeats the purpose of a skill file.
Suggestions
Add concrete, executable commands for each step — e.g., specific `ausearch` queries for auditd correlation, `find` commands for authorized_keys discovery, grep patterns for LD_PRELOAD detection, and `systemctl` commands for unit auditing.
Include at least one complete code example (e.g., a Python script or shell script) that demonstrates scanning one persistence vector end-to-end with sample output.
Add an example of the expected JSON output schema so Claude knows the exact format to produce.
Remove the generic 'When to Use' section entirely — it adds no value Claude can't infer — and use that space for actionable detection logic.
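One way to act on the second and third suggestions above (a complete end-to-end scan of a persistence vector, with a fixed JSON output schema), written here as an added example that is not code from the reviewed skill or from Tessl. It covers two of the vectors the skill names, LD_PRELOAD hijacking and authorized_keys backdoors, against a root prefix that can be `/` on a live host or a mounted image. The `APPROVED` allowlist, the `build_fixture()` files and every key blob and library path in them are constructed sample values; the `RISKY_KEY_OPTS` names are real authorized_keys options.

```python
#!/usr/bin/env python3
"""Scan a Linux root prefix for LD_PRELOAD hijacks and suspicious authorized_keys
entries; emit one JSON object per finding.  Stdlib only; sample data is constructed."""
import json
import re
import shlex
import sys
import tempfile
from pathlib import Path

# Profile/rc files where an LD_PRELOAD export would take effect at login.
RC_GLOBS = ("etc/profile", "etc/bash.bashrc", "etc/profile.d/*.sh",
            "root/.bashrc", "root/.profile", "home/*/.bashrc", "home/*/.profile")
LD_PRELOAD_RE = re.compile(r"^\s*(?:export\s+)?LD_PRELOAD=(.+)$")
# Key-type prefixes that mark where the key material starts on an authorized_keys line.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-", "ssh-dss", "sk-")
# authorized_keys options that change what a key can do; worth review on any key.
RISKY_KEY_OPTS = ("command=", "environment=", "permitopen=", "tunnel=")
# Constructed allowlist of approved key blobs (the base64 field of a key line).
APPROVED = frozenset({"AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY0001"})


def _rel(root, p):
    return "/" + p.relative_to(root).as_posix()


def _lines(p):
    return enumerate(p.read_text(errors="replace").splitlines(), 1)


def scan_ld_preload(root):
    """Return a finding for every library named in ld.so.preload or exported in an rc file."""
    root, findings = Path(root), []
    preload = root / "etc/ld.so.preload"
    if preload.is_file():
        for n, line in _lines(preload):
            lib = line.strip()
            if lib and not lib.startswith("#"):
                findings.append({"vector": "ld_preload", "file": "/etc/ld.so.preload",
                                 "line": n, "library": lib})
    for pattern in RC_GLOBS:
        for rc in sorted(root.glob(pattern)):
            if rc.is_file():
                for n, line in _lines(rc):
                    m = LD_PRELOAD_RE.match(line)
                    if m:
                        findings.append({"vector": "ld_preload", "file": _rel(root, rc),
                                         "line": n, "library": m.group(1).strip()})
    return findings


def scan_authorized_keys(root, known_blobs=frozenset()):
    """Return one finding per key line that is unknown, carries a risky option, or cannot be parsed."""
    root, findings = Path(root), []
    files = sorted(root.glob("root/.ssh/authorized_keys*")) + sorted(root.glob("home/*/.ssh/authorized_keys*"))
    for ak in files:
        parts = ak.relative_to(root).parts
        user = "root" if parts[0] == "root" else parts[1]
        for n, raw in _lines(ak):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            base = {"vector": "authorized_keys", "user": user, "file": _rel(root, ak), "line": n}
            try:
                tokens = shlex.split(line)  # keeps command="with spaces" as one token
            except ValueError:
                tokens = []
            idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPES)), None)
            if idx is None or idx + 1 >= len(tokens):
                findings.append({**base, "reasons": ["unparseable"]})
                continue
            options, blob = " ".join(tokens[:idx]).lower(), tokens[idx + 1]
            reasons = ["unknown_key"] if blob not in known_blobs else []
            reasons += ["risky_option:" + o for o in RISKY_KEY_OPTS if o in options]
            if reasons:
                findings.append({**base, "key_type": tokens[idx], "options": options,
                                 "comment": " ".join(tokens[idx + 2:]), "reasons": reasons})
    return findings


def scan_root(root, known_blobs=APPROVED):
    return scan_ld_preload(root) + scan_authorized_keys(root, known_blobs)


def build_fixture():
    """Write a constructed root prefix to a temp dir and return its path (demo/test input)."""
    root = Path(tempfile.mkdtemp(prefix="persist-fixture-"))
    files = {
        "etc/ld.so.preload": "/usr/local/lib/libexample-hook.so\n",
        "etc/profile": "export PATH=/usr/local/bin:$PATH\n",  # benign, must not match
        "home/alice/.bashrc": "alias ll='ls -l'\nexport LD_PRELOAD=/home/alice/.cache/libexample.so\n",
        "home/alice/.ssh/authorized_keys":
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY0001 alice@laptop\n"
            'command="/usr/local/bin/example-shell",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY0002 deploy\n',
        "root/.ssh/authorized_keys": "# keys\nssh-rsa AAAAB3NzaC1yc2EAAAAEXAMPLEKEY0003\n",
    }
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return str(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_fixture()
    for finding in scan_root(target):
        print(json.dumps(finding))  # one JSON object per line, stable keys per vector
```

Run it with no argument to scan the constructed fixture, or pass a mount point to scan an image. The schema is deliberately flat (`vector`, `file`, `line`, plus per-vector fields and a `reasons` list) so an agent can filter on `reasons` without further parsing; extending the same pattern to crontab spool files and systemd unit directories is a matter of adding a scanner that yields the same shape.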
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The 'When to Use' section is largely filler that Claude can infer, and the overview restates what the steps already cover. The prerequisites section is useful but could be tighter. Some unnecessary padding but not egregiously verbose. | 2 / 3 |
| Actionability | The skill provides only high-level descriptions of what to do ('Scan crontab entries', 'Check SSH Authorized Keys') without any concrete commands, code snippets, file paths to grep, specific auditd query syntax, or executable examples. It describes rather than instructs. | 1 / 3 |
| Workflow Clarity | Steps are listed in a logical sequence and numbered, but there are no validation checkpoints, no error handling guidance, no feedback loops for when findings are ambiguous, and no concrete verification steps between stages. For a security investigation workflow involving potentially destructive remediation commands, this lacks necessary validation. | 2 / 3 |
| Progressive Disclosure | The content is organized into clear sections (Overview, Prerequisites, Steps, Expected Output), but all content is inline with no references to supporting files. Given there are no bundle files, this is somewhat acceptable, but the skill would benefit from separating detailed detection logic, example outputs, and remediation commands into referenced files. | 2 / 3 |
| Total | | 7 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |