Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring
66
58%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-persistence-mechanisms-in-linux/SKILL.md
Quality
Discovery
82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, technically specific description that clearly enumerates the concrete persistence mechanisms and tools involved, making it highly distinctive and rich in natural trigger terms. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill over others.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about detecting backdoors, investigating Linux persistence, auditing cron jobs, or checking for unauthorized system modifications.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions and mechanisms: crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, authorized_keys backdoors, auditd, and file integrity monitoring. These are highly specific and actionable. | 3 / 3 |
| Completeness | The 'what' is well-covered (detect and analyze Linux persistence mechanisms using specific tools), but there is no explicit 'Use when...' clause or equivalent trigger guidance telling Claude when to select this skill. Per rubric guidelines, this caps completeness at 2. | 2 / 3 |
| Trigger Term Quality | Includes many natural keywords a security professional would use: 'persistence mechanisms', 'crontab', 'systemd', 'LD_PRELOAD', 'bashrc', 'authorized_keys', 'auditd', 'file integrity monitoring', 'backdoors'. These are terms users would naturally mention when dealing with this domain. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive niche focused specifically on Linux persistence mechanism detection. The combination of specific attack vectors (LD_PRELOAD hijacking, authorized_keys backdoors) and monitoring tools (auditd, file integrity monitoring) makes it very unlikely to conflict with other skills. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
35%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a high-level procedure outline than an actionable skill for Claude. It identifies the right persistence vectors and provides a logical sequence, but critically lacks any concrete commands, code snippets, auditd query examples, or detection patterns that would make it executable. The 'When to Use' section adds generic filler without value.
Suggestions
- Add concrete, executable commands for each step (e.g., `crontab -l -u <user>`, `ausearch -k persistence_watch -ts recent`, specific grep/find commands for each persistence path)
- Include a Python script or shell script example that performs the scanning and produces the JSON report described in Expected Output
- Add validation checkpoints such as verifying auditd is running and has the required rules before attempting log correlation
- Remove or significantly condense the 'When to Use' section, which provides generic guidance Claude doesn't need
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content includes some unnecessary filler like the 'When to Use' section with generic bullet points that don't add value for Claude. The overview paragraph is reasonable but could be tighter. The steps are described at a high level without bloat, but the generic applicability statements waste tokens. | 2 / 3 |
| Actionability | The skill provides no concrete code, commands, or executable examples. Every step is described abstractly ('Enumerate all user crontabs', 'Check /etc/ld.so.preload') without showing actual commands, scripts, or specific auditd query syntax. This is entirely descriptive rather than instructive. | 1 / 3 |
| Workflow Clarity | The steps are listed in a logical sequence and numbered, which provides basic workflow structure. However, there are no validation checkpoints, no error handling guidance, and no feedback loops for when findings need deeper investigation or when auditd logs are incomplete. | 2 / 3 |
| Progressive Disclosure | The content has reasonable section organization (Overview, Prerequisites, Steps, Expected Output) but everything is inline with no references to detailed sub-documents. Given the breadth of 7 distinct persistence vectors, the skill would benefit from linking to detailed reference files for each vector's detection commands and patterns. | 2 / 3 |
| Total | 7 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
c15f73d