Content
50%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
A clean, well-organized overview that names the right IOCs, but it stops short of giving executable guidance and fails to link the substantive bundle files (the detection script and SIEM query reference), leaving the workflow implicit.
Suggestions
Reference the bundle files explicitly, e.g. "## Detection — run scripts/agent.py against EVTX exports" and "## SIEM queries — see references/api-reference.md," so Claude reaches the executable content.
Replace the conceptual Overview sentence about what PowerShell Empire is with a concrete first step (e.g. acquire EVTX / enable Event ID 4104 logging) to improve both conciseness and actionability.
Add an explicit ordered workflow with a verification checkpoint, e.g. scan logs → decode Base64 → confirm staging URI/module match → emit JSON report, to lift workflow clarity from 2 to 3.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The body is mostly efficient and well-sectioned, but the Overview explains a concept Claude already knows ("PowerShell Empire is a post-exploitation framework consisting of listeners, stagers, and agents"), which is unnecessary context that keeps it below the lean/efficient anchor. | 2 / 3 |
Actionability | It gives concrete IOC strings (launcher flags, stager patterns, module names) but no executable code or commands in the body, and it never directs Claude to the provided scripts/agent.py that performs the actual detection, so guidance is incomplete. | 2 / 3 |
Workflow Clarity | Sections imply a loose sequence (Prerequisites → Key Detection Patterns → Output) but there is no explicit ordered workflow or validation/verification checkpoint for the analysis process, matching the "sequence present but checkpoints missing" anchor. | 2 / 3 |
Progressive Disclosure | The body is a well-organized, lean set of sections, but the bundle files references/api-reference.md and scripts/agent.py exist and are never signaled or linked from SKILL.md, so Claude cannot navigate to the detailed reference and executable script. | 2 / 3 |
Total | 8 / 12 Passed |