CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-powershell-script-block-logging

Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.

67

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Risky

Do not use without reviewing

SKILL.md
Quality
Evals
Security

Quality

Content

80%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A concise, actionable body with concrete commands and a complete bundled analyzer script. The two gaps are a missing validation/verification checkpoint in the batch workflow and an orphaned reference file (api-reference.md) that is never linked from SKILL.md.

Suggestions

Add an explicit validation step to the workflow, e.g. verifying the EVTX parsed non-zero records and confirming the report file was written with expected findings, rather than relying on silent error swallowing.

Link references/api-reference.md from the body (e.g. a '## API reference' section pointing to it) so the bundled reference is discoverable and not orphaned.

Consider surfacing the key detection-pattern table from api-reference.md or cross-referencing it so analysts can extend heuristics without reading source.

DimensionReasoningScore

Conciseness

The ~45-line body is lean with no explanation of concepts Claude already knows; instructions and examples are tight and assume competence, matching the level-3 anchor; it avoids the verbosity that would drop it to 2.

3 / 3

Actionability

Provides executable guidance throughout — 'pip install python-evtx lxml', the exact EVTX filename, named heuristics with concrete pattern strings, a runnable 'python scripts/agent.py --evtx-file ... --output ps_analysis.json' command, and a complete executable bundled script — matching the level-3 copy-paste-ready anchor.

3 / 3

Workflow Clarity

Steps 1–5 are clearly sequenced, but there is no validation/verification checkpoint for this batch EVTX-parsing operation, and the bundled agent.py silently swallows parse errors ('except Exception: continue'); per the guideline, missing validation for batch operations caps workflow clarity at 2 rather than 3.

2 / 3

Progressive Disclosure

The body signals scripts/agent.py via the command path, but references/api-reference.md is an orphan never linked from the body; scored against the actual bundle, one reference is present but not clearly signaled, matching the level-2 anchor rather than the well-signaled level-3 case.

2 / 3

Total

10

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A specific, well-scoped cybersecurity description with strong natural trigger terms and low conflict risk, written in correct third-person voice. Its main gap is the missing explicit 'Use when...' trigger guidance, which caps completeness at 2.

Suggestions

Append an explicit trigger clause, e.g. 'Use when analyzing PowerShell Operational EVTX logs, investigating suspicious PowerShell execution, or threat hunting for obfuscated/encoded commands.'

Keep the existing concrete action list intact; only add the 'when' trigger rather than expanding 'what'.

DimensionReasoningScore

Specificity

Lists multiple concrete actions ('Parse...EVTX files to detect obfuscated commands, encoded payloads', 'reconstruct multi-block scripts', 'applies entropy analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts'), matching the level-3 anchor of multiple specific concrete actions.

3 / 3

Completeness

It clearly answers 'what' the skill does but lacks any 'Use when...' clause or equivalent explicit trigger guidance, so per the judging guideline completeness is capped at 2; it is not a 3 because the 'when' is only implied, and not a 1 because 'what' is thorough.

2 / 3

Trigger Term Quality

Contains natural analyst-facing keywords ('PowerShell', 'Script Block Logs', 'Event ID 4104', 'EVTX', 'obfuscated commands', 'Base64', 'download cradles', 'AMSI bypass') with good coverage of terms a user would naturally say, rather than only abstract jargon.

3 / 3

Distinctiveness Conflict Risk

A clear niche (Windows PowerShell Script Block Logs, Event ID 4104 from EVTX) with distinct triggers makes it unlikely to fire for unrelated skills, matching the level-3 anchor; it is more specific than the level-2 'could overlap' case.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.