
analyzing-powershell-script-block-logging

Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded payloads, and living-off-the-land techniques. Uses python-evtx to extract and reconstruct multi-block scripts, applies entropy analysis and pattern matching for Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.

Quality: 62% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security (by Snyk): Risky. Do not use without reviewing.


Quality

Discovery: 82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a highly specific and technically detailed skill description that excels at naming concrete actions and including natural trigger terms for the security forensics domain. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill over others. The description is well-written in third person and avoids vague language.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to analyze EVTX files, investigate PowerShell execution logs, detect obfuscated scripts, or perform forensic analysis of Windows event logs.'

Dimension | Reasoning | Score

Specificity: 3 / 3
Lists multiple specific concrete actions: parsing PowerShell Script Block Logs (Event ID 4104), extracting and reconstructing multi-block scripts, applying entropy analysis and pattern matching, detecting Base64-encoded commands, Invoke-Expression abuse, download cradles, and AMSI bypass attempts.

Completeness: 2 / 3
The 'what' is thoroughly covered with specific capabilities and techniques. However, there is no explicit 'Use when...' clause or equivalent trigger guidance telling Claude when to select this skill, which caps this dimension at 2 per the rubric guidelines.

Trigger Term Quality: 3 / 3
Excellent coverage of natural keywords a security analyst would use: 'PowerShell', 'Script Block Logs', 'Event ID 4104', 'EVTX', 'obfuscated commands', 'encoded payloads', 'living-off-the-land', 'Base64', 'Invoke-Expression', 'AMSI bypass', 'download cradles'. These are highly specific and natural terms in the security/forensics domain.

Distinctiveness / Conflict Risk: 3 / 3
Extremely distinct niche: Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files with specific detection techniques. This is unlikely to conflict with any other skill due to its highly specialized forensic/security focus and precise technical scope.

Total: 11 / 12 (Passed)

Implementation: 42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides a reasonable high-level outline for PowerShell Script Block Log analysis but falls short on actionability and structure. The code examples are incomplete fragments rather than executable workflows, key referenced files (agent.py) are missing, and generic boilerplate sections dilute the useful content. The detection heuristics list is valuable but would benefit from concrete, copy-paste-ready implementations.

Suggestions

Remove the generic 'When to Use' and 'Prerequisites' sections (or reduce to 1-2 lines) and replace with domain-specific constraints Claude actually needs.

Provide a complete, executable Python script for parsing EVTX files and reconstructing multi-block scripts, rather than pseudocode fragments and references to a non-existent agent.py.

Add explicit validation checkpoints: e.g., verify EVTX file is readable, confirm Event ID 4104 events exist, validate reconstructed script block completeness before applying heuristics.

Either include bundle files (agent.py, detection patterns reference, MITRE mapping table) or inline the critical detection logic as complete executable code.

Dimension | Reasoning | Score

Conciseness: 2 / 3
The 'When to Use' and 'Prerequisites' sections contain generic filler (e.g., 'Familiarity with security operations concepts', 'Access to a test or lab environment') that doesn't add value for Claude. The core instructions are reasonably tight, but the surrounding boilerplate wastes tokens.

Actionability: 2 / 3
There are some concrete snippets (pip install, base64 decode example, CLI invocation), but the main workflow steps 3-5 are descriptive rather than executable. The multi-block reconstruction example is prose with no actual code showing the concatenation logic. The agent.py script is referenced but not provided.

Workflow Clarity: 2 / 3
Steps are listed in a logical sequence (install → collect → parse → detect → report), but there are no validation checkpoints, no error handling guidance, and no feedback loops for when parsing fails or heuristics produce false positives. For a multi-step process involving file parsing and detection, this lacks verification steps.

Progressive Disclosure: 1 / 3
Everything is in a single monolithic file with no references to supporting documents, no bundle files, and the referenced `scripts/agent.py` doesn't exist in the bundle. There's no separation of the detection patterns, MITRE mappings, or advanced usage into supplementary files.

Total: 7 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 passed

Validation for skill structure

Criteria | Description | Result

frontmatter_unknown_keys: Warning
Unknown frontmatter key(s) found; consider removing or moving to metadata.

Total: 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
