Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced files for forensic investigation.
63
55%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-prefetch-files-for-execution-history/SKILL.md
Quality
Discovery
82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, specific description that clearly identifies a niche forensic capability with excellent domain-specific trigger terms. Its main weakness is the lack of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. Adding trigger guidance would elevate this from good to excellent.
Suggestions
Add a 'Use when...' clause such as 'Use when the user asks about Windows Prefetch analysis, .pf files, program execution forensics, or needs to investigate which programs ran on a Windows system.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'Parse Windows Prefetch files', 'determine program execution history', 'run counts', 'timestamps', 'referenced files', and 'forensic investigation'. These are all concrete, specific capabilities. | 3 / 3 |
| Completeness | The 'what' is clearly answered (parse Prefetch files, determine execution history with run counts/timestamps/referenced files). However, there is no explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords a forensic analyst would use: 'Windows Prefetch files', 'program execution history', 'run counts', 'timestamps', 'referenced files', 'forensic investigation'. These are terms users in this domain would naturally mention. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive: 'Windows Prefetch files' is a very specific forensic artifact type, and the combination with 'forensic investigation' creates a clear niche that is unlikely to conflict with other skills. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
27%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is comprehensive in coverage but severely over-engineered for a SKILL.md file. It explains too many basic concepts Claude already knows, includes redundant reference tables that bloat the token count, and provides an incomplete custom Python parser instead of leveraging the library it installs. The workflow is logically sound but lacks validation checkpoints for forensic integrity, and all content is crammed into a single file with no progressive disclosure.
Suggestions
Remove the Key Concepts and Tools & Systems tables entirely or move them to a separate REFERENCE.md file—Claude already knows what Prefetch files are and what these tools do.
Either use the `prefetch` Python library that's pip-installed, or remove the pip install line and note the custom parser's limitations clearly; the current approach is contradictory and the custom parser fails on Windows 10 compressed files.
Add explicit validation checkpoints: verify forensic image mount succeeded, verify file integrity after copy matches source, validate parser output completeness before building the timeline.
Move Common Scenarios and the detailed Output Format to separate files, keeping SKILL.md as a concise overview with links to detailed references.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~250+ lines. It explains concepts Claude already knows (what Prefetch is, what SCCA signatures are, what run counts mean), includes a full Key Concepts table of basic definitions, a Tools & Systems reference table, and lengthy Common Scenarios that describe rather than instruct. The Python parser reimplements well-known logic at length when a library call would suffice. | 1 / 3 |
| Actionability | The skill provides concrete commands and executable Python code, which is good. However, the Python parser is incomplete (the MAM/Win10 compressed format bails out, the lznt1 import won't work without additional setup), and the `pip install prefetch` library is installed but never actually used; instead a custom parser is written. The PECmd commands are concrete but mix Windows and Linux paths inconsistently. | 2 / 3 |
| Workflow Clarity | The 5-step workflow is clearly sequenced and logically ordered (extract → parse → analyze → identify suspicious → timeline). However, there are no validation checkpoints: no verification that the forensic image mounted correctly, no integrity check after copying files, no validation that the parser output is complete or correct before proceeding to analysis steps. | 2 / 3 |
| Progressive Disclosure | The entire skill is a monolithic wall of content with no references to external files. The Key Concepts table, Tools & Systems table, Common Scenarios section, and Output Format could all be split into separate reference files. Everything is inline, making this a very long single document with no navigation structure beyond sequential headers. | 1 / 3 |
| Total | 6 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
c15f73d