analyzing-ransomware-encryption-mechanisms
Analyzes encryption algorithms, key management, and file encryption routines used by ransomware families to assess decryption feasibility, identify implementation weaknesses, and support recovery efforts. Covers AES, RSA, ChaCha20, and hybrid encryption schemes. Activates for requests involving ransomware cryptanalysis, encryption analysis, key recovery assessment, or ransomware decryption feasibility.
90
88%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Quality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines a specific niche (ransomware encryption analysis), lists concrete actions and specific algorithms, and provides explicit activation triggers. It uses proper third-person voice throughout and balances conciseness with comprehensive coverage of both capabilities and trigger conditions.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'analyzes encryption algorithms, key management, and file encryption routines', 'assess decryption feasibility', 'identify implementation weaknesses', 'support recovery efforts'. Also names specific algorithms: AES, RSA, ChaCha20, hybrid encryption schemes. | 3 / 3 |
Completeness | Clearly answers both 'what' (analyzes encryption algorithms, key management, file encryption routines to assess decryption feasibility and identify weaknesses) and 'when' ('Activates for requests involving ransomware cryptanalysis, encryption analysis, key recovery assessment, or ransomware decryption feasibility'). | 3 / 3 |
Trigger Term Quality | Includes strong natural keywords a user would use: 'ransomware', 'cryptanalysis', 'encryption analysis', 'key recovery', 'decryption feasibility', plus specific algorithm names (AES, RSA, ChaCha20). These cover the natural terms a security analyst would use when seeking this skill. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche focused specifically on ransomware encryption analysis and decryption feasibility. The combination of ransomware context with specific cryptographic algorithms and recovery assessment makes it very unlikely to conflict with general security or general encryption skills. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
77%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, highly actionable skill with a well-structured multi-step workflow and executable code examples covering the full ransomware encryption analysis pipeline. Its main weaknesses are moderate verbosity from glossary definitions and tool descriptions that Claude already knows, and a monolithic structure that could benefit from splitting reference material into separate files. The safety considerations (working on copies, verification steps) are well-integrated throughout.
Suggestions
Remove or significantly trim the Key Concepts glossary table and Tools & Systems section, as Claude already understands these cryptographic concepts and tools.
Extract the output format template and common encryption schemes reference table into separate files (e.g., OUTPUT_TEMPLATE.md, ENCRYPTION_SCHEMES.md) and link to them from the main skill.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is fairly comprehensive but includes some unnecessary content for Claude, such as the Key Concepts glossary table explaining well-known cryptographic terms (CSPRNG, ECB mode, hybrid encryption) and the Tools & Systems section describing what Ghidra and PyCryptodome are. The ASCII table of common encryption schemes is efficient, but the overall document could be tightened by ~30%. | 2 / 3 |
Actionability | The skill provides fully executable Python code for detecting crypto API imports, checking key reuse, brute-forcing timestamp-derived keys, detecting ECB mode, and XOR key recovery. The Ghidra pseudo-code decompilation example is realistic and instructive. Commands and specific tools are named with concrete usage patterns. | 3 / 3 |
Workflow Clarity | The 6-step workflow is clearly sequenced from identification through analysis to documentation. Validation checkpoints are present: Step 4 explicitly tests for weaknesses before attempting recovery in Step 5, and the scenario section emphasizes working on copies and verifying assumptions. The pitfalls section adds important safety guardrails for destructive operations. | 3 / 3 |
Progressive Disclosure | The content is a single monolithic file with no references to external detailed documents. At ~250+ lines, the Key Concepts table, Tools & Systems section, and detailed output format template could be split into separate reference files. The structure within the file is good with clear headers, but the lack of any cross-references to supplementary materials means it's not optimally organized for progressive disclosure. | 2 / 3 |
Total | 10 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
888bbe4
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.