Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data and reconstruct file activity on NTFS volumes.
55
62%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Critical
Do not install without reviewing
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-slack-space-and-file-system-artifacts/SKILL.md
Quality
Discovery: 82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a technically strong description with excellent specificity and highly distinctive forensic terminology that clearly carves out a unique niche. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. Adding trigger guidance would elevate this from good to excellent.
Suggestions
- Add a 'Use when...' clause such as 'Use when the user asks about NTFS forensics, file recovery, disk forensic analysis, or investigating hidden data on Windows volumes.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: examining slack space, MFT entries, USN journal, alternate data streams, recovering hidden data, and reconstructing file activity on NTFS volumes. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' with specific forensic actions, but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this dimension at 2 per the rubric. | 2 / 3 |
| Trigger Term Quality | Includes highly specific natural keywords a forensics user would say: 'slack space', 'MFT entries', 'USN journal', 'alternate data streams', 'NTFS', 'hidden data', 'file activity'. These are the exact terms a digital forensics practitioner would use. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive with a clear niche in NTFS forensics. Terms like 'MFT entries', 'USN journal', 'slack space', and 'alternate data streams' are extremely specific and unlikely to conflict with other skills. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation: 42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable, executable forensic analysis guidance with real commands and complete Python scripts, which is its primary strength. However, it is severely over-long and verbose, explaining concepts Claude already knows, inlining massive code blocks that should be in separate reference files, and lacking validation checkpoints critical for forensic workflows. The content would benefit greatly from being split into a concise overview with references to detailed scripts and tool guides.
Suggestions
- Reduce the main SKILL.md to a concise overview (~50-80 lines) with the workflow steps summarized, and move the detailed Python scripts and tool-specific commands into separate referenced files (e.g., MFT_ANALYSIS.md, USN_PARSING.md, SLACK_ANALYSIS.md).
- Remove the Key Concepts table entirely or reduce it to only non-obvious forensic-specific details like the $SI vs $FN timestamp distinction — Claude already knows what MFT, ADS, and slack space are.
- Add explicit validation checkpoints: verify image hash before analysis, confirm artifact extraction integrity (file sizes, checksums), and validate parsed output counts against expected ranges before proceeding to the next step.
- Consolidate the Tools & Systems table and Common Scenarios section into brief inline references rather than separate verbose sections — these add significant token cost with limited actionable value.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~300+ lines. It explains concepts Claude already knows (what file slack is, what RAM slack is, what ADS are), includes a full key concepts table that's redundant for Claude, and the Python code blocks are excessively long with inline comments explaining basic operations. The USN Journal parser alone is ~80 lines when a reference to pyusn or MFTECmd would suffice. | 1 / 3 |
| Actionability | The skill provides fully executable commands and Python scripts with specific tool invocations, file paths, and concrete examples. Commands are copy-paste ready with real tool flags and options, and the Python code includes complete parsing logic with struct formats and flag definitions. | 3 / 3 |
| Workflow Clarity | The five steps are clearly sequenced and logically ordered (extract → analyze MFT → slack space → USN journal → ADS). However, there are no explicit validation checkpoints or error recovery steps between stages. For forensic operations where data integrity is critical, there should be verification steps (e.g., hash verification after extraction, confirming artifact integrity before analysis). | 2 / 3 |
| Progressive Disclosure | The entire skill is a monolithic wall of content with no references to external files. All detailed code, tool references, concepts tables, and scenarios are inlined. The Python USN parser, MFT analysis script, and slack space analysis could each be separate reference files, with the main SKILL.md providing a concise overview and pointers. | 1 / 3 |
| Total | 7 / 12 Passed | |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
0445030