CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-slack-space-and-file-system-artifacts

Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data and reconstruct file activity on NTFS volumes.

62

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Critical

Do not install without reviewing

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The content is highly actionable with complete executable tooling, but it is verbose with duplicated inline parsers, lacks validation checkpoints in its forensic workflow, and fails to signpost the existing bundle files. Tightening inline code and adding navigation to references would materially improve it.

Suggestions

Move the long inline USN/MFT parsers out of the body and reference scripts/agent.py instead, keeping only short illustrative snippets inline.

Add explicit validation checkpoints (e.g. verify $MFT/UsnJrnl extracted correctly before parsing) and a validate-fix-retry loop for the extraction steps.

Signpost references/api-reference.md and scripts/agent.py from the body (e.g. a 'References' section) and remove the TSK command duplication between the body and the reference file.

DimensionReasoningScore

Conciseness

The ~370-line body inlines large verbatim parsers (e.g. a full USN_RECORD_V2 struct.unpack parser) that are duplicated in scripts/agent.py and re-explains concepts Claude already knows, so it is mostly efficient but could be tightened considerably.

2 / 3

Actionability

It provides fully executable, copy-paste-ready TSK bash commands and complete Python parsers with specific paths, flags, and struct offsets rather than vague or pseudocode guidance.

3 / 3

Workflow Clarity

Five steps are clearly sequenced, but destructive/batch forensic extraction steps lack validation checkpoints or validate-fix-retry feedback loops, which the rubric caps at 2 for such operations.

2 / 3

Progressive Disclosure

Real bundle files exist (references/api-reference.md, scripts/agent.py) but are never referenced or signaled from the body, and the inline TSK command reference duplicates api-reference.md, so structure is present but not clearly organized or split.

2 / 3

Total

9

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific, distinctive, and rich in natural domain trigger terms, but it omits an explicit "Use when..." trigger clause, which caps its completeness at 2. Adding explicit usage triggers would raise it to a top score.

Suggestions

Add an explicit 'Use when...' clause, e.g. 'Use when analyzing NTFS volumes for hidden data, deleted-file activity, or alternate data streams.'

Mirror common user phrasings of the triggers (e.g. 'deleted files', 'file activity timeline') alongside the technical terms.

DimensionReasoningScore

Specificity

"Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data and reconstruct file activity" lists multiple specific concrete actions and targets across four artifact types.

3 / 3

Completeness

It clearly answers "what" (examine slack/MFT/USN/ADS to recover and reconstruct) but lacks an explicit "Use when..." clause, so per the rubric the missing trigger guidance caps completeness at 2.

2 / 3

Trigger Term Quality

It includes the natural forensic terms users would say for this domain — "slack space," "MFT," "USN journal," "alternate data streams," "hidden data," "NTFS" — giving good coverage of natural trigger terms.

3 / 3

Distinctiveness Conflict Risk

The NTFS slack-space/MFT/USN/ADS forensic niche is highly specific with distinct triggers, making it unlikely to fire for the wrong skill.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.