Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data and reconstruct file activity on NTFS volumes.
55
62%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Critical
Do not install without reviewing
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-slack-space-and-file-system-artifacts/SKILL.md
Quality
Discovery
82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, technically precise description that clearly identifies its niche in NTFS digital forensics with excellent specificity and trigger terms. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill over others. The domain-specific terminology ensures minimal conflict risk with other skills.
Suggestions
Add a 'Use when...' clause such as 'Use when the user asks about NTFS forensics, file recovery, disk forensics, MFT analysis, or investigating hidden data on Windows volumes.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: examining slack space, MFT entries, USN journal, alternate data streams, recovering hidden data, and reconstructing file activity on NTFS volumes. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' (examine slack space, MFT entries, USN journal, ADS to recover hidden data and reconstruct file activity), but lacks an explicit 'Use when...' clause specifying when Claude should select this skill. | 2 / 3 |
| Trigger Term Quality | Includes highly specific natural keywords a forensics user would say: 'slack space', 'MFT entries', 'USN journal', 'alternate data streams', 'NTFS', 'hidden data', 'file activity'. These are the exact terms a digital forensics practitioner would use. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive with a clear niche in NTFS forensics. The specific technical terms (MFT, USN journal, slack space, alternate data streams) make it very unlikely to conflict with other skills. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable, concrete forensic analysis guidance with executable code and specific tool commands, which is its primary strength. However, it is severely over-long and monolithic—embedding large Python scripts inline, including redundant concept explanations, and lacking any progressive disclosure structure. The workflow is logically sequenced but missing validation checkpoints critical for forensic integrity.
Suggestions
Extract the large inline Python scripts (USN parser, MFT analyzer) into separate referenced files (e.g., scripts/parse_usn.py, scripts/analyze_mft.py) and reference them from the main skill.
Remove the Key Concepts table—these definitions are either already known to Claude or adequately conveyed by the workflow steps themselves.
Add explicit validation checkpoints after artifact extraction (e.g., verify file sizes, hash extracted MFT/USN files) and after parsing steps (e.g., confirm record counts, check for parsing errors).
Move Common Scenarios and the Tools & Systems table to a separate reference file to keep the main skill focused on the executable workflow.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~300+ lines. It includes extensive inline Python scripts for USN journal parsing and MFT analysis that could be separate files, explains concepts Claude already knows (what file slack is, what RAM slack is, what ADS are), and the Key Concepts table is largely redundant given the detailed workflow already covers these. The Tools & Systems table also adds bulk without actionable value. | 1 / 3 |
| Actionability | The skill provides fully executable bash commands and Python scripts with specific tool invocations, file paths, struct formats, and flag definitions. The USN journal parser, MFT analysis script, and Sleuth Kit commands are concrete and copy-paste ready with real parameters. | 3 / 3 |
| Workflow Clarity | The five steps are clearly sequenced and logically ordered (extract → analyze MFT → slack space → USN journal → ADS). However, there are no explicit validation checkpoints or error recovery steps between stages. For forensic operations where data integrity is critical, the absence of verification steps (e.g., hash verification of extracted artifacts, validation of parsed output) is a notable gap. | 2 / 3 |
| Progressive Disclosure | The entire skill is a monolithic wall of content with no references to external files. Massive inline Python scripts (USN parser ~80 lines, MFT analysis ~60 lines) should be in separate referenced files. The Common Scenarios, Key Concepts table, Tools table, and Output Format sections all add bulk that could be split into supporting documents. No bundle files are provided to offload this content. | 1 / 3 |
| Total | 7 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
0f429d0