Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data and reconstruct file activity on NTFS volumes.
69
62%
Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/analyzing-slack-space-and-file-system-artifacts/SKILL.md`

Quality
Discovery
82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, technically specific description that clearly identifies its niche in NTFS digital forensics with excellent domain-specific trigger terms. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The specificity and distinctiveness are excellent, making it unlikely to conflict with other skills.
Suggestions
- Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about NTFS forensics, file recovery, digital forensics analysis, or investigating file system artifacts like MFT, USN journal, or ADS.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: examining slack space, MFT entries, USN journal, alternate data streams, recovering hidden data, and reconstructing file activity on NTFS volumes. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' with specific forensic actions, but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this dimension at 2 per the rubric. | 2 / 3 |
| Trigger Term Quality | Includes highly specific and natural trigger terms a forensics user would use: 'slack space', 'MFT entries', 'USN journal', 'alternate data streams', 'NTFS', 'hidden data', 'file activity'. These are the exact terms a digital forensics practitioner would mention. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche in NTFS forensic analysis. Terms like 'MFT entries', 'USN journal', 'slack space', and 'alternate data streams' are extremely specific to NTFS forensics and unlikely to conflict with other skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable, executable forensic commands and scripts for NTFS artifact analysis, which is its primary strength. However, it is severely overlong and monolithic: inline Python scripts spanning 50-80 lines each, redundant concept explanations, and reference tables all belong in separate files. The workflow lacks validation checkpoints that are critical for forensic integrity (hash verification, chain of custody steps).
Suggestions
- Move the large inline Python scripts (MFT parser, USN Journal parser) to separate referenced files (e.g., scripts/parse_mft.py, scripts/parse_usn.py) and keep only the invocation commands in SKILL.md
- Remove the Key Concepts table entirely; Claude already understands NTFS structures, MFT, ADS, and timestomping. At most keep a one-line reminder about $SI vs $FN timestamp differences
- Add explicit validation checkpoints: hash verification of extracted artifacts (md5sum after icat), verification that extracted MFT/USN files are non-empty and valid before parsing
- Condense the Tools & Systems table and Common Scenarios section into the workflow steps where they're relevant, or move them to a separate REFERENCE.md file
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~300+ lines. It explains concepts Claude already knows (what file slack is, what RAM slack is, what ADS are), includes a full key concepts table defining basic NTFS structures, and the inline Python scripts are excessively long with detailed struct parsing that could be referenced externally. The USN Journal parser alone is ~80 lines of inline code. | 1 / 3 |
| Actionability | The skill provides fully executable bash commands and Python scripts with specific tool invocations, file paths, and flags. Code is copy-paste ready with real tool names (MFTECmd, icat, blkls, foremost, bulk_extractor) and concrete examples including struct offsets and flag definitions. | 3 / 3 |
| Workflow Clarity | The 5-step workflow is clearly sequenced (extract artifacts → analyze MFT → analyze slack → parse USN → detect ADS), but there are no explicit validation checkpoints or error recovery steps. For forensic operations where data integrity is critical, there should be hash verification steps and validation of extracted artifacts before analysis. | 2 / 3 |
| Progressive Disclosure | This is a monolithic wall of content with no references to external files. The 80-line USN parser, the MFT analysis script, and the extensive reference tables should all be in separate files. Everything is inlined into a single massive document with no navigation structure beyond sequential steps. | 1 / 3 |
| Total | | 7 / 12 Passed |
Validation
90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
c15f73d