analyzing-slack-space-and-file-system-artifacts
Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data and reconstruct file activity on NTFS volumes.
69
62%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Critical
Do not install without reviewing
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-slack-space-and-file-system-artifacts/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, technically specific description that clearly defines its forensic analysis capabilities on NTFS volumes with excellent domain-specific trigger terms. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The description uses proper third-person voice and avoids vague language.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about NTFS forensics, file recovery, disk analysis, or investigating file system artifacts like MFT, USN journal, or slack space.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: examining slack space, MFT entries, USN journal, alternate data streams, recovering hidden data, and reconstructing file activity on NTFS volumes. | 3 / 3 |
Completeness | Clearly answers 'what does this do' with specific forensic actions, but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this dimension at 2 per the rubric. | 2 / 3 |
Trigger Term Quality | Includes highly specific and natural trigger terms a forensics user would use: 'slack space', 'MFT entries', 'USN journal', 'alternate data streams', 'NTFS', 'hidden data', 'file activity'. These are the exact terms a digital forensics practitioner would mention. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche focused on NTFS forensics with very specific technical terms (MFT, USN journal, slack space, alternate data streams) that are unlikely to conflict with other skills. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
42%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill excels at actionability with complete, executable commands and scripts for NTFS forensic analysis, but suffers significantly from verbosity and poor progressive disclosure. The inline Python scripts are unnecessarily long for a SKILL.md overview, the key concepts table explains things Claude already knows about NTFS, and there's no use of external reference files to manage the substantial content volume. Validation checkpoints are also missing from the forensic workflow.
Suggestions
Move the large Python scripts (MFT parser, USN journal parser) to separate reference files and link to them from the main skill with brief descriptions of what each does.
Remove the Key Concepts table entirely - Claude already understands NTFS structures, MFT attributes, and timestomping. Keep only non-obvious project-specific conventions.
Add explicit validation checkpoints: verify image hash before extraction, validate extracted MFT file size, confirm USN journal integrity before parsing.
Consolidate the Tools & Systems table and Common Scenarios into a linked reference file, keeping only the core 5-step workflow with concise command examples in the main skill.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is extremely verbose at ~300+ lines. It explains concepts Claude already knows (what file slack is, what RAM slack is, what ADS are), includes a full key concepts table defining basic NTFS structures, and the inline Python scripts are excessively long with detailed struct parsing that could be referenced externally. The reason flags dictionary and USN record parsing are particularly bloated. | 1 / 3 |
Actionability | The skill provides fully executable bash commands and Python scripts with specific tool invocations, file paths, and concrete examples. Commands like icat, fls, blkls are shown with real flags and arguments. The Python USN parser is complete and executable with struct unpacking and CSV output. | 3 / 3 |
Workflow Clarity | The 5-step workflow is clearly sequenced (extract artifacts → analyze MFT → analyze slack → parse USN → detect ADS), but there are no explicit validation checkpoints or error recovery steps. For forensic operations where data integrity is critical, there should be hash verification steps and validation of extracted artifacts before analysis proceeds. | 2 / 3 |
Progressive Disclosure | This is a monolithic wall of text with no references to external files. The 100+ line Python scripts for MFT analysis and USN parsing should be in separate reference files. The key concepts table, tools table, and common scenarios sections all add bulk that could be split into supplementary documents. Everything is inline with no navigation structure. | 1 / 3 |
Total | 7 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
888bbe4
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.