analyzing-slack-space-and-file-system-artifacts
Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data and reconstruct file activity on NTFS volumes.
55
62%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Critical
Do not install without reviewing
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-slack-space-and-file-system-artifacts/SKILL.mdSecurity
2 findings — 1 critical severity, 1 medium severity. Installing this skill is not recommended: please review these findings carefully if you do intend to do so.
E005: Suspicious download URL detected in skill instructions
What this means
Detected a suspicious URL in the skill instructions that could lead the agent to download and execute malicious scripts or binaries. This includes links to executables from untrusted sources, typosquatting of official packages, URL shorteners that obscure the destination, and personal file hosting services.
Why it was flagged
Suspicious download URL detected (high risk: 1.00). While most listed URLs point to legitimate forensic tools and vendor pages, the presence of direct .exe download links on malicious-site.com and cdn.malicious-site.com makes this set high risk because they are direct executables hosted on an untrusted/suspicious domain (a common malware distribution pattern, and even referenced as HostUrl/ReferrerUrl in the skill), so the overall source should be treated as malicious.
W011: Third-party content exposure detected (indirect prompt injection risk)
What this means
The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.
Why it was flagged
Third-party content exposure detected (high risk: 0.85). The required runtime workflow ingests **outsider-authored free text** from the **forensic disk image’s NTFS artifacts** (e.g., `$UsnJrnl:$J` filenames and slack-space strings are decoded as UTF-16/UTF-8 and placed into the agent’s LLM context via `parse_usn_journal()` and `search_slack_keywords()`), and those strings originate from other users/systems rather than the operating user.
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
0445030
- Audited
- Security analysis
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.