analyzing-supply-chain-malware-artifacts
Investigate supply chain attack artifacts including trojanized software updates, compromised build pipelines, and sideloaded dependencies to identify intrusion vectors and scope of compromise.
61
52%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-supply-chain-malware-artifacts/SKILL.mdQuality
Discovery
67%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description is strong in specificity and distinctiveness, clearly carving out a niche around supply chain attack investigation with concrete artifact types. However, it lacks an explicit 'Use when...' clause, which limits its completeness score and could reduce Claude's ability to reliably select this skill. Adding natural trigger terms and explicit usage guidance would meaningfully improve it.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user mentions supply chain attacks, compromised dependencies, suspicious software updates, or build pipeline security.'
Include more natural user-facing trigger terms such as 'dependency confusion', 'package tampering', 'third-party compromise', 'software supply chain', or 'compromised npm/PyPI packages' to improve keyword coverage.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: investigating trojanized software updates, compromised build pipelines, sideloaded dependencies, identifying intrusion vectors, and scoping compromise. | 3 / 3 |
Completeness | Clearly answers 'what does this do' with specific investigation activities, but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which per the rubric caps completeness at 2. | 2 / 3 |
Trigger Term Quality | Includes relevant domain terms like 'supply chain attack', 'trojanized software updates', 'build pipelines', 'sideloaded dependencies', but these are somewhat technical. Missing more common user-facing terms like 'SolarWinds-style attack', 'dependency confusion', 'package compromise', 'third-party software risk', or file extensions/tool names users might reference. | 2 / 3 |
Distinctiveness Conflict Risk | The focus on supply chain attacks is a clear niche that is unlikely to conflict with general malware analysis, incident response, or other security skills. The specific mention of trojanized updates, build pipelines, and sideloaded dependencies creates a distinct identity. | 3 / 3 |
Total | 10 / 12 Passed |
Implementation
37%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides a solid executable Python script for PE binary comparison but is fundamentally incomplete as a supply chain malware analysis guide—it only covers binary diffing (Step 1) while omitting build pipeline analysis, dependency sideloading, code signing verification, and timeline reconstruction. The overview is verbose with statistics and historical context Claude doesn't need, and the workflow lacks validation checkpoints and error recovery loops critical for forensic investigation procedures.
Suggestions
Complete the workflow by adding concrete steps for build pipeline analysis, dependency verification, code signing validation, and timeline reconstruction—each with executable code or specific tool commands.
Add explicit validation checkpoints between workflow steps (e.g., 'Verify binary diff results before proceeding to dependency analysis') and include error recovery guidance for common failure modes.
Remove the verbose overview statistics and historical examples (SolarWinds customer counts, breach percentages) that Claude already knows, and trim the 'When to Use' section to essential triggers only.
Convert the 'Validation Criteria' bullet list into actionable verification steps with specific commands or checks that confirm each criterion is met.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The overview contains unnecessary statistics and historical context (e.g., '30% of all breaches', 'a 100% increase from prior years', detailed SolarWinds/3CX descriptions) that Claude already knows. The 'When to Use' section is generic and adds little value. However, the code itself is reasonably focused. | 2 / 3 |
Actionability | The binary comparison script is executable and concrete, but the workflow only covers Step 1 of what should be a multi-step process. There are no concrete commands or code for build pipeline analysis, dependency sideloading detection, code signing verification, or package repository monitoring despite these being listed in prerequisites. The skill promises much more than it delivers. | 2 / 3 |
Workflow Clarity | Only 'Step 1' exists with no subsequent steps, making this an incomplete workflow for a complex multi-step investigation. There are no validation checkpoints, no feedback loops for error recovery, and the 'Validation Criteria' section is just a checklist of desired outcomes rather than actionable verification steps. For a destructive/forensic investigation context, this is insufficient. | 1 / 3 |
Progressive Disclosure | The content has some structure with sections (Overview, Prerequisites, Workflow, Validation, References), and external references are provided. However, the single long code block is inline rather than referenced, and there's no signposting to additional detailed materials for the missing workflow steps (build pipeline analysis, dependency analysis, etc.). | 2 / 3 |
Total | 7 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
c15f73d
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.