CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-uefi-bootkit-persistence

Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash, EFI System Partition (ESP) modifications, Secure Boot bypass techniques, and UEFI variable manipulation. Covers detection of known bootkit families (BlackLotus, LoJax, MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection, chipsec-based firmware integrity verification, and Secure Boot configuration auditing. Activates for requests involving UEFI malware analysis, firmware persistence investigation, boot chain integrity verification, or Secure Boot bypass detection.

69

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

70%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is highly actionable with concrete, executable forensic commands and a realistic worked scenario, but it is padded with a large report template and conceptual tables and lacks explicit validation checkpoints and clear signaling to the api-reference/agent bundle files.

Suggestions

Move the full report output template (lines 294-371) into the references bundle and replace it with a one-line pointer plus the required report fields, reducing inline tokens.

Add explicit validation checkpoints to destructive steps (e.g., 'verify firmware dump integrity before remediation; only reflash after hash confirmation') with fix-and-retry feedback loops.

Clearly signal the bundle files in the body with links (e.g., 'See [api-reference.md](references/api-reference.md) for full command syntax' and 'See [agent.py](scripts/agent.py) for the automated analyzer').

DimensionReasoningScore

Conciseness

Mostly efficient with concrete commands, but the large report template (lines 294-371), verbose Key Concepts table, and many illustrative comment lines add tokens beyond what Claude needs; some content overlaps the api-reference bundle.

2 / 3

Actionability

Provides fully executable commands (chipsec, flashrom, UEFIExtract, yara, bcdedit, reg query, vol3) with real GUIDs and module names; the supporting agent.py and api-reference.md make guidance copy-paste ready.

3 / 3

Workflow Clarity

Seven sequential steps are clearly listed, but for destructive/batch operations (firmware dumping, reflashing, key rotation) there are no explicit validate-then-proceed checkpoints or error-recovery feedback loops, which caps the score at 2 per the rubric.

2 / 3

Progressive Disclosure

The body includes inline code and a full report template that could live in the bundle, and references to api-reference.md and agent.py are implicit rather than clearly signaled with linked navigation; structure exists but is not cleanly one-level-deep.

2 / 3

Total

9

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong, specific description that clearly states what the skill does and when it activates, with natural trigger terms and a distinct firmware-security niche. Slightly verbose with trailing whitespace but otherwise excellent.

DimensionReasoningScore

Specificity

Lists many concrete actions: 'firmware implants in SPI flash, EFI System Partition (ESP) modifications, Secure Boot bypass techniques, and UEFI variable manipulation' plus named detection families and techniques.

3 / 3

Completeness

Explicitly answers what ('Analyzes UEFI bootkit persistence mechanisms including...') and when ('Activates for requests involving UEFI malware analysis, firmware persistence investigation, boot chain integrity verification, or Secure Boot bypass detection').

3 / 3

Trigger Term Quality

Covers natural request terms users would say: 'UEFI malware analysis', 'firmware persistence investigation', 'boot chain integrity verification', and 'Secure Boot bypass detection'.

3 / 3

Distinctiveness Conflict Risk

Highly specific niche with distinct firmware/bootkit triggers; the named families and SPI flash/ESP scope make conflict with other skills unlikely.

3 / 3

Total

12

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.