CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-usb-device-connection-history

Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable media usage and potential data exfiltration.

62

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A highly actionable, well-sequenced forensic workflow with executable code throughout, but it is verbose, lacks validation checkpoints, and fails to leverage its own bundle files by keeping full scripts and API detail inline rather than linking out.

Suggestions

Replace the inline full scripts with pointers to scripts/agent.py and consolidate registry-path detail into references/api-reference.md, keeping only a concise Quick-start snippet in the body.

Add validation checkpoints between steps (e.g., verify hives mounted and usb_devices.json populated before Step 5, handle the unstated analysis/ output directory).

Trim the 'Key Concepts' table to only non-obvious entries (e.g., EMDMgmt, DeviceContainers) and drop definitions Claude already knows like VID/PID.

DimensionReasoningScore

Conciseness

The body embeds several full-length inline Python heredocs with repeated imports and try/except boilerplate, plus a 'Key Concepts' table defining USBSTOR/VID-PID that a forensics-capable Claude largely already knows; it is mostly actionable but could be tightened and is not fully lean.

2 / 3

Actionability

Provides fully executable bash and Python with concrete paths, specific registry keys, and copy-paste-ready commands across all five steps rather than vague direction or pseudocode.

3 / 3

Workflow Clarity

Steps 1–5 are clearly sequenced, but there are no validation/verification checkpoints (e.g., confirming artifacts were extracted or hives parsed) and no feedback loops for the batch parsing of multiple hives, so checkpoints remain implicit.

2 / 3

Progressive Disclosure

Bundle files exist (references/api-reference.md, scripts/agent.py) that duplicate registry-parsing detail and a full script, yet the body never links to them and instead inlines that content; sections are organized but references are unsignaled and content that belongs in separate files is inline.

2 / 3

Total

9

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A specific, well-targeted forensics description that names concrete sources and outcomes and avoids vague language, but it omits an explicit 'Use when...' trigger clause, leaving the when-to-use intent implied rather than stated.

Suggestions

Add an explicit trigger clause, e.g. 'Use when investigating USB/removable-media usage, insider-threat data exfiltration, or correlating device connections with file access during an incident.'

Include common user phrasings such as 'USB drive', 'thumb drive', or 'removable storage forensics' to broaden natural trigger coverage.

DimensionReasoningScore

Specificity

Lists multiple concrete actions and sources — 'Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable media usage and potential data exfiltration' — naming registry, event logs, and setupapi as distinct sources plus tracking usage and exfiltration as outcomes.

3 / 3

Completeness

It clearly answers 'what' but provides no explicit 'Use when...' or equivalent trigger guidance, so per the judging guideline completeness is capped at 2 rather than reaching the explicit-when level of 3.

2 / 3

Trigger Term Quality

Natural forensics vocabulary a user would actually say — 'USB device connection history', 'removable media usage', 'data exfiltration', 'Windows registry', 'event logs' — giving good coverage of likely trigger phrasings.

3 / 3

Distinctiveness Conflict Risk

USB connection-history forensics is a clear, narrow niche with distinct triggers unlikely to conflict with other skills.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.