analyzing-usb-device-connection-history
Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable media usage and potential data exfiltration.
78
73%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-usb-device-connection-history/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted description with strong specificity and excellent trigger terms covering USB forensics on Windows systems. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The domain is distinctive enough to avoid conflicts with other skills.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about USB forensics, removable device tracking, or investigating data exfiltration via USB on Windows systems.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: investigate USB device connection history, track removable media usage, and detect potential data exfiltration. Also specifies concrete data sources: Windows registry, event logs, and setupapi logs. | 3 / 3 |
Completeness | Clearly answers 'what does this do' (investigate USB device connection history from specific sources), but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric guidelines. | 2 / 3 |
Trigger Term Quality | Includes strong natural keywords users would say: 'USB device', 'connection history', 'Windows registry', 'event logs', 'setupapi logs', 'removable media', 'data exfiltration'. These cover both forensic investigation terminology and common user language. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche combining USB forensics, Windows-specific artifacts (registry, setupapi logs), and data exfiltration tracking. Very unlikely to conflict with other skills due to the specific forensic investigation domain. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
64%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a highly actionable forensic skill with executable Python code for each analysis step, covering the full USB investigation workflow from artifact extraction to timeline generation. Its main weaknesses are verbosity (reference tables, common scenarios, and tool lists that inflate token count without adding critical guidance) and the absence of validation checkpoints between workflow steps, which is important for forensic operations where data integrity matters.
Suggestions
Add explicit validation checkpoints between steps (e.g., verify registry hives exist and are parseable before proceeding to Step 2, validate JSON output before timeline compilation).
Move the Key Concepts table, Tools & Systems table, and Common Scenarios section to a separate reference file (e.g., USB_REFERENCE.md) and link to it from the main skill.
Remove the Prerequisites list items that Claude already knows (e.g., 'Understanding of USB device identification') and trim the 'When to Use' section to reduce token overhead.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is fairly detailed and includes useful executable code, but the Key Concepts table, Tools & Systems table, and Common Scenarios section add significant bulk that largely explains things Claude already knows or could infer. The prerequisites list also includes obvious items. The core workflow is well-targeted but the surrounding material inflates token usage. | 2 / 3 |
Actionability | The skill provides fully executable Python scripts with specific library imports (python-Registry, evtx), concrete file paths, regex patterns, and complete code blocks for each step. Commands are copy-paste ready with real registry paths and parsing logic. | 3 / 3 |
Workflow Clarity | The 5-step workflow is clearly sequenced and logically ordered from extraction through timeline building. However, there are no explicit validation checkpoints or error recovery steps between stages—e.g., no verification that registry hives were successfully copied, no validation of parsed output before proceeding to the next step, and no feedback loops for handling corrupt or missing artifacts. | 2 / 3 |
Progressive Disclosure | The content is a monolithic document with all details inline—the extensive code blocks, reference tables, common scenarios, and output format are all in one file. The Common Scenarios and Tools tables could be split into separate reference files with clear links from the main skill, improving navigability. | 2 / 3 |
Total | 9 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
c15f73d
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.