analyzing-usb-device-connection-history
Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable media usage and potential data exfiltration.
78
73%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-usb-device-connection-history/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, specific description that clearly identifies the forensic domain (USB device investigation on Windows) with concrete data sources and use cases. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The trigger terms are excellent and naturally align with how forensic analysts would phrase their requests.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about USB forensics, removable device history, or tracking what USB devices were connected to a Windows system.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: investigate USB device connection history, track removable media usage, and detect potential data exfiltration. Also specifies concrete data sources: Windows registry, event logs, and setupapi logs. | 3 / 3 |
Completeness | Clearly answers 'what does this do' (investigate USB device connection history from specific sources), but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this dimension at 2 per the rubric. | 2 / 3 |
Trigger Term Quality | Includes strong natural keywords users would say: 'USB device', 'connection history', 'Windows registry', 'event logs', 'setupapi logs', 'removable media', 'data exfiltration'. These cover both forensic investigator terminology and common user language. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche combining USB forensics, Windows-specific artifacts (registry, setupapi logs), and data exfiltration tracking. Very unlikely to conflict with other skills due to the specific forensic domain and platform focus. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
64%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides highly actionable, executable forensic analysis code for USB device history investigation with well-structured Python scripts covering all major artifact sources. Its main weaknesses are verbosity from reference tables and scenario descriptions that don't add executable value, and the lack of explicit validation checkpoints in the forensic workflow where data integrity verification is critical.
Suggestions
Add explicit validation checkpoints after artifact extraction (e.g., verify file existence/integrity before parsing) and after each parsing step to confirm expected data was recovered.
Move the Key Concepts table, Tools & Systems table, and Common Scenarios section to a separate reference file (e.g., USB_REFERENCE.md) and link to it, keeping SKILL.md focused on the executable workflow.
Remove explanatory descriptions Claude already knows (e.g., what VID/PID means, what SetupAPI logs are) from the Key Concepts table to reduce token usage.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is fairly comprehensive but includes some unnecessary content like the Key Concepts table (Claude knows what VID/PID and USBSTOR are), the Tools & Systems table (listing tools without actionable usage instructions), and the Common Scenarios section which describes investigative approaches at a high level without adding executable value. The core workflow steps are reasonably efficient though. | 2 / 3 |
Actionability | The workflow provides fully executable Python scripts with specific registry parsing code, regex patterns for SetupAPI log parsing, event log parsing, and CSV timeline generation. Commands are copy-paste ready with concrete paths, specific registry key paths, and real parsing logic using python-registry and evtx libraries. | 3 / 3 |
Workflow Clarity | The 5-step workflow is clearly sequenced from artifact extraction through timeline building, but lacks explicit validation checkpoints. There are no verification steps to confirm artifacts were successfully copied, no checks that registry parsing succeeded before proceeding, and no error recovery guidance beyond basic try/except blocks in the code. For forensic operations where data integrity matters, validation gaps are notable. | 2 / 3 |
Progressive Disclosure | The content is a monolithic document with everything inline. The Common Scenarios, Key Concepts table, and Tools table could be split into separate reference files. There are no references to external files for advanced topics. However, the sections are well-organized with clear headers, which partially compensates. | 2 / 3 |
Total | 9 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
888bbe4
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.