CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-windows-amcache-artifacts

Parses and analyzes the Windows Amcache.hve registry hive to extract evidence of program execution, application installation, and driver loading for digital forensics investigations. Uses Eric Zimmerman's AmcacheParser and Timeline Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and timeline reconstruction. Activates for requests involving Amcache forensics, program execution evidence, Windows artifact analysis, or application compatibility cache investigation.

72

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A thorough, highly actionable forensic workflow with clear sequencing and a verification checklist, undermined slightly by verbosity and weak progressive disclosure — the SKILL.md is a monolith that ignores its own bundled reference and script files.

Suggestions

Tighten the Key Concepts table and inline explanations that restate knowledge Claude already has (e.g., defining 'SHA-1 Hash'), and trim the comment-heavy code blocks to reduce token load.

Signal the existing bundle files from the body — point to references/api-reference.md for registry-key/column detail and scripts/agent.py for the programmatic parser — rather than keeping all detail inline with orphaned bundle files.

Move the duplicated registry-key and suspicious-indicator tables out of the body into api-reference.md to keep SKILL.md a concise overview.

DimensionReasoningScore

Conciseness

Mostly efficient and domain-specific, but the ~220-line body restates some knowledge Claude already has (the Key Concepts table defines 'SHA-1 Hash', 'NSRL') and carries heavily commented code blocks that could be trimmed.

2 / 3

Actionability

Fully executable, copy-paste-ready guidance throughout — AmcacheParser.exe invocations with flags, PowerShell hash-extraction pipelines, Timeline Explorer filters, and vt-cli/CIRCL lookups, all with concrete arguments.

3 / 3

Workflow Clarity

A clearly sequenced 7-step pipeline (acquire → parse → analyze → correlate → program entries → drivers → timeline) closes with a 9-item Verification checklist that provides explicit validation checkpoints for this batch analysis.

3 / 3

Progressive Disclosure

The body is a long monolith with good internal sectioning, but the existing bundle files (references/api-reference.md, scripts/agent.py) are never linked or signaled from the body and some inline content (registry keys, suspicious indicators) duplicates the reference file.

2 / 3

Total

10

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong, specific description that clearly states what the skill does and when it should activate, with concrete actions and natural trigger terms for its forensic audience. It is a touch verbose but every clause earns its place.

DimensionReasoningScore

Specificity

Lists multiple concrete actions — 'extract evidence of program execution, application installation, and driver loading', 'artifact extraction, SHA-1 hash correlation with threat intel, and timeline reconstruction' — rather than vague language.

3 / 3

Completeness

Explicitly answers both what ('Parses and analyzes the Windows Amcache.hve registry hive to extract evidence...') and when ('Activates for requests involving...'), with an explicit trigger clause.

3 / 3

Trigger Term Quality

Covers natural phrasings a DFIR user would say — 'Amcache forensics, program execution evidence, Windows artifact analysis, or application compatibility cache investigation' — with good variation rather than pure jargon.

3 / 3

Distinctiveness Conflict Risk

The Amcache.hve / application-compatibility-cache niche is highly specific with distinct triggers, making it unlikely to fire for unrelated skills.

3 / 3

Total

12

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.