Parses and analyzes the Windows Amcache.hve registry hive to extract evidence of program execution, application installation, and driver loading for digital forensics investigations. Uses Eric Zimmerman's AmcacheParser and Timeline Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and timeline reconstruction. Activates for requests involving Amcache forensics, program execution evidence, Windows artifact analysis, or application compatibility cache investigation.
72
88%
Does it follow best practices?
Impact: —. No eval scenarios have been run.
Advisory: Suggest reviewing before use.
Quality
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines a narrow forensic analysis domain with specific actions, tools, and trigger conditions. It uses appropriate third-person voice, lists concrete capabilities, and provides explicit activation criteria. The description is concise yet comprehensive, covering what the skill does, how it does it, and when it should be used.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'parses and analyzes the Windows Amcache.hve registry hive', 'extract evidence of program execution, application installation, and driver loading', 'SHA-1 hash correlation with threat intel', 'timeline reconstruction'. Also names specific tools (AmcacheParser, Timeline Explorer). | 3 / 3 |
| Completeness | Clearly answers 'what' (parses Amcache.hve, extracts execution/installation/driver evidence, correlates hashes, reconstructs timelines) and 'when' with explicit triggers ('Activates for requests involving Amcache forensics, program execution evidence, Windows artifact analysis, or application compatibility cache investigation'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords a forensics analyst would use: 'Amcache.hve', 'registry hive', 'program execution', 'digital forensics', 'AmcacheParser', 'Timeline Explorer', 'SHA-1 hash', 'threat intel', 'Windows artifact analysis', 'application compatibility cache'. Good coverage of domain-specific terms users would naturally mention. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive niche targeting a specific Windows forensic artifact (Amcache.hve) with specific tools and techniques. Very unlikely to conflict with other skills due to the narrow, specialized domain. | 3 / 3 |
| Total | 12 / 12 Passed | |
Implementation: 77%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, highly actionable forensics skill with excellent workflow clarity and concrete, executable commands throughout. Its main weakness is moderate verbosity—the Key Concepts glossary and some explanatory text could be trimmed since Claude understands these fundamentals. The lack of bundle files means all content is inline, which is acceptable but could benefit from splitting reference material into separate files for a skill of this length.
Suggestions
Remove or significantly trim the Key Concepts table—Claude already understands SHA-1 hashes, transaction logs, and similar concepts; keep only Amcache-specific forensic nuances.
Consider extracting the detailed column listings and filter criteria into a separate REFERENCE.md file to reduce the main skill's token footprint.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is reasonably well-structured but includes some unnecessary verbosity. The Key Concepts table explains terms like 'SHA-1 Hash' and 'Transaction Logs' that Claude already knows. The 'When to Use' section is somewhat lengthy with six bullet points plus a caveat. However, the workflow steps themselves are fairly efficient and domain-specific enough to justify their length. | 2 / 3 |
| Actionability | The skill provides fully executable PowerShell commands for each step, specific tool invocations with real flags (e.g., AmcacheParser.exe -f ... --csv ..., -w, -b, -i, --mp), concrete column names to examine, specific filter criteria, and real API endpoints for hash lookups. The commands are copy-paste ready and cover multiple scenarios. | 3 / 3 |
| Workflow Clarity | The 7-step workflow is clearly sequenced from acquisition through parsing, analysis, correlation, and timeline building. The verification checklist at the end serves as an explicit validation checkpoint. Each step builds logically on the previous one, and the skill includes important caveats like collecting transaction logs and not using Amcache as sole proof of execution. | 3 / 3 |
| Progressive Disclosure | The content is a monolithic document with no references to supporting files. While the content is well-organized with clear headers, the Key Concepts table, detailed column listings, and extensive filtering examples could be split into reference files. For a skill of this length (~180+ lines of substantive content), some progressive disclosure into separate reference documents would be appropriate. However, no bundle files exist to reference. | 2 / 3 |
| Total | 10 / 12 Passed | |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
0f429d0