
analyzing-windows-amcache-artifacts

Parses and analyzes the Windows Amcache.hve registry hive to extract evidence of program execution, application installation, and driver loading for digital forensics investigations. Uses Eric Zimmerman's AmcacheParser and Timeline Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and timeline reconstruction. Activates for requests involving Amcache forensics, program execution evidence, Windows artifact analysis, or application compatibility cache investigation.

90

Quality

88%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

Security by Snyk

Advisory

Suggest reviewing before use


Quality

Discovery

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly defines a narrow forensic analysis domain with specific actions, tools, and trigger conditions. It uses appropriate third-person voice, lists concrete capabilities, and provides explicit activation criteria. The description is concise yet comprehensive, covering both the 'what' and 'when' effectively with strong domain-specific trigger terms.

Dimension / Reasoning / Score

Specificity (3 / 3): Lists multiple specific concrete actions: 'parses and analyzes the Windows Amcache.hve registry hive', 'extract evidence of program execution, application installation, and driver loading', 'SHA-1 hash correlation with threat intel', 'timeline reconstruction'. Also names specific tools (AmcacheParser, Timeline Explorer).

Completeness (3 / 3): Clearly answers 'what' (parses Amcache.hve, extracts execution/installation/driver evidence, correlates hashes, reconstructs timelines) and 'when' with an explicit trigger clause: 'Activates for requests involving Amcache forensics, program execution evidence, Windows artifact analysis, or application compatibility cache investigation.'

Trigger Term Quality (3 / 3): Includes strong natural keywords a forensics analyst would use: 'Amcache.hve', 'registry hive', 'program execution', 'digital forensics', 'AmcacheParser', 'Timeline Explorer', 'SHA-1 hash', 'threat intel', 'Windows artifact analysis', 'application compatibility cache'. Good coverage of domain-specific terms users would naturally mention.

Distinctiveness / Conflict Risk (3 / 3): Highly distinctive niche targeting a specific Windows forensic artifact (Amcache.hve) with specific tools and techniques. Very unlikely to conflict with other skills given the narrow forensics domain and specific artifact focus.

Total: 12 / 12 (Passed)

Implementation

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a strong, highly actionable forensic analysis skill with clear step-by-step workflows, executable commands, and a comprehensive verification checklist. Its main weaknesses are moderate verbosity (the Key Concepts table explains things Claude already knows, and some sections could be tighter) and the lack of progressive disclosure for what is a fairly lengthy document. The domain-specific forensic knowledge and concrete tool usage make it genuinely valuable.

Suggestions

Remove or significantly trim the Key Concepts table—terms like 'SHA-1 Hash' and 'Transaction Logs' don't need definitions for Claude. Keep only truly domain-specific terms like 'Associated File Entry' or 'NSRL'.

Consider splitting detailed analysis sections (Steps 4-6) into separate reference files and linking to them from the main skill, keeping the SKILL.md as a concise overview with the core workflow.

Dimension / Reasoning / Score

Conciseness (2 / 3): The skill is reasonably well-structured but includes some unnecessary verbosity. The Key Concepts table explains terms like 'SHA-1 Hash' and 'Transaction Logs' that Claude already knows. The 'When to Use' section is somewhat lengthy with six bullet points plus a caveat. However, most content is domain-specific forensic knowledge that adds value.

Actionability (3 / 3): The skill provides fully executable PowerShell commands for each step, specific tool flags (e.g., AmcacheParser.exe -f, -w, -b, --csv, -i, --mp), concrete column names to examine, specific filter criteria, and real tool names with real APIs (VirusTotal, CIRCL hashlookup). The commands are copy-paste ready.

Workflow Clarity (3 / 3): The 7-step workflow is clearly sequenced from acquisition through parsing, analysis, correlation, and timeline building. The verification checklist at the end serves as an explicit validation checkpoint. Each step builds logically on the previous one, and the skill includes guidance on what to look for at each stage (e.g., unsigned executables, suspicious paths, timestomping detection).

Progressive Disclosure (2 / 3): The content is well-organized with clear headers and logical sections, but it's a monolithic document with no references to external files for advanced topics. The driver analysis, hash correlation, and timeline building sections could be split into separate reference files. For a skill of this length (~180+ lines of substantive content), some progressive disclosure to external files would improve navigability.

Total: 10 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys (Warning): Unknown frontmatter key(s) found; consider removing or moving to metadata.

Total: 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
