CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-windows-lnk-files-for-artifacts

Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers for forensic timeline reconstruction.

62

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is highly actionable with executable code and a clear workflow, but it is held back by duplicated content that belongs in the existing bundle files, a missing validation checkpoint for the batch parse, and some explanation of concepts Claude already knows.

Suggestions

Replace the inline Step 3 parser and JSON structure with pointers to references/api-reference.md and scripts/agent.py (e.g., "See references/api-reference.md for the LNK JSON structure; run scripts/agent.py --lnk-dir ... for automated parsing") to remove duplication and improve progressive disclosure.

Add an explicit validation checkpoint after parsing, e.g. compare the count of collected .lnk files against parsed rows and confirm the CSV is non-empty before proceeding to analysis.

Trim the "Key Concepts" table to only forensic-specific nuances Claude would not already know, removing definitions of basic terms like "Shell Link (.lnk)".

DimensionReasoningScore

Conciseness

The body is mostly efficient and actionable, but the large inline Python parsing script in Step 3 duplicates scripts/agent.py and references/api-reference.md, and the "Key Concepts" table explains basic LNK/shell-link concepts Claude already knows, so it could be tightened.

2 / 3

Actionability

Provides fully executable bash collection commands, LECmd/JLECmd invocations, and a complete copy-paste-ready Python parser with concrete field extraction, matching the level-3 anchor.

3 / 3

Workflow Clarity

Steps are clearly sequenced (collect → parse → analyze), but this batch parsing operation has no explicit validation/verification checkpoint (e.g., confirming parsed count matches collected count or that the CSV is non-empty), which per the guidelines caps workflow clarity at 2.

2 / 3

Progressive Disclosure

Bundle files references/api-reference.md and scripts/agent.py exist but are never referenced or signaled from the body, and their content (LNK JSON structure, parsing/analysis logic) is duplicated inline, fitting the level-2 anchor of content that should be separate being inline.

2 / 3

Total

9

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific, third-person, and distinctive with good domain trigger terms, but it omits an explicit "Use when..." trigger clause, leaving the "when to use" dimension only implied and capping completeness at 2.

Suggestions

Append an explicit trigger clause, e.g. "Use when reconstructing user file access from Windows LNK/shortcut files, Jump Lists, or when the user mentions LNK files, Recent items, or shortcut artifacts."

Add common user-facing variations ("shortcuts", "Jump Lists", "Recent files") to broaden natural trigger coverage.

DimensionReasoningScore

Specificity

"Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers" lists multiple concrete actions rather than vague language, matching the level-3 anchor.

3 / 3

Completeness

The "what" is clearly stated, but there is no "Use when..." clause or equivalent explicit trigger guidance, which per the judging guidelines caps completeness at 2; the "for forensic timeline reconstruction" phrase hints at purpose but is not an explicit when-trigger.

2 / 3

Trigger Term Quality

It uses natural terms a forensics user would actually say ("LNK shortcut files", "timestamps", "volume information", "forensic timeline reconstruction"), giving good coverage of relevant keywords.

3 / 3

Distinctiveness Conflict Risk

"Parse Windows LNK shortcut files...for forensic timeline reconstruction" carves a clear niche unlikely to overlap with or trigger other skills.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.