analyzing-windows-lnk-files-for-artifacts

Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers for forensic timeline reconstruction.

55

Quality: 62% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security by Snyk: Passed, no known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/analyzing-windows-lnk-files-for-artifacts/SKILL.md

Quality

Discovery

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong, specific description that clearly identifies a narrow forensic analysis domain with concrete actions and good natural trigger terms. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. Adding that clause would make this description excellent.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about parsing .lnk files, analyzing Windows shortcuts, or performing forensic analysis on shortcut artifacts.'

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Lists multiple specific concrete actions: parse LNK files, extract target paths, timestamps, volume information, machine identifiers, and forensic timeline reconstruction. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' (parse LNK files, extract various metadata for forensic timeline reconstruction), but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'LNK', 'shortcut files', 'Windows', 'forensic', 'timeline reconstruction', 'target paths', 'timestamps', 'volume information', 'machine identifiers'. These cover the domain well. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive niche: Windows LNK shortcut file parsing for forensic analysis. Very unlikely to conflict with other skills due to the specific file format and forensic use case. | 3 / 3 |
| Total | | 11 / 12 |

Passed

Implementation

42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides highly actionable, executable code for LNK file forensic analysis, which is its primary strength. However, it is excessively verbose with unnecessary concept explanations, tool reference tables, and descriptive scenario sections that Claude doesn't need. The monolithic structure with no external references and missing validation checkpoints in the forensic workflow significantly reduce its quality.

Suggestions

Remove the Key Concepts table, Tools & Systems table, and Common Scenarios section — these explain things Claude already knows and add ~80 lines of low-value content.

Add validation checkpoints: verify file counts after collection, check hash integrity, validate parsing output before proceeding to analysis.

Extract the Python parsing script and analysis script into separate bundle files (e.g., parse_lnk.py, analyze_lnk.py) and reference them from the main skill.

Consolidate Steps 2 and 3 — presenting both LECmd and Python parsing as separate workflow steps is redundant; pick one as primary and briefly mention the alternative.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The skill is extremely verbose at ~250+ lines. It explains concepts Claude already knows (what LNK files are, what Jump Lists are, what volume serial numbers are), includes a full reference table of tools with descriptions, and the 'Common Scenarios' section is entirely descriptive prose that adds no actionable value. The Key Concepts table explains basic forensic concepts that don't need definition. | 1 / 3 |
| Actionability | The skill provides fully executable bash commands and Python scripts that are copy-paste ready. The LECmd commands, Python LnkParse3 parsing code, and analysis scripts are concrete and complete with specific field extraction, CSV output, and filtering logic. | 3 / 3 |
| Workflow Clarity | The four steps are clearly sequenced (collect → parse with LECmd → parse with Python → analyze), but there are no validation checkpoints. No verification that LNK files were successfully copied, no hash verification after collection, no check that parsing succeeded before analysis. For forensic operations where evidence integrity matters, the lack of validation steps is a significant gap. | 2 / 3 |
| Progressive Disclosure | The content is a monolithic wall of text with no references to external files. Everything is inline including tool reference tables, common scenarios, and detailed Python scripts that could be separate files. There's no bundle structure to support progressive disclosure, and the content doesn't attempt to organize into overview vs. detail layers. | 1 / 3 |
| Total | | 7 / 12 |

Passed

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
| --- | --- | --- |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 |

Passed

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
