analyzing-windows-registry-for-artifacts

Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and evidence of system compromise.

63

Quality

55%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

Security by Snyk

Advisory

Suggest reviewing before use


Quality

Discovery

67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is strong in specificity and distinctiveness, clearly identifying a forensic analysis niche around Windows Registry hives with concrete artifact types. Its main weaknesses are the absence of an explicit 'Use when...' clause and missing some natural trigger term variations that users might employ when requesting this type of analysis.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about Windows Registry forensics, registry hive analysis, or investigating artifacts from NTUSER.DAT, SAM, SYSTEM, or SOFTWARE hives.'

Include additional natural trigger terms and file references users might mention, such as 'NTUSER.DAT', 'SAM hive', 'SYSTEM hive', 'SOFTWARE hive', 'registry forensics', 'RegRipper', or '.reg files'.

Dimension | Reasoning | Score
Specificity | Lists multiple specific concrete actions: 'Extract and analyze Windows Registry hives' with specific outputs including 'user activity, installed software, autostart entries, and evidence of system compromise.' | 3 / 3
Completeness | Clearly answers 'what does this do' (extract and analyze registry hives for specific artifacts), but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this at 2 per the rubric. | 2 / 3
Trigger Term Quality | Includes good domain-specific terms like 'Windows Registry hives', 'autostart entries', 'installed software', and 'system compromise', but misses common user variations like 'registry forensics', 'NTUSER.DAT', 'SAM', 'SYSTEM hive', 'regedit', or 'registry analysis'. | 2 / 3
Distinctiveness Conflict Risk | Very clear niche focused specifically on Windows Registry hive analysis for forensic purposes. Unlikely to conflict with other skills due to the highly specific domain of registry forensics. | 3 / 3
Total | | 10 / 12 (Passed)

Implementation

42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill excels in actionability with complete, executable code examples for registry forensics analysis. However, it is significantly over-verbose, explaining concepts Claude already knows (registry hive definitions, tool descriptions) and inlining reference material that should be in separate files. The workflow lacks validation checkpoints critical for forensic integrity, such as verifying hive integrity after extraction or confirming RegRipper output is non-empty.

Suggestions

Remove the 'Key Concepts' and 'Tools & Systems' tables or move them to a separate REFERENCE.md file — Claude already knows what registry hives and MRU lists are.

Move 'Common Scenarios' and 'Output Format' to separate files (e.g., SCENARIOS.md, OUTPUT_FORMAT.md) and link to them from the main skill.

Add validation checkpoints: verify hive integrity after extraction (e.g., check file sizes, run a quick parse test), verify RegRipper output is non-empty, and validate python-registry can open each hive before proceeding.

Trim the 'When to Use' and 'Prerequisites' sections — these describe obvious forensic contexts that don't need enumeration.

Dimension | Reasoning | Score
Conciseness | The skill is extremely verbose at ~200+ lines. The 'Key Concepts' table explains things Claude already knows (what a registry hive is, what MRU means, what 'Last Write Time' is). The 'When to Use' and 'Prerequisites' sections add padding. The Tools & Systems table describes obvious tool purposes. Much of this could be cut in half while preserving all actionable content. | 1 / 3
Actionability | The skill provides fully executable bash commands and Python scripts throughout. Code is copy-paste ready with specific file paths, tool invocations, and complete Python scripts using python-registry for parsing UserAssist, autorun keys, etc. The RegRipper commands include specific plugin names and output redirection. | 3 / 3
Workflow Clarity | Steps are clearly sequenced (extract → analyze → persistence → user activity → system info), but there are no validation checkpoints. After extracting hives, there's no verification that hives are valid/uncorrupted. After running RegRipper, there's no check for errors or empty output. The hashing step in Step 1 is good but there's no instruction to verify hashes later. For forensic operations where data integrity is critical, the lack of validation feedback loops is notable. | 2 / 3
Progressive Disclosure | This is a monolithic wall of content with no references to external files. The Key Concepts table, Tools & Systems table, Common Scenarios section, and Output Format could all be split into separate reference files. Everything is inline in one massive document, making it expensive to load for simple tasks. | 1 / 3
Total | | 7 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria | Description | Result
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning
Total | | 10 / 11 (Passed)

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed
