analyzing-windows-shellbag-artifacts
Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable media and network shares, and establish user interaction with directories even after deletion using SBECmd and ShellBags Explorer.
61
52%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-windows-shellbag-artifacts/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description for a niche digital forensics skill. It clearly articulates concrete capabilities and names specific tools, making it very distinctive. The main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about Shellbag analysis, Windows registry forensics, folder access history, or needs to parse Shellbag artifacts with SBECmd or ShellBags Explorer.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'reconstruct folder browsing activity', 'detect access to removable media and network shares', 'establish user interaction with directories even after deletion'. Also names specific tools: SBECmd and ShellBags Explorer. | 3 / 3 |
Completeness | The 'what' is thoroughly covered with specific capabilities and tools, but there is no explicit 'Use when...' clause or equivalent trigger guidance telling Claude when to select this skill. The rubric caps completeness at 2 when this is missing. | 2 / 3 |
Trigger Term Quality | Includes strong natural keywords a forensic analyst would use: 'Shellbag', 'registry artifacts', 'folder browsing activity', 'removable media', 'network shares', 'SBECmd', 'ShellBags Explorer'. These are the exact terms someone working in digital forensics would mention. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche focusing specifically on Windows Shellbag registry artifacts with named tools (SBECmd, ShellBags Explorer). This is unlikely to conflict with other skills given its very specific forensic domain. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
22%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a forensic reference article or training document than an actionable skill for Claude. It spends significant tokens explaining concepts (what Shellbags are, how they persist, what they prove) rather than providing concise, executable procedures. The example output is impressively detailed but consumes excessive context window space that would be better served by a compact template or separate reference file.
Suggestions
Remove all explanatory prose about what Shellbags are and how they work — Claude already knows this. Keep only the registry location table and tool commands.
Replace the descriptive forensic scenarios with a clear numbered workflow: 1) Extract hives, 2) Run SBECmd with specific flags, 3) Validate output, 4) Correlate with USBSTOR/MountPoints2, 5) Build timeline.
Move the large example output to a separate EXAMPLES.md file and reference it from the main skill, keeping only a 5-line representative sample inline.
Remove the generic 'When to Use' and 'Prerequisites' sections, which add no actionable information for Claude.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is excessively verbose, explaining what Shellbags are, how they work, and basic forensic concepts that Claude already knows. The BagMRU structure section, forensic investigation scenarios with explanatory prose ('This proves the user navigated to...'), and the lengthy example output all consume significant tokens without adding actionable value. The 'When to Use' and 'Prerequisites' sections are generic boilerplate. | 1 / 3 |
Actionability | The SBECmd commands are concrete and executable, and the registry location table is useful reference material. However, the forensic investigation scenarios are descriptive text blocks rather than executable procedures, and there's no actual Python code despite listing Python 3.8+ as a prerequisite. The guidance is more explanatory than instructional. | 2 / 3 |
Workflow Clarity | There is no clear multi-step workflow for conducting a shellbag investigation. The content presents isolated commands and descriptive scenarios but lacks a sequenced process with validation checkpoints. For forensic analysis involving evidence integrity, there should be explicit steps for evidence preservation, hash verification, and output validation. | 1 / 3 |
Progressive Disclosure | The content has reasonable section headers and a registry location table that aids navigation. However, the massive example output block (50+ lines) and detailed BagMRU structure explanation should be in separate reference files. The references section links to external resources but doesn't organize supplementary content into companion files. | 2 / 3 |
Total | 6 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
888bbe4
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.