Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable media and network shares, and establish user interaction with directories even after deletion using SBECmd and ShellBags Explorer.
48
52%: Does it follow best practices?
Impact: — (No eval scenarios have been run)
Passed: No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-windows-shellbag-artifacts/SKILL.md
Quality
Discovery
82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description for a niche digital forensics skill. It clearly articulates concrete capabilities and names specific tools, making it very distinctive. The main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill.
Suggestions
Add a 'Use when...' clause such as 'Use when the user asks about Shellbag analysis, Windows registry forensics, folder access history, or mentions SBECmd or ShellBags Explorer.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'reconstruct folder browsing activity', 'detect access to removable media and network shares', 'establish user interaction with directories even after deletion'. Also names specific tools: SBECmd and ShellBags Explorer. | 3 / 3 |
| Completeness | The 'what' is thoroughly covered with specific capabilities and tools, but there is no explicit 'Use when...' clause or equivalent trigger guidance telling Claude when to select this skill. The rubric caps completeness at 2 when this is missing. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords a forensic analyst would use: 'Shellbag', 'registry artifacts', 'folder browsing activity', 'removable media', 'network shares', 'SBECmd', 'ShellBags Explorer'. These are the exact terms someone working in digital forensics would mention. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive niche focused specifically on Windows Shellbag registry artifacts with named tools (SBECmd, ShellBags Explorer). This is unlikely to conflict with any other skill given its very specific forensic domain. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
22%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides useful reference information about shellbag artifacts and includes concrete tool commands, but it is significantly too verbose, explaining concepts Claude already knows and including lengthy illustrative text blocks. It lacks a coherent investigative workflow with validation steps, and the forensic scenarios describe rather than instruct. The content would benefit greatly from being restructured into a lean overview with actionable steps and separated reference material.
Suggestions
Remove the explanatory overview paragraph and 'When to Use'/'Prerequisites' boilerplate — Claude knows what shellbags are and doesn't need generic prerequisites listed.
Add a clear numbered investigation workflow: acquire registry hives → parse with SBECmd → filter CSV for incident timeframe → correlate with USBSTOR/MountPoints2 → validate findings → document conclusions.
Replace the verbose forensic scenario text blocks with a concise table or pattern-matching guide (e.g., 'ShellType=Network + new first-access during incident window → lateral movement indicator').
Trim the example output to ~15 lines showing the most forensically relevant sections, and move the full example to a separate reference file if needed.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is excessively verbose. It explains what shellbags are at length (Claude already knows this), includes generic prerequisites ('Familiarity with digital forensics concepts'), boilerplate 'When to Use' sections, and extensive example output that could be drastically shortened. The forensic investigation scenarios are largely explanatory prose restating what the shellbag path already shows. | 1 / 3 |
| Actionability | The SBECmd commands are concrete and executable, and the registry location table is useful reference material. However, the forensic investigation scenarios are descriptive text blocks rather than actionable procedures, and there's no guidance on how to actually interpret or correlate findings programmatically (e.g., Python scripts for parsing CSV output, correlation with USBSTOR entries). | 2 / 3 |
| Workflow Clarity | There is no clear multi-step investigation workflow with sequenced steps and validation checkpoints. The content presents isolated tool commands and descriptive scenarios but never ties them into a coherent process (e.g., acquire hives → parse → filter timeline → correlate with other artifacts → validate findings). For forensic analysis involving evidence integrity, the lack of any verification or validation steps is a significant gap. | 1 / 3 |
| Progressive Disclosure | The content has reasonable section headers and some structure, but it's monolithic — the lengthy example output, registry structure details, and forensic scenarios could be split into separate reference files. There are no bundle files and no internal cross-references to supplementary materials. The external references section is helpful but doesn't compensate for the inline verbosity. | 2 / 3 |
| Total | 6 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |