analyzing-windows-shellbag-artifacts
Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable media and network shares, and establish user interaction with directories even after deletion using SBECmd and ShellBags Explorer.
61
52%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-windows-shellbag-artifacts/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description targeting a clear forensic analysis niche with concrete actions and tool names. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The domain-specific terminology provides excellent distinctiveness.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about Shellbag analysis, Windows registry forensics, folder access history, or needs to parse Shellbag artifacts with SBECmd or ShellBags Explorer.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'reconstruct folder browsing activity', 'detect access to removable media and network shares', 'establish user interaction with directories even after deletion'. Also names specific tools: SBECmd and ShellBags Explorer. | 3 / 3 |
Completeness | Clearly answers 'what does this do' with specific capabilities and tools, but lacks an explicit 'Use when...' clause or equivalent trigger guidance. The when is only implied by the nature of the described actions. | 2 / 3 |
Trigger Term Quality | Includes strong natural keywords a forensic analyst would use: 'Shellbag', 'registry artifacts', 'folder browsing activity', 'removable media', 'network shares', 'SBECmd', 'ShellBags Explorer'. These are the exact terms someone working in digital forensics would naturally mention. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche in Windows Shellbag forensic analysis with specific tool names (SBECmd, ShellBags Explorer) and domain-specific terminology. Very unlikely to conflict with other skills. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
22%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a forensic reference document or blog post than an actionable skill for Claude. It spends excessive tokens explaining concepts (what Shellbags are, how they persist) and providing illustrative scenarios rather than defining clear procedures. The tool commands are useful but lack a cohesive workflow connecting evidence acquisition, parsing, analysis, and reporting.
Suggestions
Remove explanatory prose about what Shellbags are and how they work — Claude knows this. Focus the body on tool commands, analysis steps, and interpretation patterns.
Define a clear numbered workflow: 1) Identify/extract registry hives, 2) Parse with SBECmd, 3) Filter/analyze CSV output for specific indicators, 4) Correlate with other artifacts, 5) Report findings — with validation at each step.
Replace the verbose forensic scenario descriptions with concise pattern-matching rules (e.g., 'ShellType=Network + new first-access during incident window → lateral movement indicator').
Move the large example output and BagMRU structure details to separate reference files, keeping only a compact quick-start and key analysis patterns in the main skill.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is excessively verbose, explaining what Shellbags are, how they work, and forensic concepts Claude already knows. The BagMRU structure section, forensic investigation scenarios with explanatory prose ('This proves the user navigated to...'), and the lengthy example output all consume significant tokens without adding actionable value. The 'When to Use' and 'Prerequisites' sections are generic boilerplate. | 1 / 3 |
Actionability | The SBECmd commands are concrete and executable, which is good. However, the forensic investigation scenarios are descriptive text blocks rather than actionable procedures, and there's no guidance on how to actually analyze or filter the CSV output, correlate with other artifacts programmatically, or build detection rules despite claiming that as a use case. | 2 / 3 |
Workflow Clarity | There is no clear multi-step workflow or sequenced investigation process. The content presents isolated tool commands and descriptive scenarios but never defines a step-by-step analysis procedure with validation checkpoints. For forensic analysis involving evidence integrity, the lack of any verification steps (e.g., hash verification, validating hive integrity before parsing) is a significant gap. | 1 / 3 |
Progressive Disclosure | The content has reasonable section headers and a registry location table that aids navigation. However, it's monolithic — the massive example output block and detailed BagMRU structure explanation could be in separate reference files. The References section links to external resources but there's no internal file structure for progressive depth. | 2 / 3 |
Total | 6 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
c15f73d
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.