CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-windows-shellbag-artifacts

Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable media and network shares, and establish user interaction with directories even after deletion using SBECmd and ShellBags Explorer.

62

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is highly actionable with real SBECmd commands and concrete forensic scenarios, but it suffers from boilerplate padding, a missing sequenced workflow with validation, and orphaned bundle files that are never linked from the body.

Suggestions

Replace the scenario-only structure with an explicit numbered investigation workflow (extract hives -> parse with SBECmd -> verify CSV output -> filter/correlate -> document) and surface references/workflows.md via a link.

Link the bundle files from the body, e.g. 'See references/api-reference.md for shell item type bytes and regipy usage' and 'Use assets/template.md for the case report', instead of relying on the unlinked references/ directory.

Trim the example output block and the generic 'When to Use'/'Prerequisites' boilerplate to reduce token overhead while keeping the executable commands.

DimensionReasoningScore

Conciseness

The Overview's forensic context earns its place, but generic templated boilerplate ('When investigating security incidents that require analyzing windows shellbag artifacts') and a ~50-line example output block add padding that could be tightened, placing it at the 'mostly efficient but includes some unnecessary explanation' anchor.

2 / 3

Actionability

Provides fully executable, copy-paste-ready commands ('SBECmd.exe -d "C:\Evidence\Registry" --csv C:\Output --csvf shellbags.csv', '--live') with documented output columns and concrete GUI steps, matching the score-3 anchor.

3 / 3

Workflow Clarity

The investigation is shown as scenarios rather than a sequenced workflow with validation checkpoints, and no verification steps are given for hive extraction or CSV output; the actual sequenced workflow exists only in the unlinked references/workflows.md, so per the batch-operation guideline workflow clarity is capped at 2.

2 / 3

Progressive Disclosure

Bundle files exist (references/, scripts/, assets/) but the body never signals or links to them — the References section points only to external URLs — and content that should be split (the long example output, registry-location tables duplicated in api-reference.md) is inline, matching the 'references present but not clearly signaled' anchor.

2 / 3

Total

9

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific and distinctive with good natural trigger terms, but it omits any explicit 'Use when...' trigger guidance, capping its completeness. Adding a trigger clause would raise it to a top-tier description.

Suggestions

Add an explicit 'Use when...' clause, e.g. 'Use when investigating folder access history, USB/removable media browsing, or network share activity from Windows registry hives.'

Include common user-facing variations such as 'USB drives', 'folder access history', and 'BagMRU' to broaden trigger coverage.

DimensionReasoningScore

Specificity

Lists multiple concrete actions ('reconstruct folder browsing activity', 'detect access to removable media and network shares', 'establish user interaction with directories even after deletion') and names specific tools (SBECmd, ShellBags Explorer), matching the score-3 anchor for multiple specific concrete actions.

3 / 3

Completeness

Clearly answers 'what' the skill does, but there is no 'Use when...' clause or equivalent explicit trigger guidance, so per the judging guidelines completeness is capped at 2.

2 / 3

Trigger Term Quality

Includes natural domain terms a DFIR analyst would say ('Shellbag', 'registry artifacts', 'removable media', 'network shares', 'SBECmd', 'ShellBags Explorer'); coverage is strong, above the 'some relevant keywords but missing common variations' anchor.

3 / 3

Distinctiveness Conflict Risk

Targets a clear niche (Windows Shellbag forensics) with distinct tool-specific triggers, making it unlikely to fire for the wrong skill.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.