yara-rule-authoring

Guides authoring of high-quality YARA-X detection rules for malware identification. Use when writing, reviewing, or optimizing YARA rules. Covers naming conventions, string selection, performance optimization, migration from legacy YARA, and false positive reduction. Triggers on: YARA, YARA-X, malware detection, threat hunting, IOC, signature, crx module, dex module.

91

1.61x
Quality: Does it follow best practices?

Impact: 100%, 1.61x (average score across 3 eval scenarios)

Security by Snyk: Passed, no known issues

Quality

Content

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is highly actionable with strong workflows and expert decision-making content, but it is somewhat verbose with repeated summary sections and contains dead references to nonexistent workflows/ and examples/ paths that weaken navigation.

Suggestions

Either create the referenced workflows/rule-development.md and examples/ directory with the listed files, or remove those table entries and inline links so all signaled references resolve.

Consolidate the redundant guidance that recurs across Core Principles, Common Mistakes, Performance Optimization, Quick Reference, and the Multi-Indicator Clustering Pattern into a single authoritative location to reduce repetition.

Verify the ../../README.md#scripts link resolves from the skill's location, or replace it with in-skill script documentation.

| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The body is dense with genuinely expert, non-obvious content (decision trees, rationalizations, atom theory) and avoids basic-concept filler, but guidance is repeated across Core Principles, Common Mistakes, Performance Optimization, Quick Reference, and the trailing Multi-Indicator Clustering Pattern, so it could be tightened beyond the score-3 lean anchor. | 2 / 3 |
| Actionability | Executable YARA code blocks, concrete yr/uv run commands, specific hex patterns, named scripts with invocation syntax, and a copy-paste-ready checklist provide fully actionable guidance rather than pseudocode or vague direction. | 3 / 3 |
| Workflow Clarity | The Workflow section gives a 7-step sequence with explicit validation checkpoints (yr check, yr fmt, linter, goodware validation) plus an FP-debugging feedback loop, matching the clear-sequence-with-validation anchor; the validation presence avoids the score-2 cap. | 3 / 3 |
| Progressive Disclosure | Structure is good with a Reference Documents table and real, one-level-deep reference files, but referenced paths workflows/rule-development.md, the entire examples/ directory, and ../../README.md do not exist, so the signaled navigation leads to dead links and cannot reach the easy-navigation score-3 anchor. | 2 / 3 |
| Total | | 10 / 12 |

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific, third-person, and answers both what and when with an explicit trigger list. It is a strong, low-conflict description that needs no changes.

| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple concrete actions ("writing, reviewing, or optimizing YARA rules") plus enumerated coverage areas (naming, string selection, performance, migration, FP reduction), matching the multiple-specific-actions anchor rather than the partial score-2 anchor. | 3 / 3 |
| Completeness | Clearly answers both what (authoring high-quality YARA-X detection rules and named sub-tasks) and when (explicit "Use when..." clause plus a "Triggers on:" list), avoiding the score-2 cap for a missing Use-when clause. | 3 / 3 |
| Trigger Term Quality | Explicit trigger list ("YARA, YARA-X, malware detection, threat hunting, IOC, signature, crx module, dex module") covers natural terms a user would say, beyond the some-keywords score-2 anchor. | 3 / 3 |
| Distinctiveness Conflict Risk | A clear niche (YARA-X detection rules) with distinct triggers such as crx module and dex module makes conflict with other skills unlikely, matching the distinct-niche anchor. | 3 / 3 |
| Total | | 12 / 12 |

Passed

Validation

87%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 14 / 16 Passed

Validation for skill structure

| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (646 lines); consider splitting into references/ and linking | Warning |
| relative_links | Relative link issues: 7 missing, 1 suspicious | Warning |
| Total | | 14 / 16 |

Passed

Repository: trailofbits/skills

Reviewed
