yara-rule-authoring

Guides authoring of high-quality YARA-X detection rules for malware identification. Use when writing, reviewing, or optimizing YARA rules. Covers naming conventions, string selection, performance optimization, migration from legacy YARA, and false positive reduction. Triggers on: YARA, YARA-X, malware detection, threat hunting, IOC, signature, crx module, dex module.

Overall score: 94 (1.61x)

Quality: 92% (does it follow best practices?)

Impact: 100% (1.61x, average score across 3 eval scenarios)

Security (by Snyk): Passed, no known issues

Quality

Discovery: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly defines its scope, provides specific capabilities, and includes explicit trigger guidance. It covers both the 'what' and 'when' comprehensively, uses domain-appropriate terminology that users would naturally employ, and occupies a clearly distinct niche that minimizes conflict risk with other skills.

Dimension / Reasoning / Score

Specificity (3 / 3): Lists multiple specific concrete actions: authoring YARA-X detection rules, naming conventions, string selection, performance optimization, migration from legacy YARA, and false positive reduction.

Completeness (3 / 3): Clearly answers both 'what' (guides authoring of YARA-X detection rules, covers naming conventions, string selection, performance optimization, migration, false positive reduction) and 'when' (explicit 'Use when writing, reviewing, or optimizing YARA rules' plus a 'Triggers on' clause with specific keywords).

Trigger Term Quality (3 / 3): Excellent coverage of natural trigger terms including 'YARA', 'YARA-X', 'malware detection', 'threat hunting', 'IOC', 'signature', plus specific module names like 'crx module' and 'dex module'. These are terms users in this domain would naturally use.

Distinctiveness / Conflict Risk (3 / 3): Highly distinctive niche focused specifically on YARA-X detection rules for malware identification. The domain-specific terminology (YARA-X, crx module, dex module, IOC) makes it very unlikely to conflict with other skills.

Total: 12 / 12

Passed

Implementation: 85%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a high-quality, comprehensive YARA-X rule authoring skill with excellent actionability and progressive disclosure. The decision trees, concrete examples, and clear workflow make it immediately useful. The main weakness is length — some sections (rationalizations table, redundant platform coverage) could be trimmed or moved to reference files to improve token efficiency, though the content itself is valuable.

Suggestions

Consider moving the 'Rationalizations to Reject' table and some of the more detailed decision trees (e.g., JavaScript Detection Decision Tree, macOS section) to reference files to reduce the main skill's token footprint while preserving the information.

Dimension / Reasoning / Score

Conciseness (2 / 3): The skill is comprehensive but quite long (646 lines). While most content is actionable, there is some redundancy (e.g., the 'Rationalizations to Reject' table is extensive, macOS patterns appear in both the platform table and a dedicated section, and the 'When to Use/When NOT to Use' sections explain things Claude can infer). However, it avoids explaining basic concepts and most content earns its place.

Actionability (3 / 3): Excellent actionability throughout: executable YARA rule examples, specific CLI commands (yr check, yr scan, yr fmt, yr dump), concrete hex patterns, real tool invocations (yarGen, FLOSS), and copy-paste ready code blocks. Decision trees provide specific, concrete guidance for common scenarios.

Workflow Clarity (3 / 3): The 7-step workflow is clearly sequenced with validation checkpoints (yr check, yr fmt, goodware validation). The rule development cycle includes explicit validation steps, the FP debugging flow has clear decision points, and the quality checklist serves as a final verification gate. Destructive/batch operations aren't relevant here, but the feedback loops for rule quality are well-defined.

Progressive Disclosure (3 / 3): Excellent progressive disclosure: the main skill provides an overview with clear references to one-level-deep documents (references/style-guide.md, references/performance.md, references/strings.md, references/testing.md, references/crx-module.md, references/dex-module.md, workflows/rule-development.md, examples/). Navigation is well-organized with reference tables and inline links at appropriate points.

Total: 11 / 12

Passed
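The evaluation above credits the skill with executable rule examples and a check/format/scan workflow. The rule below is an added example written for this page, not a rule from the trailofbits/skills repository: it shows the authoring practices the skill description lists (a descriptive rule name, distinctive family-specific strings with `ascii wide` where relevant, a wildcarded hex pattern, and cheap structural checks ahead of string logic in the condition). The family name, strings, hex bytes, date and reference URL are all constructed placeholders and do not describe any real malware.

```yara
import "pe"

// Added example with constructed indicators; the family "ExampleLoader",
// every string, the hex pattern and all metadata are placeholders.
rule MAL_Win_ExampleLoader_Demo
{
    meta:
        description = "Detects the constructed ExampleLoader placeholder used in this example"
        author      = "added example, not from trailofbits/skills"
        date        = "2024-01-01"
        reference   = "https://example.invalid/placeholder"
        score       = 70

    strings:
        // Prefer artifacts unique to the family over generic API or DLL names,
        // which appear in goodware and drive false positives.
        $mutex   = "Global\\ExLdr-7f3a" ascii wide
        $ua      = "Mozilla/4.0 (compatible; ExLdrClient)" ascii
        $cfg_key = "exldr.cfg.v2" ascii
        // Hex with nibble wildcards for a (constructed) XOR decode loop;
        // avoid one- or two-byte atoms, which are expensive to scan for.
        $decode  = { 8A 04 0E 34 ?? 88 04 0F 41 3B CA 72 F? }

    condition:
        // Cheap header and size checks first so non-PE and oversized files
        // are rejected before any string logic is evaluated.
        uint16(0) == 0x5A4D
        and filesize < 2MB
        and pe.is_pe
        and (
            ($mutex and $cfg_key)
            or ($decode and 1 of ($ua, $mutex))
        )
}
```

Following the checkpoints named in the evaluation, the rule is validated with `yr check rule.yar`, normalized with `yr fmt rule.yar`, and then run with `yr scan rule.yar <target>` against both the sample set and a goodware corpus; any hit on goodware means a string is not distinctive enough and should be replaced or combined with another before the rule ships.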

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 passed

Validation for skill structure

Criteria / Description / Result

skill_md_line_count: SKILL.md is long (646 lines); consider splitting into references/ and linking. Result: Warning

Total: 10 / 11

Passed

Repository: trailofbits/skills (Reviewed)
