attack-tree-construction

Build comprehensive attack trees to visualize threat paths. Use when mapping attack scenarios, identifying defense gaps, or communicating security risks to stakeholders.

Quality

62%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Passed

No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./.agent/skills/attack-tree-construction/SKILL.md

Quality

Content

35%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill provides a reasonable high-level structure for attack tree construction but critically lacks actionability — there are no concrete examples, no sample attack tree format, no annotation schema, and no output template. The workflow is sequenced but missing validation steps. The skill relies heavily on an external playbook that isn't bundled, making it difficult to assess whether the overall package delivers sufficient guidance.

Suggestions

Add a concrete example of a small attack tree (even 3-4 nodes) showing the AND/OR structure, leaf annotations (cost, skill, time, detectability), and expected output format (e.g., Mermaid diagram, markdown outline, or structured JSON).

Define a specific annotation schema — e.g., a table or template showing exactly what 'cost', 'skill', 'time', and 'detectability' values look like (Low/Med/High? Numeric scales? Dollar amounts?).

Add a validation checkpoint after decomposition — e.g., 'Verify every leaf is a concrete, testable action; if a leaf is still abstract, decompose further.'

Include the referenced `resources/implementation-playbook.md` in the bundle, or inline the most critical patterns/templates so the skill is useful standalone.

Dimension	Reasoning	Score
Conciseness	Mostly efficient but includes some unnecessary sections like 'Do not use this skill when' with somewhat obvious guidance, and the 'Use this skill when' section largely restates the description. The instructions themselves are lean but the surrounding framing adds moderate bloat.	2 / 3
Actionability	The instructions are vague and abstract — 'Decompose into sub-goals with AND/OR structure' and 'Annotate leaves with cost, skill, time, and detectability' provide no concrete examples, no sample attack tree, no specific format or output structure. There is no executable or copy-paste-ready content whatsoever.	1 / 3
Workflow Clarity	Steps are listed in a logical sequence (confirm scope → decompose → annotate → map mitigations → prioritize), but there are no validation checkpoints, no feedback loops for verifying tree completeness or correctness, and no explicit criteria for when a step is 'done' before moving to the next.	2 / 3
Progressive Disclosure	References to `resources/implementation-playbook.md` and `sub-skills/implementation-playbook.md` are present, but no bundle files were provided to verify they exist. The references are one-level deep and clearly signaled, but the skill body itself is too thin — it defers almost all substance to external files without providing enough standalone value.	2 / 3
	Total	7 / 12 Passed

Description

89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a solid description with a clear 'Use when...' clause, good trigger terms, and a distinct niche in attack tree construction. Its main weakness is that the specificity of concrete actions could be improved by listing more discrete capabilities beyond 'build attack trees' and 'visualize threat paths.'

Suggestions

Add more specific concrete actions to improve specificity, e.g., 'enumerate attack vectors, assign risk scores, identify mitigation controls, generate visual tree diagrams.'

Dimension	Reasoning	Score
Specificity	It names the domain (attack trees, threat paths) and a primary action (build comprehensive attack trees), but doesn't list multiple specific concrete actions like 'enumerate threat actors, rank risk severity, generate mitigation recommendations.' The additional phrases like 'visualize threat paths' and 'identifying defense gaps' are somewhat concrete but lean more toward outcomes than discrete actions.	2 / 3
Completeness	Clearly answers both 'what' (build comprehensive attack trees to visualize threat paths) and 'when' (Use when mapping attack scenarios, identifying defense gaps, or communicating security risks to stakeholders) with an explicit 'Use when...' clause.	3 / 3
Trigger Term Quality	Includes strong natural keywords users would say: 'attack trees', 'threat paths', 'attack scenarios', 'defense gaps', 'security risks', 'stakeholders'. These cover the main ways a user would phrase requests in this domain.	3 / 3
Distinctiveness Conflict Risk	Attack trees are a very specific security analysis technique, making this clearly distinguishable from general security skills, threat modeling skills, or risk assessment skills. The trigger terms like 'attack trees' and 'threat paths' are niche enough to avoid conflicts.	3 / 3
	Total	11 / 12 Passed

Validation

90%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed

Validation for skill structure

Criteria	Description	Result
frontmatter_unknown_keys	Unknown frontmatter key(s) found; consider removing or moving to metadata	Warning

	Total	10 / 11 Passed

Repository: Dokhacgiakhoa/antigravity-ide
Commit: c4a059b

Reviewed: 5 days ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.