Guide rapid triage and initial response to security incidents following NIST SP 800-61 methodology. Use when the user mentions 'incident response,' 'security incident,' 'triage,' 'we've been hacked,' 'breach,' 'compromised,' 'malware detected,' 'suspicious activity,' 'IOC,' 'indicators of compromise,' or needs help handling a security event.
No eval scenarios have been run. Advisory: suggest reviewing before use.

Discovery (89%)
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description with excellent trigger term coverage and completeness. The explicit 'Use when...' clause with both technical and colloquial terms is particularly well done. The main area for improvement is in specificity of capabilities—the 'what it does' portion could enumerate more concrete actions beyond 'triage and initial response.'
Suggestions
Expand the capability description to list more specific actions, e.g., 'classify incident severity, recommend containment steps, identify indicators of compromise, document incident timeline, guide evidence preservation.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain (security incidents) and mentions specific actions like 'rapid triage' and 'initial response,' and references a specific methodology (NIST SP 800-61). However, it doesn't list multiple concrete actions beyond triage and initial response—it could be more specific about what actions it performs (e.g., classify severity, identify containment steps, document timeline, collect IOCs). | 2 / 3 |
| Completeness | Clearly answers both 'what' (guide rapid triage and initial response to security incidents following NIST SP 800-61) and 'when' (explicit 'Use when...' clause with a thorough list of trigger scenarios). Both components are well-articulated. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms including both formal terms ('incident response,' 'indicators of compromise,' 'IOC,' 'triage') and colloquial phrases users would actually say ('we've been hacked,' 'breach,' 'compromised,' 'malware detected,' 'suspicious activity'). This is comprehensive and covers many natural variations. | 3 / 3 |
| Distinctiveness / Conflict Risk | The description carves out a clear niche—security incident triage and initial response following a specific framework (NIST SP 800-61). The trigger terms are specific to security incident response and unlikely to conflict with general security skills like vulnerability scanning or penetration testing. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation (77%)
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, actionable incident response skill with a clear multi-step workflow, executable commands, and a comprehensive output template. Its main weakness is that it's somewhat long for a single SKILL.md file — the detailed report template and analysis checklists could benefit from being split into separate bundle files. Some of the classification content (incident types, severity levels) is standard knowledge that Claude likely already possesses, though it serves a useful checklist function.
Suggestions
Consider moving the full output report template to a separate TEMPLATE.md file and referencing it from the main skill, reducing the SKILL.md length while preserving the actionable template.
Trim the incident type and severity classification lists to focus on decision-relevant distinctions rather than exhaustive categorization that Claude already knows.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is mostly efficient and well-structured, but includes some information Claude already knows (e.g., basic incident types, what IOCs are, common analysis techniques like checking process trees). The severity classification and incident type lists are somewhat standard knowledge but serve as useful checklists. The output template is lengthy but justified as a concrete deliverable. | 2 / 3 |
| Actionability | Provides executable bash commands for evidence collection on both Linux and Windows, specific containment actions by category, a complete markdown report template that's copy-paste ready, and concrete checklists. The guidance is specific and directly usable. | 3 / 3 |
| Workflow Clarity | The 5-step workflow is clearly sequenced with logical ordering (classify → contain → preserve → analyze → extract IOCs). The priorities are explicitly ordered, the evidence collection follows volatility order, and the containment step includes a critical validation warning about not powering off systems. The output template includes checklists for tracking completion. | 3 / 3 |
| Progressive Disclosure | The content is well-organized with clear sections and headers, but it's a fairly long monolithic document (~150 lines) with no bundle files to offload detailed content. The IOC table, output template, and analysis checklist could be split into separate reference files. The references section lists external documents but doesn't link to any bundle files for deeper guidance. | 2 / 3 |
| Total | | 10 / 12 Passed |
Validation (90%)
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| Total | | 10 / 11 Passed |