Guide rapid triage and initial response to security incidents following NIST SP 800-61 methodology. Use when the user mentions 'incident response,' 'security incident,' 'triage,' 'we've been hacked,' 'breach,' 'compromised,' 'malware detected,' 'suspicious activity,' 'IOC,' 'indicators of compromise,' or needs help handling a security event.
68
83% (Does it follow best practices?)
Impact: — (No eval scenarios have been run)
Advisory: Suggest reviewing before use
Quality
Discovery
89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description with excellent trigger term coverage and completeness, clearly answering both what the skill does and when to use it. The main weakness is that the 'what' portion could be more specific about the concrete actions performed beyond 'triage and initial response.' The NIST SP 800-61 reference and extensive trigger terms make it highly distinctive and unlikely to conflict with other skills.
Suggestions
Expand the capability description with more concrete actions, e.g., 'classify incident severity, identify indicators of compromise, recommend containment strategies, document incident timelines' to improve specificity.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description names the domain (security incidents) and mentions specific actions like 'rapid triage' and 'initial response,' and references a specific methodology (NIST SP 800-61). However, it doesn't list multiple concrete actions beyond triage and initial response — it lacks specifics like 'classify severity levels, document indicators of compromise, recommend containment steps.' | 2 / 3 |
| Completeness | Clearly answers both 'what' (guide rapid triage and initial response to security incidents following NIST SP 800-61) and 'when' (explicit 'Use when...' clause with a comprehensive list of trigger scenarios). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms users would actually say: 'incident response,' 'security incident,' 'triage,' 'we've been hacked,' 'breach,' 'compromised,' 'malware detected,' 'suspicious activity,' 'IOC,' 'indicators of compromise,' and 'security event.' These span both technical and colloquial language. | 3 / 3 |
| Distinctiveness / Conflict Risk | The description carves out a clear niche — security incident triage and initial response using NIST SP 800-61. The specific trigger terms like 'IOC,' 'breach,' 'we've been hacked,' and the NIST methodology reference make it highly distinguishable from general security or IT skills. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
77%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, actionable incident response skill with a well-sequenced workflow and concrete, executable commands. Its main weaknesses are moderate verbosity (especially the cross-references block and some classifications Claude already knows) and a monolithic structure that could benefit from splitting detailed reference material into separate files. The output template and boundaries section are excellent additions that make this highly practical.
Suggestions
Trim the cross-references into a compact bullet list or table rather than a dense paragraph, and move detailed classification lists (malware subtypes, severity definitions) to a separate reference file since Claude already understands these concepts.
Remove explanatory parentheticals like '(most volatile first)' and category examples that Claude already knows (e.g., 'ransomware, trojan, worm, cryptominer') to improve token efficiency.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The cross-references paragraph at the top is verbose and could be a compact list. The priorities section and some explanations (e.g., what malware types are, what IOC types mean) explain things Claude already knows. However, the core workflow steps are reasonably tight and the tables/commands are efficient. | 2 / 3 |
| Actionability | Provides fully executable bash commands for evidence collection on both Linux and Windows, specific containment actions by category, a complete output template with tables and checklists, and concrete IOC extraction guidance. The skill is copy-paste ready for real incident response. | 3 / 3 |
| Workflow Clarity | The 5-step workflow is clearly sequenced with logical ordering (classify → contain → preserve → analyze → extract IOCs). Critical validation checkpoints are present (e.g., 'Do NOT power off systems,' volatility ordering for evidence, escalation checklist). The output format includes status tracking and checklists for verification. | 3 / 3 |
| Progressive Disclosure | The cross-references mention many related skills (disk-forensics, siem-detection, etc.) but none are actual files in a bundle. The content is somewhat monolithic — the output template, IOC table, and evidence commands could be split into referenced files. However, the sections are well-organized with clear headers. | 2 / 3 |
| Total | 10 / 12 Passed | |
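As an added illustration of the IOC-extraction step that the review above credits the skill with (example code written for this page, not the skill's own commands or output template), the script below pulls IPv4 addresses, domains, URLs and file hashes out of pasted triage text, keeps internal hosts apart from external addresses so they are not fed to a blocklist, drops URL path components that only look like domains, and defangs network indicators before they go into a report table. The sample log lines, the helper names and the internal-range list are assumptions of the example; the two hashes are the MD5 and SHA-256 of empty input, not real malware.

```python
"""Extract and defang IOCs from pasted triage text (added example, not the skill's code)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample lines in the shape an analyst might paste during triage.
# The hashes are the MD5/SHA-256 of empty input, chosen only so the values are recognisable.
SAMPLE_LOG = """\
2024-05-02T10:14:07Z sshd[2211]: Accepted password for backup from 203.0.113.45 port 51022 ssh2
2024-05-02T10:14:09Z proxy: GET http://update-cdn.example.net/payload.bin by 10.0.0.23 -> 203.0.113.45
2024-05-02T10:14:11Z edr: quarantined /tmp/.x/svchost sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2024-05-02T10:14:12Z edr: parent hash md5=d41d8cd98f00b204e9800998ecf8427e beacon to c2.example.net:443
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)
HASH_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}

# Assumed "internal" ranges: RFC 1918 plus loopback and link-local. Internal addresses are
# still IOCs (they scope the incident) but must not be pushed to a perimeter blocklist.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class IocSet:
    ipv4: set[str] = field(default_factory=set)           # external addresses
    internal_ipv4: set[str] = field(default_factory=set)  # in-scope internal hosts
    domains: set[str] = field(default_factory=set)
    urls: set[str] = field(default_factory=set)
    hashes: dict[str, str] = field(default_factory=dict)  # hex digest -> algorithm


def _add_ipv4(iocs: IocSet, raw: str) -> bool:
    """Record a dotted quad if it is a valid address; False for look-alikes such as 999.1.1.1."""
    try:
        ip = ipaddress.IPv4Address(raw)
    except ValueError:
        return False
    bucket = iocs.internal_ipv4 if any(ip in net for net in INTERNAL_NETS) else iocs.ipv4
    bucket.add(str(ip))
    return True


def extract_iocs(text: str) -> IocSet:
    iocs = IocSet()
    # URLs first: take the host from the parsed URL, then blank the URL out so that path
    # components such as payload.bin are not later mistaken for domains.
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")
        iocs.urls.add(url)
        host = urlsplit(url).hostname or ""
        if not _add_ipv4(iocs, host) and DOMAIN_RE.fullmatch(host):
            iocs.domains.add(host.lower())
    stripped = URL_RE.sub(" ", text)
    for raw in IPV4_RE.findall(stripped):
        _add_ipv4(iocs, raw)
    for dom in DOMAIN_RE.findall(stripped):
        iocs.domains.add(dom.lower())
    for digest in HASH_RE.findall(stripped):
        iocs.hashes[digest.lower()] = HASH_ALGO[len(digest)]
    return iocs


def defang(indicator: str) -> str:
    """Make a network indicator non-clickable for reports and chat: http -> hxxp, '.' -> '[.]'."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def render_table(iocs: IocSet) -> list[str]:
    """Markdown rows for the incident write-up; network indicators are defanged, hashes are not."""
    rows = ["| Type | Indicator | Note |", "|---|---|---|"]
    for ip in sorted(iocs.ipv4):
        rows.append(f"| ipv4 | {defang(ip)} | external, candidate for blocking |")
    for ip in sorted(iocs.internal_ipv4):
        rows.append(f"| ipv4 | {defang(ip)} | internal host, scope and contain rather than block |")
    for dom in sorted(iocs.domains):
        rows.append(f"| domain | {defang(dom)} | |")
    for url in sorted(iocs.urls):
        rows.append(f"| url | {defang(url)} | |")
    for digest, algo in sorted(iocs.hashes.items()):
        rows.append(f"| {algo} | {digest} | |")
    return rows


if __name__ == "__main__":
    print("\n".join(render_table(extract_iocs(SAMPLE_LOG))))
```

Run as a script it prints the table for the sample lines; in practice the input is whatever the analyst pasted (EDR alert, proxy log, ticket text). Regex-only extraction is a first pass: a real pipeline should also check candidate domains against an allowlist of the organisation's own infrastructure and against a TLD list before the table reaches a blocklist.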
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
| Total | 10 / 11 Passed | |
c9ade03