Close a case or alert with proper reason and documentation. Use when triage determines an alert is FP/BTP or investigation is complete. Requires artifact ID, type, closure reason, and root cause.
83
80%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/close-case-artifact/SKILL.md
Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, well-crafted skill description that clearly defines the action (closing cases/alerts), the trigger conditions (post-triage FP/BTP determination or investigation completion), and the required inputs. It uses domain-appropriate terminology that security analysts would naturally use, and its narrow scope makes it highly distinguishable from other skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists specific concrete actions: closing a case or alert, providing proper reason and documentation. Also specifies required parameters: artifact ID, type, closure reason, and root cause. | 3 / 3 |
| Completeness | Clearly answers both what ('Close a case or alert with proper reason and documentation') and when ('Use when triage determines an alert is FP/BTP or investigation is complete'), with explicit trigger conditions and required inputs. | 3 / 3 |
| Trigger Term Quality | Includes natural trigger terms users would say: 'close', 'case', 'alert', 'FP', 'BTP', 'triage', 'closure reason', 'root cause', 'investigation complete'. These are terms a security analyst would naturally use. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive — focuses specifically on closing/resolving security cases and alerts with specific closure workflows (FP/BTP determination). Unlikely to conflict with other skills due to the narrow, well-defined scope around case closure in a security operations context. | 3 / 3 |
| Total | 12 / 12 Passed | |
Implementation
60%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill is well-structured and concise, with clear input definitions and a useful closure patterns reference table. However, it lacks validation steps critical for a destructive operation—there's no verification that the artifact exists, that the root cause is valid, or that the closure succeeded. The code examples are also pseudocode rather than fully executable.
Suggestions
- Add a pre-closure validation step to verify the artifact exists and the root cause is valid (e.g., call get_case_settings_root_causes() first and confirm the root cause matches before closing).
- Add a post-closure verification step to check CLOSURE_STATUS and define error recovery behavior if closure fails.
- Specify the code block language (e.g., `` ```python ``) and make examples more executable with complete calling context.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is lean and efficient. It doesn't explain what cases or alerts are, assumes Claude understands SOAR concepts, and every section serves a clear purpose. The closure patterns table adds value without being verbose. | 3 / 3 |
| Actionability | The code blocks show specific function calls with named parameters, which is helpful, but they are pseudocode-style (no language specified, no imports, no complete executable context). The enum values and parameter names are concrete and specific, but the examples aren't fully copy-paste ready. | 2 / 3 |
| Workflow Clarity | The workflow is a single step ('Execute Closure') with no validation or verification. For a destructive operation (closing a case/alert), there's no validation checkpoint—no step to verify the artifact exists, confirm the root cause is valid before calling close, or verify the closure succeeded. Missing feedback loops for a destructive operation should cap this at 2, and the lack of even basic verification steps drops it to 1. | 1 / 3 |
| Progressive Disclosure | For a skill of this size and scope, the content is well-organized with clear sections (Inputs, Workflow, Outputs, Common Patterns, Root Causes). No unnecessary nesting or external references needed; the structure is appropriate for the complexity level. | 3 / 3 |
| Total | 9 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
086cbf6