Perform exhaustive analysis of a critical IOC. Use when an IOC needs Tier 2+ investigation beyond basic enrichment - includes GTI pivoting, deep SIEM searches, correlation with related entities, and threat attribution. For escalated IOCs requiring comprehensive investigation.
Score: 73
Quality: 67% (Does it follow best practices?)
Impact: Pending (no eval scenarios have been run)
Passed: no known issues
Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/deep-dive-ioc/SKILL.md`

Quality
Discovery
Score: 85%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its scope (exhaustive IOC analysis), lists specific actions (GTI pivoting, SIEM searches, correlation, attribution), and explicitly states when to use it (Tier 2+ escalated investigations). Its main weakness is that trigger terms lean heavily on technical jargon, which may not match how all users naturally phrase their requests, and it could benefit from mentioning specific IOC types (IPs, hashes, domains, URLs).
Suggestions
Add natural-language trigger terms and common IOC types users might mention, e.g., 'IP address', 'file hash', 'domain', 'URL', 'suspicious indicator', 'deep dive investigation'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'GTI pivoting, deep SIEM searches, correlation with related entities, and threat attribution.' Also specifies 'exhaustive analysis of a critical IOC' and 'Tier 2+ investigation beyond basic enrichment.' | 3 / 3 |
| Completeness | Clearly answers both what ('exhaustive analysis including GTI pivoting, deep SIEM searches, correlation, threat attribution') and when ('when an IOC needs Tier 2+ investigation beyond basic enrichment', 'for escalated IOCs requiring comprehensive investigation'). The 'Use when' clause is explicit. | 3 / 3 |
| Trigger Term Quality | Includes relevant domain terms like 'IOC', 'GTI pivoting', 'SIEM searches', 'threat attribution', and 'Tier 2+ investigation', but these are fairly technical and jargon-heavy. Missing natural user phrases like 'investigate indicator', 'deep dive on IP/hash/domain', 'escalated alert', or common IOC types (IP address, hash, domain). | 2 / 3 |
| Distinctiveness / Conflict Risk | Clearly distinguishes itself from basic IOC enrichment by specifying 'Tier 2+ investigation beyond basic enrichment' and 'escalated IOCs.' The combination of GTI pivoting, deep SIEM searches, correlation, and threat attribution creates a distinct niche unlikely to conflict with simpler enrichment or triage skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
Score: 50%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a reasonable framework for deep IOC investigation with clear step ordering and specific tool references, but falls short on actionability due to reliance on vague sub-skill references without concrete invocation examples. The workflow lacks validation checkpoints and error handling critical for a multi-step investigation process. Token efficiency could be improved by removing the comparison table and tightening several sections.
Suggestions
Add concrete, executable examples for Steps 5 and 7 instead of just referencing sub-skills - show actual tool calls with parameters
Include validation checkpoints between steps (e.g., 'If GTI returns no results, skip Step 3 and note limited intelligence in report' or 'Verify SIEM results contain relevant events before proceeding to enrichment')
Replace the placeholder UDM query in Step 4 with real example queries for each IOC type (e.g., actual UDM syntax for IP, domain, hash lookups)
Remove or significantly condense the 'When to Use This vs Basic Enrichment' table - this routing decision should be handled by the skill description, not the skill body
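The two suggestions about concrete UDM queries and validation checkpoints are easier to act on with a worked sketch. The block below is an added example, not part of the deep-dive-ioc skill or of Tessl's review: it classifies an IOC by type, builds a Google SecOps UDM search string for it, and runs the GTI-lookup, pivot, SIEM-search, enrich sequence with a checkpoint after each external call. The UDM field names (`principal.ip`, `target.ip`, `target.hostname`, `network.dns.questions.name`, `target.url`, `target.file.sha256`, and so on) are the commonly used ones and should be checked against your own tenant's schema; the GTI and SIEM callables are injected and the sample data is constructed, so everything here runs offline.

```python
"""Added example: IOC-type-specific UDM queries plus checkpoints between steps.
Not the skill's own code. GTI/SIEM calls are injected so the flow runs offline;
UDM field names are assumptions to verify against your tenant."""
import re

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HEX = re.compile(r"^[0-9a-fA-F]+$")
HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def classify_ioc(value):
    """Return 'ip', 'md5', 'sha1', 'sha256', 'url' or 'domain'; raise on anything else."""
    v = value.strip()
    if IPV4.match(v) and all(int(o) <= 255 for o in v.split(".")):
        return "ip"
    if HEX.match(v) and len(v) in HASH_BY_LEN:
        return HASH_BY_LEN[len(v)]
    if v.lower().startswith(("http://", "https://")):
        return "url"
    if DOMAIN.match(v):
        return "domain"
    raise ValueError(f"unrecognised IOC format: {value!r}")


def udm_query(value):
    """Build a UDM search string for the IOC (field names are assumptions; check your schema)."""
    kind = classify_ioc(value)
    v = value.strip().replace('"', '\\"')
    if kind == "ip":
        return f'(principal.ip = "{v}" OR target.ip = "{v}")'
    if kind == "domain":
        v = v.lower()
        return f'(target.hostname = "{v}" OR network.dns.questions.name = "{v}")'
    if kind == "url":
        return f'target.url = "{v}"'
    v = v.lower()  # hashes are stored lower-case
    return f'(target.file.{kind} = "{v}" OR principal.process.file.{kind} = "{v}")'


def run_deep_dive(ioc, gti_lookup, siem_search):
    """GTI lookup -> pivot -> SIEM search -> enrich, with a checkpoint after each call.
    Empty results are recorded in the report instead of silently continuing."""
    report = {"ioc": ioc, "type": classify_ioc(ioc), "steps": [], "notes": [], "related": []}

    gti = gti_lookup(ioc)
    report["steps"].append("gti_lookup")
    if not gti:  # checkpoint: nothing to pivot on, say so in the report
        report["notes"].append("GTI returned no results; pivot skipped, intelligence limited")
    else:
        report["related"] = sorted(gti.get("related", []))
        report["steps"].append("gti_pivot")

    report["query"] = udm_query(ioc)
    events = siem_search(report["query"])
    report["steps"].append("siem_search")
    # checkpoint: keep only events that actually contain the IOC before enriching
    relevant = [e for e in events if ioc.lower() in {str(x).lower() for x in e.values()}]
    if not relevant:
        report["notes"].append(f"SIEM search returned no events matching {ioc}; enrichment skipped")
    else:
        report["event_count"] = len(relevant)
        report["steps"].append("enrich")
    return report


# Constructed sample data (documentation-range IPs, example domains); not real intel.
SAMPLE_GTI = {"203.0.113.7": {"related": ["evil.example.com", "c2-fallback.example.net"]}}
SAMPLE_EVENTS = [
    {"metadata.event_type": "NETWORK_CONNECTION", "principal.ip": "10.0.0.5", "target.ip": "203.0.113.7"},
    {"metadata.event_type": "NETWORK_CONNECTION", "principal.ip": "10.0.0.9", "target.ip": "198.51.100.2"},
]


def sample_gti_lookup(ioc):
    return SAMPLE_GTI.get(ioc, {})


def sample_siem_search(query):
    """Toy matcher: return events containing any quoted literal from the query."""
    literals = set(re.findall(r'"([^"]*)"', query))
    return [e for e in SAMPLE_EVENTS if literals & set(e.values())]


if __name__ == "__main__":
    print(run_deep_dive("203.0.113.7", sample_gti_lookup, sample_siem_search))
    print(run_deep_dive("198.51.100.250", sample_gti_lookup, sample_siem_search))
```

In a real skill the `gti_lookup` and `siem_search` arguments would wrap the actual GTI and Chronicle tool calls, and the `notes` list is what the report step should surface so the analyst can see where intelligence was missing rather than inferring it from a thin report.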
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Generally efficient but includes some unnecessary sections like the 'When to Use This vs Basic Enrichment' comparison table and the 'Inputs' section, which could be more terse. The comparison table explains routing logic Claude could infer from the skill description. However, most content is reasonably lean. | 2 / 3 |
| Actionability | Provides specific tool calls and parameters, which is good, but many steps use pseudo-references like '/enrich-ioc' and '/correlate-ioc' without showing the actual tool invocations. Steps 5 and 7 are particularly vague, saying 'Use /enrich-ioc' or 'Use /document-in-case' without concrete executable examples. The SIEM search query is a placeholder rather than a real UDM query. | 2 / 3 |
| Workflow Clarity | The 7-step sequence is clearly ordered and logically structured, but there are no validation checkpoints or error handling. For a complex multi-step investigation involving multiple API calls and pivoting, there is no guidance on what to do if GTI returns no results, if SIEM searches are empty, or how to verify findings before reporting. Missing feedback loops for this type of complex operation. | 2 / 3 |
| Progressive Disclosure | References other skills (/enrich-ioc, /correlate-ioc, /pivot-on-ioc, /document-in-case, /generate-report), which is good progressive disclosure, but the main content itself is somewhat long and could benefit from separating the detailed relationship tables or output schemas into referenced files. The structure is decent but not optimally organized. | 2 / 3 |
| Total | | 8 / 12 Passed |
Validation
Score: 90%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
086cbf6