Enrich an IOC (IP, domain, hash, URL) with threat intelligence. Use when you need to look up reputation and context for an indicator using GTI and SIEM. Returns threat intel findings, SIEM entity summary, and IOC match status.
94
93% Does it follow best practices?
Impact: Pending. No eval scenarios have been run.
Passed. No known issues.
Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its purpose (IOC enrichment with threat intelligence), specifies the supported indicator types, names the tools involved (GTI and SIEM), and includes an explicit 'Use when' clause with natural trigger terms. The description is concise, specific, and well-structured for skill selection among many options.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: enrich an IOC, look up reputation and context, and specifies return values (threat intel findings, SIEM entity summary, IOC match status). Also enumerates the IOC types (IP, domain, hash, URL). | 3 / 3 |
| Completeness | Clearly answers both 'what' (enrich an IOC with threat intelligence, return findings/entity summary/IOC match status) and 'when' (explicit 'Use when you need to look up reputation and context for an indicator using GTI and SIEM'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms users would say: 'IOC', 'IP', 'domain', 'hash', 'URL', 'threat intelligence', 'reputation', 'GTI', 'SIEM', 'indicator'. These cover the common vocabulary a security analyst would use. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive with a clear niche in threat intelligence IOC enrichment. The specific mention of GTI, SIEM, IOC types, and threat intel context makes it very unlikely to conflict with other skills. | 3 / 3 |
| Total | 12 / 12 Passed |
Implementation
87%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured, concise skill that provides clear actionable guidance for IOC enrichment using specific GTI and SIEM tools. Its main weakness is the lack of validation/error handling for SIEM steps and no feedback loop when things go wrong beyond the GTI step. The quick reference section and output table are excellent additions that make the skill easy to follow.
Suggestions
Add error handling guidance for Steps 2 and 3 (SIEM lookups), similar to the GTI error handling note in Step 1, and specify what outputs should contain when a step fails.
Add a brief validation checkpoint after Step 3 to verify all required outputs are populated before reporting, with guidance on partial results.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is lean and efficient. It avoids explaining what IOCs are, what threat intelligence is, or how MCP tools work. Every section serves a direct purpose—inputs, workflow steps, outputs, and a quick reference. No wasted tokens. | 3 / 3 |
| Actionability | Provides specific tool names, exact function signatures with parameter names, and concrete examples for each IOC type. The table mapping IOC types to tools with examples is immediately actionable, and the output requirements are precisely defined. | 3 / 3 |
| Workflow Clarity | The three steps are clearly sequenced and the error handling note for GTI failure is good. However, there's no validation checkpoint—e.g., no step to verify that the entity lookup returned valid data before proceeding, and no feedback loop if SIEM lookups fail. The workflow also doesn't address what to do if Step 3's get_ioc_matches() fails or returns unexpected results. | 2 / 3 |
| Progressive Disclosure | For a skill of this size (~60 lines), the content is well-organized with clear sections: inputs, workflow steps, required outputs, and a quick reference. No external references are needed, and the structure supports easy scanning and navigation. | 3 / 3 |
| Total | 11 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
086cbf6