enrich-ioc

Enrich an IOC (IP, domain, hash, URL) with threat intelligence. Use when you need to look up reputation and context for an indicator using GTI and SIEM. Returns threat intel findings, SIEM entity summary, and IOC match status.

Quality

93%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Passed

No known issues

Quality

Content

87%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured, concise skill that provides clear actionable guidance for IOC enrichment using specific GTI and SIEM tools. Its main weakness is the lack of validation/error handling for SIEM steps and no feedback loop when things go wrong beyond the GTI step. The quick reference section and output table are excellent additions that make the skill easy to follow.

Suggestions

Add error handling guidance for Steps 2 and 3 (SIEM lookups), similar to the GTI error handling note in Step 1, and specify what outputs should contain when a step fails.

Add a brief validation checkpoint after Step 3 to verify all required outputs are populated before reporting, with guidance on partial results.

Dimension	Reasoning	Score
Conciseness	The skill is lean and efficient. It avoids explaining what IOCs are, what threat intelligence is, or how MCP tools work. Every section serves a direct purpose—inputs, workflow steps, outputs, and a quick reference. No wasted tokens.	3 / 3
Actionability	Provides specific tool names, exact function signatures with parameter names, and concrete examples for each IOC type. The table mapping IOC types to tools with examples is immediately actionable, and the output requirements are precisely defined.	3 / 3
Workflow Clarity	The three steps are clearly sequenced and the error handling note for GTI failure is good. However, there's no validation checkpoint—e.g., no step to verify that the entity lookup returned valid data before proceeding, and no feedback loop if SIEM lookups fail. The workflow also doesn't address what to do if Step 3's get_ioc_matches() fails or returns unexpected results.	2 / 3
Progressive Disclosure	For a skill of this size (~60 lines), the content is well-organized with clear sections: inputs, workflow steps, required outputs, and a quick reference. No external references are needed, and the structure supports easy scanning and navigation.	3 / 3
	Total	11 / 12 Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description that clearly defines its purpose (IOC enrichment with threat intelligence), specifies the supported indicator types, names the tools involved (GTI and SIEM), and includes an explicit 'Use when' clause with natural trigger terms. The description is concise, specific, and well-structured for skill selection among many options.

Dimension	Reasoning	Score
Specificity	Lists multiple specific concrete actions: enrich an IOC, look up reputation and context, and specifies return values (threat intel findings, SIEM entity summary, IOC match status). Also enumerates the IOC types (IP, domain, hash, URL).	3 / 3
Completeness	Clearly answers both 'what' (enrich an IOC with threat intelligence, return findings/entity summary/IOC match status) and 'when' (explicit 'Use when you need to look up reputation and context for an indicator using GTI and SIEM').	3 / 3
Trigger Term Quality	Includes strong natural trigger terms users would say: 'IOC', 'IP', 'domain', 'hash', 'URL', 'threat intelligence', 'reputation', 'GTI', 'SIEM', 'indicator'. These cover the common vocabulary a security analyst would use.	3 / 3
Distinctiveness Conflict Risk	Highly distinctive with a clear niche in threat intelligence IOC enrichment. The specific mention of GTI, SIEM, IOC types, and threat intel context makes it very unlikely to conflict with other skills.	3 / 3
	Total	12 / 12 Passed

Validation

90%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed

Validation for skill structure

Criteria	Description	Result
frontmatter_unknown_keys	Unknown frontmatter key(s) found; consider removing or moving to metadata	Warning

	Total	10 / 11 Passed

Repository: dandye/ai-runbooks
Commit: 086cbf6

Reviewed: 2 months ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.