Enrich an IOC (IP, domain, hash, URL) with threat intelligence. Use when you need to look up reputation and context for an indicator using GTI and SIEM. Returns threat intel findings, SIEM entity summary, and IOC match status.
94
93%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that excels across all dimensions. It clearly specifies the capability (IOC enrichment), lists concrete IOC types and tools, includes a proper 'Use when' clause with natural trigger terms, and describes expected outputs. The security-focused terminology creates a distinct niche with minimal conflict risk.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'Enrich an IOC', 'look up reputation and context', and specifies outputs: 'threat intel findings, SIEM entity summary, and IOC match status'. Also explicitly names the IOC types (IP, domain, hash, URL) and tools (GTI, SIEM). | 3 / 3 |
| Completeness | Clearly answers both what ('Enrich an IOC with threat intelligence', 'Returns threat intel findings, SIEM entity summary, and IOC match status') and when ('Use when you need to look up reputation and context for an indicator using GTI and SIEM') with explicit trigger guidance. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'IOC', 'IP', 'domain', 'hash', 'URL', 'threat intelligence', 'reputation', 'indicator', 'GTI', 'SIEM'. These are terms security analysts would naturally use when needing this capability. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive with clear niche in threat intelligence/security domain. Specific tool references (GTI, SIEM) and security-specific terminology (IOC, threat intel, reputation) make it unlikely to conflict with other skills. | 3 / 3 |
| Total | 12 / 12 Passed | |
Implementation
87%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured, actionable skill that efficiently maps IOC types to specific tools with concrete examples. The workflow is clear but could benefit from explicit validation steps between enrichment phases, particularly for verifying GTI results before proceeding to SIEM lookups. The Quick Reference section is a nice touch for rapid tool lookup.
Suggestions
- Add an explicit validation checkpoint after Step 1 to verify that GTI_FINDINGS contains the expected fields before proceeding to SIEM enrichment.
- Include a brief verification step at the end to confirm that all required outputs are populated before reporting results.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is lean and efficient, using tables for tool mappings and avoiding unnecessary explanations. Every section serves a clear purpose without explaining concepts Claude already knows. | 3 / 3 |
| Actionability | Provides specific tool names, exact function signatures with parameters, and concrete examples for each IOC type. The workflow is copy-paste ready with clear tool invocations. | 3 / 3 |
| Workflow Clarity | Steps are clearly sequenced (GTI → SIEM Entity → SIEM IOC Match), but lacks validation checkpoints between steps. No feedback loop for handling partial failures or verifying output quality before proceeding. | 2 / 3 |
| Progressive Disclosure | Well-organized with clear sections (Inputs, Workflow, Required Outputs, Quick Reference). For a skill of this size (~60 lines), the structure is appropriate without needing external file references. | 3 / 3 |
| Total | 11 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |
4d132c7