Enrich an IOC (IP, domain, hash, URL) with threat intelligence. Use when you need to look up reputation and context for an indicator using GTI and SIEM. Returns threat intel findings, SIEM entity summary, and IOC match status.
93
Does it follow best practices?
Validation for skill structure
Discovery
100% Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that excels across all dimensions. It uses third person voice correctly, provides specific capabilities with concrete indicator types, includes a clear 'Use when...' clause, and has distinctive security-focused terminology that minimizes conflict risk with other skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'Enrich an IOC', 'look up reputation and context', and specifies return values including 'threat intel findings, SIEM entity summary, and IOC match status'. Clearly names the domain (threat intelligence) and specific indicator types (IP, domain, hash, URL). | 3 / 3 |
| Completeness | Clearly answers both what ('Enrich an IOC with threat intelligence', 'Returns threat intel findings, SIEM entity summary, and IOC match status') AND when ('Use when you need to look up reputation and context for an indicator using GTI and SIEM') with explicit trigger guidance. | 3 / 3 |
| Trigger Term Quality | Includes excellent natural keywords users would say: 'IOC', 'IP', 'domain', 'hash', 'URL', 'threat intelligence', 'reputation', 'GTI', 'SIEM'. Covers both technical terms security analysts use and the specific indicator types they'd mention. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive with clear niche in security/threat intelligence domain. Specific triggers like 'IOC', 'GTI', 'SIEM', 'threat intelligence', and indicator types (IP, domain, hash, URL) are unlikely to conflict with non-security skills. | 3 / 3 |
| Total | 12 / 12 Passed | |
Implementation
87% Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-crafted skill that efficiently maps IOC types to specific tools with concrete examples. The workflow is clear and actionable, though it could benefit from explicit validation steps between enrichment phases. The required outputs table provides excellent clarity on expected deliverables.
Suggestions
- Add a validation checkpoint after Step 1 to verify GTI_FINDINGS contains expected fields before proceeding to SIEM enrichment
- Include guidance on how to derive THREAT_SCORE and MALICIOUS_CONFIDENCE from the raw GTI data (e.g., mapping reputation scores to confidence levels)

| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is lean and efficient, using tables for tool mappings and avoiding unnecessary explanations. Every section serves a clear purpose without explaining concepts Claude already knows. | 3 / 3 |
| Actionability | Provides specific tool names, exact function signatures with parameters, and concrete examples for each IOC type. The workflow is copy-paste ready with clear tool invocations. | 3 / 3 |
| Workflow Clarity | Steps are clearly sequenced (GTI → SIEM Entity → SIEM IOC Match), but lacks validation checkpoints between steps. No feedback loop for handling partial failures or verifying output quality before proceeding. | 2 / 3 |
| Progressive Disclosure | Well-organized with clear sections (Inputs, Workflow, Required Outputs, Quick Reference). For a skill of this size (~60 lines), the structure is appropriate without needing external file references. | 3 / 3 |
| Total | 11 / 12 Passed | |
Validation
90% Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |