Complete Tier 2 investigation workflow. Orchestrates deep investigation of escalated cases: deep-dive-ioc, correlate-ioc, specialized triage (malware/login), pivot-on-ioc, and generate comprehensive report. Use for escalated cases requiring thorough analysis.
Install with Tessl CLI
npx tessl i github:dandye/ai-runbooks --skill full-investigation
76
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skill
Discovery
85%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines a specific security investigation workflow with concrete actions and explicit usage triggers. The main weakness is the heavy use of technical jargon (IOC, Tier 2) which may not match how all users naturally phrase requests. The description effectively distinguishes itself from other skills through its specialized security focus.
Suggestions
Expand trigger terms to include more natural language variations like 'security incident', 'threat investigation', 'indicator of compromise', or 'suspicious activity analysis'
Consider adding file types or data sources this skill works with (e.g., 'logs', 'alerts', 'SIEM data') to improve trigger matching
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'deep-dive-ioc', 'correlate-ioc', 'specialized triage (malware/login)', 'pivot-on-ioc', and 'generate comprehensive report'. These are specific workflow steps in a security investigation context. | 3 / 3 |
| Completeness | Clearly answers both what ('Orchestrates deep investigation of escalated cases' with specific steps) and when ('Use for escalated cases requiring thorough analysis'). Has explicit 'Use for...' trigger guidance. | 3 / 3 |
| Trigger Term Quality | Includes some relevant terms like 'Tier 2', 'escalated cases', 'investigation', 'IOC', 'malware', 'login', but uses technical jargon that may not match natural user language. Missing common variations like 'security incident', 'threat analysis', 'indicator of compromise'. | 2 / 3 |
| Distinctiveness / Conflict Risk | Very specific niche: 'Tier 2 investigation workflow' with distinct security-focused triggers like 'escalated cases', 'IOC', 'malware/login triage'. Unlikely to conflict with general document or code skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
62%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured orchestration skill with excellent workflow clarity, clear decision routing, and good error handling. However, it lacks concrete executable examples (relying on skill invocations without showing underlying API calls) and could be more concise by removing the redundant ASCII diagram or trimming the performance targets section. The skill effectively documents a complex multi-phase investigation process but assumes familiarity with the referenced sub-skills.
Suggestions
Add concrete executable examples for at least one phase showing actual API calls or tool usage, not just skill invocations
Remove or significantly condense the ASCII workflow diagram since the detailed steps section covers the same information more precisely
Link to documentation for referenced skills (e.g., `/deep-dive-ioc`, `/correlate-ioc`) or briefly describe what each does for context
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is reasonably efficient but includes some redundancy (e.g., the ASCII workflow diagram duplicates information in the detailed steps). Some sections like 'Inputs' and 'Outputs' tables could be tighter, and the performance targets section adds minimal value for Claude. | 2 / 3 |
| Actionability | Provides clear skill invocation patterns and routing logic, but lacks executable code examples. The workflow relies on invoking other skills (e.g., `/deep-dive-ioc`) without showing actual API calls or concrete command syntax beyond one SOAR call example. | 2 / 3 |
| Workflow Clarity | Excellent multi-step workflow with clear phases, explicit routing logic based on alert type, decision points with criteria tables, and error handling with fallback strategies. The workflow diagram and detailed steps provide unambiguous sequencing. | 3 / 3 |
| Progressive Disclosure | Content is well-structured with clear phases and tables, but everything is inline in one file. References to other skills (e.g., `/deep-dive-ioc`, `/correlate-ioc`) are mentioned but not linked to documentation. A complex workflow like this could benefit from separating detailed phase documentation. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |