full-investigation
Complete Tier 2 investigation workflow. Orchestrates deep investigation of escalated cases: deep-dive-ioc, correlate-ioc, specialized triage (malware/login), pivot-on-ioc, and generate comprehensive report. Use for escalated cases requiring thorough analysis.
78
73%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/_workflows/full-investigation/SKILL.mdQuality
Discovery
85%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-structured skill description that clearly defines its purpose and when to use it. The description excels at specificity and completeness with explicit workflow steps and trigger conditions. The main weakness is trigger term quality, as it relies heavily on technical jargon (IOC, pivot-on-ioc) that may not match natural user language.
Suggestions
Expand trigger terms to include more natural language variations like 'security incident', 'threat investigation', 'indicator of compromise', or 'suspicious activity analysis'
Consider spelling out 'IOC' as 'indicator of compromise (IOC)' at least once to improve discoverability for users unfamiliar with the acronym
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'deep-dive-ioc', 'correlate-ioc', 'specialized triage (malware/login)', 'pivot-on-ioc', and 'generate comprehensive report'. These are specific workflow steps in a security investigation context. | 3 / 3 |
Completeness | Clearly answers both what ('Orchestrates deep investigation of escalated cases' with specific steps) and when ('Use for escalated cases requiring thorough analysis'). Has explicit 'Use for...' trigger guidance. | 3 / 3 |
Trigger Term Quality | Includes some relevant terms like 'Tier 2', 'escalated cases', 'investigation', 'IOC', 'malware', 'login', but uses technical jargon (IOC, pivot-on-ioc) that users might not naturally say. Missing common variations like 'security incident', 'threat analysis', 'indicator of compromise'. | 2 / 3 |
Distinctiveness Conflict Risk | Very specific niche: 'Tier 2 investigation workflow' with distinct security-focused triggers. The combination of 'escalated cases', 'Tier 2', and specific IOC-related actions makes it clearly distinguishable from other skills. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
62%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured orchestration skill with excellent workflow clarity and decision routing. However, it's verbose for a skill document, includes redundant explanations between the diagram and detailed steps, and lacks truly executable code examples. The skill would benefit from tighter prose and actual command syntax rather than pseudocode invocations.
Suggestions
Replace pseudocode 'Invoke:' syntax with actual executable commands or tool calls that Claude can copy-paste
Remove redundant explanations between the ASCII workflow diagram and the detailed steps - choose one primary representation
Consider splitting detailed phase content into separate files (e.g., PHASE1_DEEP_ANALYSIS.md) with SKILL.md serving as a concise overview with links
Add a concrete example showing actual IOC values flowing through at least one complete path of the workflow
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is reasonably efficient but includes some redundant explanations (e.g., describing what each phase does when the workflow diagram already shows it). The ASCII diagram, while helpful, adds significant token overhead that could be trimmed. | 2 / 3 |
Actionability | Provides clear skill invocations and routing logic, but lacks executable code examples. The 'Invoke:' syntax is pseudocode-like rather than actual commands. Step 1.0 shows an API call but most steps describe actions abstractly rather than providing copy-paste ready commands. | 2 / 3 |
Workflow Clarity | Excellent multi-step workflow with clear phases, explicit decision points, routing tables, and error handling section. The workflow diagram combined with detailed steps provides unambiguous sequencing. Includes fallback procedures for failures. | 3 / 3 |
Progressive Disclosure | Content is well-structured with clear sections and phases, but everything is inline in one large document. References to other skills (e.g., /deep-dive-ioc, /correlate-ioc) exist but no links to separate documentation files. Could benefit from splitting detailed phase content into separate files. | 2 / 3 |
Total | 9 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- dandye/ai-runbooks
- Commit
4d132c7
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.