Complete Tier 2 investigation workflow. Orchestrates deep investigation of escalated cases: deep-dive-ioc, correlate-ioc, specialized triage (malware/login), pivot-on-ioc, and generate comprehensive report. Use for escalated cases requiring thorough analysis.
78
73%
Does it follow best practices?
- Impact: Pending (no eval scenarios have been run)
- Passed: No known issues
Optimize this skill with Tessl
`npx tessl skill review --optimize ./skills/_workflows/full-investigation/SKILL.md`

Quality
Discovery
85%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a solid skill description that clearly defines its scope as a Tier 2 investigation orchestration workflow with specific named sub-tasks. It includes an explicit 'Use for...' trigger clause and is highly distinctive. The main weakness is that trigger terms lean heavily on internal jargon (IOC, Tier 2) rather than natural language a user might employ when requesting this type of analysis.
Suggestions
Add more natural-language trigger terms that users might say, such as 'investigate alert', 'security incident deep dive', 'threat analysis', or 'escalated security alert'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: deep-dive-ioc, correlate-ioc, specialized triage (malware/login), pivot-on-ioc, and generate comprehensive report. These are distinct, named workflow steps. | 3 / 3 |
| Completeness | Clearly answers both what ('Orchestrates deep investigation of escalated cases: deep-dive-ioc, correlate-ioc, specialized triage, pivot-on-ioc, and generate comprehensive report') and when ('Use for escalated cases requiring thorough analysis'). The 'Use for...' clause is present and explicit. | 3 / 3 |
| Trigger Term Quality | Includes some relevant terms like 'escalated cases', 'investigation', 'Tier 2', 'IOC', 'malware', 'triage', but these are fairly technical/jargon-heavy. Missing natural user phrases like 'investigate alert', 'deep analysis', 'security incident', or 'threat investigation'. | 2 / 3 |
| Distinctiveness / Conflict Risk | Very clearly scoped to Tier 2 investigation workflows with specific IOC-related steps. The 'Tier 2' designation and the specific sub-tasks (deep-dive-ioc, correlate-ioc, pivot-on-ioc) make it highly distinguishable from other security or investigation skills. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation
62%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured orchestration skill with clear phasing, decision routing, and error handling that makes the complex investigation workflow easy to follow. However, it is somewhat verbose for a composite/orchestration skill—much of the detail about what each sub-skill collects could be left to those sub-skills' own documentation. The actionability is moderate since it relies on skill invocations and pseudocode rather than executable commands, though this is partially justified by the orchestration nature of the skill.
Suggestions
Trim the ASCII diagram or replace it with a compact bulleted flow; the diagram alone consumes roughly 40 lines of tokens for information that is repeated in the Detailed Steps section.
Remove or significantly condense the 'Collect' subsections under each step—the sub-skills should document their own outputs, and the orchestrator only needs to note what it passes forward.
Add a concrete example of a full invocation chain for one alert type (e.g., malware) showing actual parameter values and expected output snippets to improve actionability.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The large ASCII workflow diagram is visually helpful but consumes significant tokens. Some sections are verbose with information Claude could infer (e.g., explaining what IOCs to extract from cases, the performance targets section). The detailed steps are mostly necessary but could be tightened. | 2 / 3 |
| Actionability | The skill provides clear invocation patterns (e.g., `/deep-dive-ioc IOC_VALUE=$ioc CASE_ID=$CASE_ID`) and routing tables, but most 'code' is pseudocode or skill invocations rather than executable commands. The collect sections describe expected outputs but lack concrete examples of what the data looks like or how to parse/use it. | 2 / 3 |
| Workflow Clarity | The workflow is clearly sequenced across 6 phases with explicit routing logic, decision points, and error handling/fallback steps. The outcome assessment table provides clear criteria for each disposition, and the error handling section provides explicit fallback paths for failures. | 3 / 3 |
| Progressive Disclosure | The skill references many sub-skills (deep-dive-ioc, correlate-ioc, triage-malware, etc.), which is good delegation, but the SKILL.md itself is quite long (200+ lines of detailed content) with no references to external documentation files. Some of the specialized analysis details could be deferred to the sub-skill documentation. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation
90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
086cbf6