full-triage-alert
Complete Tier 1 triage workflow. Orchestrates the full alert triage process: check-duplicates, triage-alert, enrich-ioc for each entity, and either close (FP/BTP) or escalate (TP/Suspicious). Use for end-to-end alert processing.
84
81%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Quality
Discovery
85%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong description that clearly articulates a specific orchestration workflow with concrete steps and outcomes. Its main weakness is that the trigger terms lean heavily on SOC jargon (FP, BTP, TP, IOC) which may not match how all users phrase their requests. The 'Use for end-to-end alert processing' clause is present but could benefit from additional natural-language trigger phrases.
Suggestions
Expand trigger terms to include more natural user phrases such as 'investigate security alert', 'SOC workflow', 'incident triage', or 'process security incident' to improve discoverability.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: check-duplicates, triage-alert, enrich-ioc for each entity, close (FP/BTP), or escalate (TP/Suspicious). These are clearly defined steps in a workflow. | 3 / 3 |
Completeness | Clearly answers 'what' (orchestrates full alert triage: check-duplicates, triage-alert, enrich-ioc, close or escalate) and 'when' ('Use for end-to-end alert processing'). The 'when' clause is present and explicit, though it could be more detailed with additional trigger scenarios. | 3 / 3 |
Trigger Term Quality | Includes some relevant terms like 'triage', 'alert', 'escalate', 'enrich-ioc', and 'Tier 1', but these are fairly domain-specific/jargon-heavy. Missing more natural user phrases like 'investigate alert', 'handle security alert', 'SOC workflow', or 'incident response'. | 2 / 3 |
Distinctiveness Conflict Risk | Highly distinctive as it describes a specific orchestration workflow (Tier 1 triage) that combines multiple sub-skills. The mention of specific sub-steps (check-duplicates, triage-alert, enrich-ioc) and outcomes (FP/BTP/TP/Suspicious) clearly distinguishes it from individual component skills. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
77%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured orchestration skill with strong actionability and workflow clarity—each phase has concrete invocations, clear decision criteria, and error handling. The main weaknesses are moderate verbosity (the large ASCII diagram duplicates the detailed steps) and the monolithic structure that could benefit from splitting some content into referenced sub-documents. Overall it serves its purpose as a composite workflow guide effectively.
Suggestions
Consider removing or significantly shrinking the ASCII diagram since the detailed steps section already provides the same information more precisely.
Split detailed disposition logic or the classification criteria table into a referenced file to reduce the main skill's length and improve progressive disclosure.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The ASCII diagram, while visually helpful, is quite large and largely duplicates the detailed steps that follow. The 'Inputs' section and some descriptions are lean, but the overall content could be tightened—the diagram and detailed steps together are redundant. Performance targets and some output descriptions add marginal value. | 2 / 3 |
Actionability | The skill provides concrete, specific invocations (e.g., `/check-duplicates CASE_ID=$CASE_ID`), clear decision criteria in a table, specific parameters to extract, and explicit disposition actions. Each step tells Claude exactly what to invoke and what to do with the results. | 3 / 3 |
Workflow Clarity | The workflow is clearly sequenced across 5 phases with explicit decision points, branching logic (duplicate vs not, FP/BTP vs TP/Suspicious), and error handling for each sub-step. The classification table provides clear criteria, and the error handling section addresses failure modes with fallback behavior. | 3 / 3 |
Progressive Disclosure | The skill references sub-skills (e.g., `/check-duplicates`, `/triage-alert`, `/enrich-ioc`) which provides some progressive disclosure, but all content is inline in a single monolithic file. The detailed steps section is quite long and could benefit from splitting enrichment details or disposition logic into referenced files. | 2 / 3 |
Total | 10 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- dandye/ai-runbooks
- Commit
086cbf6
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.