full-triage-alert
Complete Tier 1 triage workflow. Orchestrates the full alert triage process: check-duplicates, triage-alert, enrich-ioc for each entity, and either close (FP/BTP) or escalate (TP/Suspicious). Use for end-to-end alert processing.
84
81%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Quality
Discovery
85%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly articulates a specific security operations workflow with concrete actions and explicit usage guidance. The main weakness is reliance on technical jargon (FP, BTP, TP, IOC) that may not match how all users naturally phrase requests, though this is appropriate for a specialized security domain skill.
Suggestions
Add natural language trigger variations like 'investigate alert', 'handle security incident', or 'process new alert' to improve discoverability for users who may not use acronyms
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'check-duplicates, triage-alert, enrich-ioc for each entity, and either close (FP/BTP) or escalate (TP/Suspicious)'. These are concrete workflow steps with specific outcomes. | 3 / 3 |
Completeness | Clearly answers both what ('Orchestrates the full alert triage process: check-duplicates, triage-alert, enrich-ioc...') and when ('Use for end-to-end alert processing'). The 'Use for' clause provides explicit trigger guidance. | 3 / 3 |
Trigger Term Quality | Includes domain-specific terms like 'triage', 'alert', 'IOC', 'FP/BTP', 'TP', 'escalate' but these are technical jargon. Missing natural user phrases like 'investigate alert', 'handle security alert', 'process incident'. The term 'end-to-end alert processing' helps but coverage is incomplete. | 2 / 3 |
Distinctiveness Conflict Risk | Highly distinctive with specific security operations terminology (Tier 1 triage, FP/BTP/TP classifications, IOC enrichment). Clear niche in security alert orchestration that wouldn't conflict with general document or code skills. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
77%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured orchestration skill with excellent workflow clarity and actionability. The multi-phase approach with explicit decision criteria and error handling demonstrates strong design. The main weakness is moderate verbosity - the ASCII diagram, while visually helpful, duplicates the detailed steps section, and some content could be more concise.
Suggestions
Consider removing or significantly simplifying the ASCII workflow diagram since the detailed steps section provides the same information more precisely
Add explicit links to referenced sub-skills (e.g., `/triage-malware`, `/deep-dive-ioc`) or note where their documentation can be found
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The content is reasonably efficient but includes some redundancy - the ASCII workflow diagram duplicates information that's then repeated in the detailed steps. The tables and structured format are good, but the overall length could be tightened. | 2 / 3 |
Actionability | Provides concrete, executable guidance with specific skill invocations (e.g., `/check-duplicates CASE_ID=$CASE_ID`), clear decision tables with criteria and actions, and explicit parameters to extract and pass between steps. | 3 / 3 |
Workflow Clarity | Excellent multi-step workflow with clear phases, explicit decision points, and proper error handling section. The workflow diagram plus detailed steps provide unambiguous sequencing with clear branching logic for different classifications. | 3 / 3 |
Progressive Disclosure | Content is well-structured with clear sections and phases, but everything is inline in one file. References to sub-skills like `/triage-malware` and `/deep-dive-ioc` are mentioned but not linked. For a composite orchestration skill, this is acceptable but could benefit from clearer navigation to referenced skills. | 2 / 3 |
Total | 10 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- dandye/ai-runbooks
- Commit
4d132c7
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.