full-triage-alert
Complete Tier 1 triage workflow. Orchestrates the full alert triage process: check-duplicates, triage-alert, enrich-ioc for each entity, and either close (FP/BTP) or escalate (TP/Suspicious). Use for end-to-end alert processing.
Install with Tessl CLI
npx tessl i github:dandye/ai-runbooks --skill full-triage-alert83
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skillValidation for skill structure
Discovery
85%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly articulates a specific security operations workflow with concrete actions and explicit usage guidance. The main weakness is the heavy use of technical acronyms (FP/BTP/TP/IOC) which may not match natural user language, though these are standard SOC terminology that target users would recognize.
Suggestions
Expand trigger terms to include more natural language variations like 'security alert', 'incident triage', 'SOC workflow', or 'analyze alert'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'check-duplicates, triage-alert, enrich-ioc for each entity, and either close (FP/BTP) or escalate (TP/Suspicious)'. These are concrete workflow steps with specific outcomes. | 3 / 3 |
Completeness | Clearly answers both what ('Orchestrates the full alert triage process: check-duplicates, triage-alert, enrich-ioc...') and when ('Use for end-to-end alert processing'). Has explicit trigger guidance. | 3 / 3 |
Trigger Term Quality | Includes some relevant terms like 'alert triage', 'Tier 1', 'alert processing', but uses technical jargon (FP/BTP/TP) that users might not naturally say. Missing common variations like 'security alert', 'incident', 'SOC workflow'. | 2 / 3 |
Distinctiveness Conflict Risk | Very specific niche targeting Tier 1 SOC triage workflows with distinct terminology (FP/BTP/TP, enrich-ioc). Unlikely to conflict with other skills due to specialized security operations context. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
77%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured orchestration skill with excellent workflow clarity and actionability. The multi-phase approach with explicit decision criteria and error handling demonstrates strong operational design. However, the content is somewhat verbose with the ASCII diagram duplicating the detailed steps, and the monolithic structure could benefit from progressive disclosure to separate files.
Suggestions
Remove or significantly simplify the ASCII workflow diagram since the detailed steps section provides the same information more actionably
Consider linking to documentation for referenced skills like `/triage-malware` and `/deep-dive-ioc` rather than just mentioning them
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The content is reasonably efficient but includes some redundancy - the ASCII workflow diagram duplicates information that's then repeated in the detailed steps. The tables and structured format are good, but the overall document could be tightened. | 2 / 3 |
Actionability | Provides concrete, executable guidance with specific skill invocations (e.g., `/check-duplicates CASE_ID=$CASE_ID`), clear parameter passing, and explicit decision criteria in table format. Each step has specific commands to invoke. | 3 / 3 |
Workflow Clarity | Excellent multi-step workflow with clear phases, explicit decision points, and conditional branching. Includes error handling section with fallback behaviors for each failure mode. The classification criteria table provides clear validation checkpoints. | 3 / 3 |
Progressive Disclosure | Content is well-structured with clear sections and phases, but everything is inline in one file. References to other skills (e.g., `/triage-malware`, `/deep-dive-ioc`) are mentioned but not linked to documentation. Could benefit from separating the detailed steps into referenced files. | 2 / 3 |
Total | 10 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.