Hunt for a specific APT/threat actor in your environment. Use when you have a threat actor name or GTI collection ID and want to search for their TTPs and IOCs. Gathers intelligence from GTI, searches SIEM for IOCs and TTP-based indicators, and documents findings.
Overall score: 96% (does it follow best practices?)
Impact: Pending; no eval scenarios have been run
Status: Passed; no known issues
Quality
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines its purpose (threat actor hunting), specifies concrete actions (gathering GTI intelligence, SIEM searches, documentation), and provides explicit trigger conditions (threat actor name or GTI collection ID). The domain-specific terminology is appropriate for the security analyst audience and creates clear distinctiveness from other potential skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'Hunt for a specific APT/threat actor', 'Gathers intelligence from GTI', 'searches SIEM for IOCs and TTP-based indicators', and 'documents findings'. These are clear, actionable capabilities. | 3 / 3 |
| Completeness | Clearly answers both what ('Hunt for APT/threat actor', 'Gathers intelligence', 'searches SIEM', 'documents findings') and when ('Use when you have a threat actor name or GTI collection ID and want to search for their TTPs and IOCs'). | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'APT', 'threat actor', 'GTI collection ID', 'TTPs', 'IOCs', 'SIEM', 'threat intelligence'. These are domain-appropriate terms security analysts would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche: APT/threat actor hunting with specific GTI and SIEM integration. The combination of threat actor focus, GTI collection IDs, and TTP/IOC searching creates a unique, non-conflicting scope. | 3 / 3 |
| Total | | 12 / 12 (Passed) |
Implementation: 92%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a high-quality threat hunting skill with excellent actionability and workflow clarity. The step-by-step process is well-sequenced with concrete tool calls, decision points, and documentation requirements. Minor improvement needed in signaling dependencies on other skills/commands.
Suggestions
Add brief inline notes or a 'Related Skills' section explaining where `/find-relevant-case`, `/document-in-case`, and `/generate-report` are located or how to invoke them
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is lean and efficient, assuming Claude's competence with security concepts. No unnecessary explanations of what APTs are, how SIEM works, or basic threat hunting concepts. Every section serves a clear purpose. | 3 / 3 |
| Actionability | Provides specific, executable tool calls with exact function names and parameters. Each step has concrete commands like `gti-mcp.get_collection_report(id=THREAT_ACTOR_ID)` that are copy-paste ready with clear parameter substitution. | 3 / 3 |
| Workflow Clarity | Clear 8-step sequence with logical progression from intelligence gathering through escalation. Includes decision points (Step 8: confirmed vs not found), conditional steps (Step 5: 'If hits found'), and explicit documentation requirements throughout. | 3 / 3 |
| Progressive Disclosure | Well-organized with clear sections and tables, but references other skills (`/find-relevant-case`, `/document-in-case`, `/generate-report`) without explaining where they are or how to access them. The skill is self-contained but could better signal these dependencies. | 2 / 3 |
| Total | | 11 / 12 (Passed) |
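The hunting loop the Implementation review describes (normalize the actor's IOCs, render per-type SIEM searches, scan telemetry, decide confirmed vs not found) as an added Python example. This is not the skill's own code and calls no GTI or SIEM API: the IOC set shape, the field names, the query syntax and the log lines are all constructed assumptions, chosen only to show where normalization matters (mixed-case domains with trailing dots, IOC types the hunt does not search).

```python
"""Illustrative threat-actor hunt over an IOC set and sample logs.

Added example, not the skill's code. The GTI-style report shape, the SIEM
field names, the query syntax and the log lines are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed IOC set in a hypothetical shape; not real GTI output.
GTI_STYLE_IOCS = {
    "collection_id": "threat-actor--example",
    "iocs": [
        {"type": "ip", "value": "203.0.113.45"},               # TEST-NET-3 address
        {"type": "domain", "value": "update.example.invalid"},
        {"type": "sha256", "value": "a" * 64},
        {"type": "domain", "value": "Cdn.Example.INVALID."},   # needs normalizing
        {"type": "unknown", "value": "ignored"},               # type the hunt skips
    ],
    "ttps": ["T1071.001", "T1059.001"],
}

# Hypothetical UDM-like field names; adjust to the real SIEM schema.
FIELD_FOR_TYPE = {
    "ip": "target.ip",
    "domain": "network.dns.questions.name",
    "sha256": "target.process.file.sha256",
}

# Constructed key=value log lines, not real telemetry.
SAMPLE_LOGS = [
    "ts=2024-05-01T10:00:00Z host=ws01 event=dns query=UPDATE.example.invalid.",
    "ts=2024-05-01T10:00:05Z host=ws01 event=net dst=203.0.113.45 dport=443",
    "ts=2024-05-01T10:01:00Z host=ws02 event=proc sha256=" + "b" * 64 + " cmd=powershell.exe",
    "ts=2024-05-01T10:02:00Z host=ws03 event=net dst=198.51.100.7 dport=80",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
LOG_KEY_FOR_TYPE = {"ip": "dst", "domain": "query", "sha256": "sha256"}


def normalize_iocs(report):
    """Group IOC values by type: validate IPs, lowercase domains and strip a
    trailing dot, check hash length, and drop types the hunt does not search."""
    by_type = defaultdict(set)
    for ioc in report["iocs"]:
        kind, value = ioc["type"], ioc["value"].strip()
        if kind == "ip":
            try:
                by_type["ip"].add(str(ipaddress.ip_address(value)))
            except ValueError:
                continue  # malformed IP in the feed: skip rather than search garbage
        elif kind == "domain":
            by_type["domain"].add(value.lower().rstrip("."))
        elif kind == "sha256" and re.fullmatch(r"[0-9a-fA-F]{64}", value):
            by_type["sha256"].add(value.lower())
    return dict(by_type)


def build_queries(iocs_by_type):
    """Render one search expression per IOC type (illustrative syntax)."""
    queries = {}
    for kind, values in iocs_by_type.items():
        quoted = ", ".join(f'"{v}"' for v in sorted(values))
        queries[kind] = f"{FIELD_FOR_TYPE[kind]} IN ({quoted})"
    return queries


def hunt(iocs_by_type, log_lines):
    """Scan key=value log lines and return each IOC hit with its host."""
    hits = []
    for index, line in enumerate(log_lines):
        fields = dict(KV_RE.findall(line))
        for kind, key in LOG_KEY_FOR_TYPE.items():
            raw = fields.get(key)
            if raw is None:
                continue
            # Apply the same normalization to telemetry as to the IOC feed.
            value = raw.lower().rstrip(".") if kind == "domain" else raw.lower()
            if value in iocs_by_type.get(kind, ()):
                hits.append({"line": index, "type": kind, "value": value, "host": fields.get("host")})
    return hits


def verdict(hits):
    """Step-8 style decision: confirmed if any IOC matched, otherwise not found."""
    return "confirmed" if hits else "not_found"


if __name__ == "__main__":
    iocs = normalize_iocs(GTI_STYLE_IOCS)
    for kind, query in build_queries(iocs).items():
        print(kind, "->", query)
    found = hunt(iocs, SAMPLE_LOGS)
    print(verdict(found), found)
```

A real hunt would also pivot on the TTPs (the `ttps` list is carried but not searched here), and an IOC-only "not_found" verdict should not be read as absence of the actor; the skill's escalation step exists for exactly that reason.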
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 passed |
4d132c7