hunt-credential-access
Hunt for credential access techniques like LSASS dumping or browser credential theft. Use when searching for evidence of credential harvesting. Takes MITRE technique IDs and searches for behavioral indicators in SIEM.
96
96%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Quality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that excels across all dimensions. It provides specific concrete actions (LSASS dumping, browser credential theft), includes natural trigger terms security professionals would use, explicitly states when to use it, and carves out a distinct niche in credential access hunting that won't conflict with broader security skills.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'LSASS dumping', 'browser credential theft', 'credential harvesting', and 'searches for behavioral indicators in SIEM'. Also specifies input type (MITRE technique IDs). | 3 / 3 |
Completeness | Clearly answers both what ('Hunt for credential access techniques like LSASS dumping or browser credential theft') and when ('Use when searching for evidence of credential harvesting'). Includes explicit trigger guidance. | 3 / 3 |
Trigger Term Quality | Includes strong natural keywords users would say: 'credential access', 'LSASS dumping', 'browser credential theft', 'credential harvesting', 'MITRE technique IDs', 'SIEM'. These are terms security analysts would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly specific niche focused on credential access hunting with distinct triggers (LSASS, browser credentials, MITRE IDs, SIEM). Unlikely to conflict with general security or other threat hunting skills due to specific credential focus. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
92%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a high-quality skill with excellent actionability and workflow clarity. The UDM queries are concrete and executable, the workflow has clear decision points and escalation paths, and the content respects Claude's intelligence. Minor improvement could come from better progressive disclosure by splitting the extensive query examples into a separate reference file.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is lean and efficient, providing technique tables, query examples, and workflow steps without explaining basic concepts Claude already knows. Every section serves a clear purpose with no padding. | 3 / 3 |
Actionability | Provides fully executable UDM queries, specific MCP tool calls with exact syntax, and concrete examples for each technique. The queries are copy-paste ready and cover multiple credential access scenarios. | 3 / 3 |
Workflow Clarity | Clear 7-step sequence with explicit validation points (Step 4 analysis criteria, Step 5 enrichment), decision branches for escalation vs conclusion, and feedback loops for detection gap documentation. | 3 / 3 |
Progressive Disclosure | Well-organized with clear sections and tables, but the content is somewhat monolithic. The technique queries section could be split into a separate reference file, and cross-references to other skills (like /respond-compromised-account) are mentioned but not linked. | 2 / 3 |
Total | 11 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- dandye/ai-runbooks
- Commit
4d132c7
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.