hunt-ioc

Hunt for specific IOCs across your environment. Use when you have a list of IPs, domains, hashes, or URLs from threat intel and want to check if they appear in your SIEM. Systematic searching with enrichment and documentation.

Quality

77%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Passed

No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/hunt-ioc/SKILL.md

Quality

Content

64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a solid, actionable IOC hunting skill with concrete query templates and clear tool invocations that make it immediately usable. Its main weaknesses are the lack of validation/error-handling checkpoints in the workflow (what if a search times out? what if IOC format validation fails?) and some verbosity in sections that describe analysis steps Claude already understands. The critical requirements section at the end is a good guardrail addition.

Suggestions

Add explicit error handling and feedback loops: what to do if a search returns an error, times out, or returns too many results (e.g., retry with narrower timeframe, refine query).

Trim Step 4 analysis guidance — Claude already knows how to identify affected hosts and assess suspicious activity; replace with specific criteria or thresholds that are unique to this workflow.

Add a validation checkpoint between Step 3 and Step 5 to confirm all IOCs were searched before proceeding to enrichment (e.g., 'Verify search count matches IOC count before continuing').

Dimension	Reasoning	Score
Conciseness	The skill is reasonably efficient but includes some unnecessary structure like the verbose inputs section and the output summary template that could be tightened. Some sections like Step 4 describe analysis steps Claude already knows how to do (identify affected hosts, assess if suspicious).	2 / 3
Actionability	Provides concrete UDM query templates for each IOC type, specific MCP tool calls with parameters, and clear examples. The queries are copy-paste ready with placeholder substitution, and tool invocations are explicit.	3 / 3
Workflow Clarity	Steps are clearly sequenced and logically ordered, but validation checkpoints are mostly missing. Step 1 mentions 'validate IOC formats' but provides no error handling or feedback loop. There's no explicit checkpoint between searching and enriching, and no guidance on what to do if searches fail or return errors.	2 / 3
Progressive Disclosure	The content is all inline in a single file, which is borderline acceptable for this length (~100 lines). References to other skills (/enrich-ioc, /document-in-case) are mentioned but the output template and detailed query examples could potentially be split out. The structure is reasonable but the file is getting long enough that separation would help.	2 / 3
	Total	9 / 12 Passed

Description

89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a solid skill description that clearly identifies its niche (IOC hunting in SIEM), provides explicit trigger guidance with natural keywords security analysts would use, and answers both what and when. The main weakness is that the specific capabilities could be more granular—'systematic searching with enrichment and documentation' is somewhat vague compared to listing concrete actions like building queries, correlating findings, or generating reports.

Suggestions

Replace 'Systematic searching with enrichment and documentation' with more specific actions, e.g., 'Builds SIEM queries for each indicator, enriches matches with context, and generates a findings report.'

Dimension	Reasoning	Score
Specificity	The description names the domain (IOC hunting in SIEM) and mentions some actions like 'systematic searching with enrichment and documentation,' but doesn't list multiple specific concrete actions (e.g., query construction, alert creation, timeline correlation). The actions remain somewhat high-level.	2 / 3
Completeness	Clearly answers both 'what' (hunt for specific IOCs across your environment with enrichment and documentation) and 'when' (explicit 'Use when you have a list of IPs, domains, hashes, or URLs from threat intel and want to check if they appear in your SIEM').	3 / 3
Trigger Term Quality	Includes strong natural trigger terms users would actually say: 'IOCs', 'IPs', 'domains', 'hashes', 'URLs', 'threat intel', 'SIEM'. These cover the common variations a security analyst would use when requesting this type of work.	3 / 3
Distinctiveness Conflict Risk	The description carves out a clear niche: IOC hunting in SIEM environments using specific indicator types from threat intelligence. This is distinct enough to avoid conflicts with general security skills, log analysis, or broader threat hunting skills.	3 / 3
	Total	11 / 12 Passed

Validation

90%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed

Validation for skill structure

Criteria	Description	Result
frontmatter_unknown_keys	Unknown frontmatter key(s) found; consider removing or moving to metadata	Warning

	Total	10 / 11 Passed

Repository: dandye/ai-runbooks
Commit: 086cbf6

Reviewed: 2 months ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.