
hunt-ioc

Hunt for specific IOCs across your environment. Use when you have a list of IPs, domains, hashes, or URLs from threat intel and want to check if they appear in your SIEM. Systematic searching with enrichment and documentation.

81

Quality: 77% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Passed (No known issues)


Quality

Discovery

89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a solid skill description that clearly identifies its niche (IOC hunting in SIEM), provides explicit trigger guidance with natural keywords security analysts would use, and answers both what and when. The main weakness is that the specific capabilities could be more granular—'systematic searching with enrichment and documentation' is somewhat vague compared to listing concrete actions like building queries, correlating findings, or generating reports.

Suggestions

Replace 'Systematic searching with enrichment and documentation' with more specific actions, e.g., 'Builds SIEM queries for each indicator, enriches matches with context, and generates a findings report.'

Dimension / Reasoning / Score

Specificity (2 / 3): The description names the domain (IOC hunting in SIEM) and mentions some actions like 'systematic searching with enrichment and documentation,' but doesn't list multiple specific concrete actions (e.g., query construction, alert creation, timeline correlation). The actions remain somewhat high-level.

Completeness (3 / 3): Clearly answers both 'what' (hunt for specific IOCs across your environment with enrichment and documentation) and 'when' (explicit 'Use when you have a list of IPs, domains, hashes, or URLs from threat intel and want to check if they appear in your SIEM').

Trigger Term Quality (3 / 3): Includes strong natural trigger terms users would actually say: 'IOCs', 'IPs', 'domains', 'hashes', 'URLs', 'threat intel', 'SIEM'. These cover the common variations a security analyst would use when requesting this type of work.

Distinctiveness / Conflict Risk (3 / 3): The description carves out a clear niche: IOC hunting in SIEM environments using specific indicator types from threat intelligence. This is distinct enough to avoid conflicts with general security skills, log analysis, or broader threat hunting skills.

Total: 11 / 12 (Passed)

Implementation

64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a solid, actionable IOC hunting skill with concrete query templates and clear tool invocations that make it immediately usable. Its main weaknesses are the lack of validation/error-handling checkpoints in the workflow (what if a search times out? what if IOC format validation fails?) and some verbosity in sections that describe analysis steps Claude already understands. The critical requirements section at the end is a good guardrail addition.

Suggestions

Add explicit error handling and feedback loops: what to do if a search returns an error, times out, or returns too many results (e.g., retry with narrower timeframe, refine query).

Trim Step 4 analysis guidance — Claude already knows how to identify affected hosts and assess suspicious activity; replace with specific criteria or thresholds that are unique to this workflow.

Add a validation checkpoint between Step 3 and Step 5 to confirm all IOCs were searched before proceeding to enrichment (e.g., 'Verify search count matches IOC count before continuing').

Dimension / Reasoning / Score

Conciseness (2 / 3): The skill is reasonably efficient but includes some unnecessary structure like the verbose inputs section and the output summary template that could be tightened. Some sections like Step 4 describe analysis steps Claude already knows how to do (identify affected hosts, assess if suspicious).

Actionability (3 / 3): Provides concrete UDM query templates for each IOC type, specific MCP tool calls with parameters, and clear examples. The queries are copy-paste ready with placeholder substitution, and tool invocations are explicit.

Workflow Clarity (2 / 3): Steps are clearly sequenced and logically ordered, but validation checkpoints are mostly missing. Step 1 mentions 'validate IOC formats' but provides no error handling or feedback loop. There's no explicit checkpoint between searching and enriching, and no guidance on what to do if searches fail or return errors.

Progressive Disclosure (2 / 3): The content is all inline in a single file, which is borderline acceptable for this length (~100 lines). References to other skills (/enrich-ioc, /document-in-case) are mentioned, but the output template and detailed query examples could potentially be split out. The structure is reasonable, but the file is getting long enough that separation would help.

Total: 9 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata (Warning)

Total: 10 / 11 (Passed)

Repository: dandye/ai-runbooks (Reviewed)
