Hunt for specific IOCs across your environment. Use when you have a list of IPs, domains, hashes, or URLs from threat intel and want to check if they appear in your SIEM. Systematic searching with enrichment and documentation.
Discovery — 89%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description with excellent trigger terms and completeness. It clearly defines when to use the skill with specific IOC types and the SIEM context. The main weakness is that the specific capabilities could be more concrete - 'systematic searching with enrichment and documentation' is somewhat vague compared to listing specific actions.
Suggestions
Replace 'Systematic searching with enrichment and documentation' with specific actions like 'queries SIEM logs, correlates findings across data sources, enriches matches with threat context, and documents results'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (IOC hunting, SIEM) and mentions actions like 'systematic searching with enrichment and documentation', but doesn't list multiple concrete specific actions like 'query logs', 'correlate events', or 'generate reports'. | 2 / 3 |
| Completeness | Clearly answers both what ('Hunt for specific IOCs across your environment') and when ('Use when you have a list of IPs, domains, hashes, or URLs from threat intel and want to check if they appear in your SIEM') with explicit trigger guidance. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'IOCs', 'IPs', 'domains', 'hashes', 'URLs', 'threat intel', 'SIEM'. These are exactly the terms security analysts would use when needing this skill. | 3 / 3 |
| Distinctiveness / Conflict Risk | Very clear niche focused on IOC hunting in SIEM environments with specific artifact types (IPs, domains, hashes, URLs). Unlikely to conflict with general security or data analysis skills due to the specific threat intel context. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation — 92%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a high-quality skill with excellent actionability and workflow clarity. It provides concrete UDM query templates, specific tool calls, and a well-sequenced multi-step process with appropriate validation and escalation paths. Minor improvement could be made in signaling cross-references to related skills more explicitly.
Suggestions
Add explicit links or clearer navigation to referenced skills like /enrich-ioc and /document-in-case (e.g., 'See [ENRICH-IOC.md](./enrich-ioc.md) for detailed enrichment workflow')
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is lean and efficient, providing structured inputs, concrete query templates, and clear workflow steps without explaining basic concepts Claude already knows. Every section serves a purpose. | 3 / 3 |
| Actionability | Provides fully executable UDM query templates for each IOC type, specific MCP tool calls with parameters, and concrete output templates. Copy-paste ready for implementation. | 3 / 3 |
| Workflow Clarity | Clear 7-step sequence with explicit validation (Step 1), iterative processing (Step 3), enrichment checkpoints (Step 5), and decision points for escalation vs conclusion (Step 7). Includes a feedback loop for hits requiring enrichment. | 3 / 3 |
| Progressive Disclosure | Well-organized with clear sections, but references to other skills (/enrich-ioc, /document-in-case) are mentioned without clear navigation signals. The content is appropriately sized for a single file but could better signal the referenced skills. | 2 / 3 |
| Total | | 11 / 12 Passed |
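The review above describes the skill's workflow (validate the intel list, build a UDM query per IOC type, iterate the searches, enrich hits, then escalate or conclude) but does not reproduce the skill's own query templates or tool calls. The following is an added example, written for this review and not taken from the skill, that shows one way such a workflow looks in code. The UDM field paths (`principal.ip`, `target.ip`, `network.dns.questions.name`, `target.file.sha256`, `target.url`, and so on) are assumptions to be checked against your own tenant's schema, the events are constructed stand-ins for SIEM search results with field paths flattened to dotted keys, and every function name is hypothetical.

```python
"""Hypothetical IOC hunt helper (an added example, not the reviewed skill's own code).

Mirrors the workflow the review describes: validate the intel list (step 1),
build one UDM search per IOC and run it (step 3), flag hits for enrichment
(step 5), and decide between escalation and conclusion (step 7). The SIEM is
stood in for by a constructed list of UDM-style events flattened to dotted
field paths; the UDM field names are assumptions to verify against your schema.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Assumed UDM field paths searched for each IOC type (verify in your tenant).
UDM_FIELDS = {
    "ip": ["principal.ip", "target.ip"],
    "domain": ["network.dns.questions.name", "target.hostname"],
    "md5": ["target.file.md5", "target.process.file.md5"],
    "sha1": ["target.file.sha1", "target.process.file.sha1"],
    "sha256": ["target.file.sha256", "target.process.file.sha256"],
    "url": ["target.url"],
}
HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def classify_ioc(raw):
    """Step 1: normalise one indicator and decide its type.

    Accepts de-fanged forms ("203[.]0[.]113[.]9", "hxxps://...") because intel
    feeds commonly ship them. Returns (kind, value), or (None, raw) for input
    that must not be pasted into a query.
    """
    value = raw.strip().replace("[.]", ".").replace("hxxp", "http")
    try:
        ipaddress.ip_address(value)
        return "ip", value
    except ValueError:
        pass
    if HEX_RE.match(value) and len(value) in HASH_KINDS:
        return HASH_KINDS[len(value)], value.lower()
    if "://" in value:
        parts = urlparse(value)
        if parts.scheme in ("http", "https") and parts.netloc:
            return "url", value
    if DOMAIN_RE.match(value):
        return "domain", value.lower()
    return None, raw


def build_udm_query(kind, value):
    """Render the UDM search for one IOC, escaping the value so a crafted
    indicator from an untrusted feed cannot alter the query's structure."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return " OR ".join(f'{field} = "{escaped}"' for field in UDM_FIELDS[kind])


def match_events(kind, value, events):
    """Stand-in for running the query: exact match on any field for that type."""
    return [e for e in events if any(e.get(f) == value for f in UDM_FIELDS[kind])]


def hunt(iocs, events):
    """Steps 1-7 over a whole intel list; returns a record ready for the case notes."""
    report = {"queries": {}, "hits": {}, "invalid": [], "needs_enrichment": [], "verdict": ""}
    for raw in iocs:
        kind, value = classify_ioc(raw)
        if kind is None:
            report["invalid"].append(raw)  # never search junk; document it instead
            continue
        report["queries"][value] = build_udm_query(kind, value)
        matched = match_events(kind, value, events)
        if matched:
            report["hits"][value] = [
                {"ts": e["metadata.event_timestamp"], "host": e["principal.hostname"]}
                for e in matched
            ]
            report["needs_enrichment"].append(value)  # step 5: enrich before judging
    report["verdict"] = (
        "escalate: IOC matches found; enrich hits and open a case"
        if report["hits"] else "conclude: no IOC matches in the search window"
    )
    return report


# Constructed sample data: four UDM-style events and a small intel list.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
SAMPLE_EVENTS = [
    {"metadata.event_timestamp": "2024-05-01T10:02:11Z", "principal.hostname": "ws-17",
     "principal.ip": "10.0.0.5", "target.ip": "203.0.113.9"},
    {"metadata.event_timestamp": "2024-05-01T10:02:12Z", "principal.hostname": "ws-17",
     "network.dns.questions.name": "updates.example-bad.net"},
    {"metadata.event_timestamp": "2024-05-01T11:40:00Z", "principal.hostname": "srv-02",
     "target.file.sha256": "0" * 64},  # benign file, not on the intel list
    {"metadata.event_timestamp": "2024-05-01T12:00:00Z", "principal.hostname": "ws-03",
     "principal.ip": "10.0.0.7", "target.ip": "198.51.100.2"},
]
SAMPLE_IOCS = ["203[.]0[.]113[.]9", "updates.example-bad.net", EMPTY_SHA256.upper(),
               "hxxps://evil.example/payload.bin", "not an ioc"]

if __name__ == "__main__":
    import json
    print(json.dumps(hunt(SAMPLE_IOCS, SAMPLE_EVENTS), indent=2))
```

Two details carry the security point. Validation happens before anything is searched, so a malformed or de-fanged indicator is either normalised or recorded as invalid rather than silently producing an empty result, and the value is escaped before it is quoted into the query, which matters when the intel list comes from a source you do not control. In a real run, `match_events` would be replaced by the SIEM search call and each entry in `needs_enrichment` would feed the enrichment and case-documentation steps the review refers to.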
Validation — 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing them or moving them to metadata | Warning |
| Total | | 10 / 11 Passed |