Conduct proactive, hypothesis-driven threat hunting. Use when performing advanced hunting based on threat intelligence, TTPs, or anomalies. For Tier 3 analysts or dedicated threat hunters. Supports iterative search, pivoting, and comprehensive documentation.
Score: 75
Best practices: 70% (Does it follow best practices?)
Impact: Pending. No eval scenarios have been run.
Known issues: Passed. No known issues.

Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/hunt-threat/SKILL.md`

Quality

Discovery: 75%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description effectively communicates when to use the skill with explicit trigger conditions and targets a clear audience (Tier 3 analysts, threat hunters). However, it could benefit from more concrete action verbs describing specific capabilities and additional natural trigger terms that users might employ when requesting threat hunting assistance.
Suggestions

- Add specific concrete actions like 'analyze logs for behavioral anomalies', 'correlate indicators of compromise', 'map findings to MITRE ATT&CK framework' to improve specificity.
- Expand trigger terms to include common variations users might say: 'IOC', 'indicators of compromise', 'MITRE ATT&CK', 'adversary techniques', 'suspicious patterns', 'hunt for threats'.

| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (threat hunting) and mentions some actions like 'iterative search, pivoting, and comprehensive documentation', but lacks concrete specific actions like 'analyze network logs', 'correlate IOCs', or 'map to MITRE ATT&CK framework'. | 2 / 3 |
| Completeness | Clearly answers both what ('conduct proactive, hypothesis-driven threat hunting', 'supports iterative search, pivoting, documentation') and when ('Use when performing advanced hunting based on threat intelligence, TTPs, or anomalies') with explicit trigger guidance. | 3 / 3 |
| Trigger Term Quality | Includes relevant terms like 'threat hunting', 'TTPs', 'threat intelligence', and 'anomalies', but is missing common user variations like 'hunt for threats', 'IOC', 'indicators of compromise', 'MITRE', 'adversary behavior', or 'suspicious activity'. | 2 / 3 |
| Distinctiveness / Conflict Risk | Clear niche targeting Tier 3 analysts and dedicated threat hunters with a specific focus on hypothesis-driven hunting, TTPs, and threat intelligence, distinct from general security monitoring or incident response skills. | 3 / 3 |
| Total | | 10 / 12 Passed |
Implementation: 64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid threat hunting skill with excellent actionability through concrete MCP tool calls and executable UDM queries. The workflow is comprehensive but would benefit from explicit validation checkpoints before escalation actions. Some verbosity in explanatory sections could be trimmed to improve token efficiency.
Suggestions

- Add an explicit validation checkpoint before the Step 8 escalation (e.g., 'Verify findings with a secondary data source before confirming threat').
- Move the detailed example hunt queries to a separate HUNT_QUERIES.md reference file and link to it.
- Trim the 'Key questions at each iteration' section; Claude can infer these analytical questions.

| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is reasonably efficient but includes some unnecessary scaffolding like the verbose 'Key questions at each iteration' section and overly detailed input descriptions. The hypothesis templates and example queries add value, but some sections could be tightened. | 2 / 3 |
| Actionability | Provides concrete, executable MCP tool calls with proper syntax, specific UDM query examples that are copy-paste ready, and clear output requirements. The example hunt queries for DNS tunneling, PowerShell, and LOLBINS are fully actionable. | 3 / 3 |
| Workflow Clarity | The 8-step workflow is clearly sequenced with logical progression, but lacks explicit validation checkpoints. The 'Hunt Loop' in Step 4 describes iteration but doesn't specify when to stop or how to validate findings before escalation. Missing verification steps before escalating to incident response. | 2 / 3 |
| Progressive Disclosure | Content is well-organized with clear sections and tables, but everything is inline in a single file. References to '/document-in-case' and '/generate-report' suggest external skills exist but aren't clearly linked. The skill is ~150 lines and could benefit from splitting detailed query examples into a reference file. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed

Validation for skill structure

| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |