Content (50%)
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a competent threat hunting skill with a clear workflow structure, concrete tool references, and useful example queries. Its main weaknesses are the lack of validation checkpoints in a complex iterative process, some pseudocode placeholders instead of fully executable examples, and a monolithic structure that could benefit from splitting reference material into separate files. The content is moderately concise but includes some sections that could be tightened.
Suggestions
Add explicit validation checkpoints: verify query results are non-empty before proceeding, validate IOC format before enrichment, and confirm case documentation before escalation.
Replace pseudocode placeholders like `gti-mcp.get_..._report(identifier=LEAD)` with concrete, copy-paste-ready examples using realistic sample values.
Split the example hunt queries and hypothesis templates into a separate HUNT_REFERENCE.md file, keeping SKILL.md as a concise workflow overview with links.
Add error handling guidance for common failure modes (e.g., query timeouts, empty result sets, API rate limits) to support the iterative hunt loop.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is moderately efficient but includes some unnecessary verbosity. The 'Key questions at each iteration' section and the detailed input examples add bulk that a Tier 3 analyst (or Claude acting as one) wouldn't need. The hypothesis templates section is somewhat redundant given the examples already provided in inputs. However, most content is relevant and not explaining basic concepts. | 2 / 3 |
| Actionability | The skill provides concrete tool calls (gti-mcp, secops-mcp, bigquery) and example UDM queries, which is good. However, many commands use placeholder/pseudocode patterns like `gti-mcp.get_..._report(identifier=LEAD)` and `bigquery.execute-query(query="Complex analytical query")` rather than fully executable examples. The hunt loop in Step 4 is procedural guidance rather than concrete executable steps. | 2 / 3 |
| Workflow Clarity | The 8-step workflow is clearly sequenced and the iterative hunt loop in Step 4 is well-structured. However, there are no explicit validation checkpoints — no verification that queries return valid results, no checks before escalation, and no error handling for failed queries or API calls. For a complex multi-step process involving iterative searching and potential incident escalation, the lack of validation gates is a notable gap. | 2 / 3 |
| Progressive Disclosure | The content is well-organized with clear section headers and a logical flow from inputs through workflow to outputs. However, it's a long monolithic document (~150 lines of substantive content) that could benefit from splitting detailed query examples, hypothesis templates, and the enrichment reference into separate files. References to `/document-in-case` and `/generate-report` are mentioned but not linked to documentation. | 2 / 3 |
| Total | | 8 / 12 (Passed) |