pivot-on-ioc

Explore GTI relationships for an IOC to discover related entities. Use to expand investigation by finding connected domains, IPs, files, or threat actors. Takes an IOC and relationship types to query.

82

Quality: 78%
Does it follow best practices?

Impact: Pending
No eval scenarios have been run

Security by Snyk: Passed
No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/pivot-on-ioc/SKILL.md

Quality

Discovery: 85%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a well-structured description that clearly communicates the skill's purpose and when to use it. It specifies concrete outputs (domains, IPs, files, threat actors) and inputs (IOC, relationship types). The main weakness is that trigger terms lean heavily on technical jargon (GTI, IOC) without including natural-language variations or expanded acronyms that users might use.

Suggestions

Expand acronyms at least once (e.g., 'Google Threat Intelligence', 'indicator of compromise') so the description matches queries from users who don't use abbreviations.

Add more natural trigger terms users might say, such as 'pivot on an indicator', 'find related infrastructure', or 'linked malware samples'.

Dimension / Reasoning / Score

Specificity: 3 / 3
Lists specific concrete actions: explore GTI relationships, discover related entities, expand investigation by finding connected domains, IPs, files, or threat actors. Also specifies inputs: an IOC and relationship types.

Completeness: 3 / 3
Clearly answers 'what' (explore GTI relationships for an IOC to discover related entities) and 'when' ('Use to expand investigation by finding connected domains, IPs, files, or threat actors'). The 'Use to...' clause serves as explicit trigger guidance.

Trigger Term Quality: 2 / 3
Includes relevant terms like 'IOC', 'relationships', 'domains', 'IPs', 'files', 'threat actors', and 'GTI', but these are somewhat technical/jargon-heavy. Missing natural user phrases like 'related indicators', 'pivot', 'linked threats', 'associated infrastructure', or expanded forms like 'indicator of compromise'.

Distinctiveness / Conflict Risk: 3 / 3
Clearly scoped to GTI relationship exploration for IOCs, which is a distinct niche. The combination of 'GTI', 'IOC', and 'relationship types' makes it unlikely to conflict with other skills like general threat lookups or non-relationship-based queries.

Total: 11 / 12

Passed

Implementation: 72%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured, concise skill that provides clear tool mappings and relationship references for GTI IOC pivoting. Its main weaknesses are the lack of error handling/validation steps in the workflow and slightly abstract tool call notation. Adding validation checkpoints and more concrete tool invocation examples would elevate it significantly.

Suggestions

Add a validation/error handling step after querying each relationship (e.g., check for empty results, handle API errors, retry logic) to create a feedback loop in the workflow.

Make the tool call example more concrete by showing an actual MCP tool invocation with real parameter names and a sample response structure, rather than pseudocode notation.

Dimension / Reasoning / Score

Conciseness: 3 / 3
The content is lean and efficient. Every section serves a purpose: relationship tables, tool mappings, and call patterns are all necessary reference material that Claude wouldn't inherently know. No unnecessary explanations of what IOCs are or how GTI works.

Actionability: 2 / 3
The tool call pattern is shown but uses pseudocode-style notation rather than an actual executable MCP tool call. The mapping tables are concrete and useful, but the query step lacks specifics like how to handle pagination, error responses, or the exact parameter format expected by the tools.

Workflow Clarity: 2 / 3
The two-step workflow (select tool, query each relationship) is clear and sequenced, but there are no validation checkpoints: no guidance on handling empty results, API errors, rate limits, or verifying that returned entities are valid before adding them to EXPANDED_IOCS. For an investigation tool querying external APIs, error handling feedback loops are important.

Progressive Disclosure: 3 / 3
For a skill of this size (~60 lines of meaningful content), the organization is excellent. Clear sections for inputs, relationship reference, workflow, outputs, and examples. No need for external file references given the scope, and content is well-structured with tables for quick scanning.

Total: 10 / 12

Passed

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys: Warning
Unknown frontmatter key(s) found; consider removing or moving to metadata

Total: 10 / 11

Passed

Repository: dandye/ai-runbooks (Reviewed)
