Explore GTI relationships for an IOC to discover related entities. Use to expand investigation by finding connected domains, IPs, files, or threat actors. Takes an IOC and relationship types to query.
82
Does it follow best practices? 78%
Impact: Pending (no eval scenarios have been run)
Passed: no known issues
Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/pivot-on-ioc/SKILL.md`

Quality
Discovery: 85%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-structured description that clearly communicates the skill's purpose and when to use it. It specifies concrete outputs (domains, IPs, files, threat actors) and inputs (IOC, relationship types). The main weakness is that trigger terms lean heavily on technical jargon (GTI, IOC) without including natural-language variations or expanded acronyms that users might use.
Suggestions
- Expand acronyms at least once (e.g., 'Google Threat Intelligence', 'indicator of compromise') so the description matches queries from users who don't use abbreviations.
- Add more natural trigger terms users might say, such as 'pivot on an indicator', 'find related infrastructure', or 'linked malware samples'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists specific concrete actions: explore GTI relationships, discover related entities, expand investigation by finding connected domains, IPs, files, or threat actors. Also specifies inputs: an IOC and relationship types. | 3 / 3 |
| Completeness | Clearly answers 'what' (explore GTI relationships for an IOC to discover related entities) and 'when' ('Use to expand investigation by finding connected domains, IPs, files, or threat actors'). The 'Use to...' clause serves as explicit trigger guidance. | 3 / 3 |
| Trigger Term Quality | Includes relevant terms like 'IOC', 'relationships', 'domains', 'IPs', 'files', 'threat actors', and 'GTI', but these are somewhat technical and jargon-heavy. Missing natural user phrases like 'related indicators', 'pivot', 'linked threats', 'associated infrastructure', or expanded forms like 'indicator of compromise'. | 2 / 3 |
| Distinctiveness / Conflict Risk | Clearly scoped to GTI relationship exploration for IOCs, which is a distinct niche. The combination of 'GTI', 'IOC', and 'relationship types' makes it unlikely to conflict with other skills like general threat lookups or non-relationship-based queries. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 72%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured, concise skill that provides clear tool mappings and relationship references for GTI IOC pivoting. Its main weaknesses are the lack of error handling/validation steps in the workflow and slightly abstract tool call notation. Adding validation checkpoints and more concrete tool invocation examples would elevate it significantly.
Suggestions
- Add a validation/error handling step after querying each relationship (e.g., check for empty results, handle API errors, retry logic) to create a feedback loop in the workflow.
- Make the tool call example more concrete by showing an actual MCP tool invocation with real parameter names and a sample response structure, rather than pseudocode notation.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is lean and efficient. Every section serves a purpose: relationship tables, tool mappings, and call patterns are all necessary reference material that Claude wouldn't inherently know. No unnecessary explanations of what IOCs are or how GTI works. | 3 / 3 |
| Actionability | The tool call pattern is shown but uses pseudocode-style notation rather than an actual executable MCP tool call. The mapping tables are concrete and useful, but the query step lacks specifics like how to handle pagination, error responses, or the exact parameter format expected by the tools. | 2 / 3 |
| Workflow Clarity | The two-step workflow (select tool, query each relationship) is clear and sequenced, but there are no validation checkpoints: no guidance on handling empty results, API errors, rate limits, or verifying that returned entities are valid before adding them to EXPANDED_IOCS. For an investigation tool querying external APIs, error handling feedback loops are important. | 2 / 3 |
| Progressive Disclosure | For a skill of this size (~60 lines of meaningful content), the organization is excellent. Clear sections for inputs, relationship reference, workflow, outputs, and examples. No need for external file references given the scope, and content is well-structured with tables for quick scanning. | 3 / 3 |
| Total | | 10 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation: 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |