Explore GTI relationships for an IOC to discover related entities. Use to expand investigation by finding connected domains, IPs, files, or threat actors. Takes an IOC and relationship types to query.
88
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skill
Discovery
85%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that clearly defines its purpose in threat intelligence investigation workflows. It excels at specificity and completeness with explicit 'Use to...' guidance. The main weakness is reliance on technical jargon (GTI, IOC) without including natural language variations that users might employ.
Suggestions
Expand trigger terms to include natural language variations like 'indicator of compromise', 'threat intelligence relationships', 'pivot on indicator', or 'find related threats'
Consider spelling out acronyms at least once (e.g., 'IOC (indicator of compromise)') to improve discoverability for users who may phrase requests differently
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'Explore GTI relationships', 'discover related entities', 'expand investigation', 'finding connected domains, IPs, files, or threat actors', and 'Takes an IOC and relationship types to query'. | 3 / 3 |
| Completeness | Clearly answers both what ('Explore GTI relationships for an IOC to discover related entities') and when ('Use to expand investigation by finding connected domains, IPs, files, or threat actors'). Has explicit 'Use to...' clause with trigger guidance. | 3 / 3 |
| Trigger Term Quality | Includes relevant technical terms like 'IOC', 'GTI', 'domains', 'IPs', 'files', 'threat actors', and 'relationship types', but these are security jargon. Missing more natural variations users might say like 'indicator of compromise', 'threat intelligence', 'related indicators', or 'pivot'. | 2 / 3 |
| Distinctiveness Conflict Risk | Very specific niche focused on GTI relationship exploration for IOCs. The combination of 'GTI', 'IOC', 'relationship types', and specific entity types (domains, IPs, files, threat actors) creates a distinct trigger profile unlikely to conflict with other skills. | 3 / 3 |
| Total | 11 / 12 Passed | |
Implementation
87%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured, concise skill that provides clear actionable guidance for pivoting on IOCs in GTI. The tool mappings and relationship tables are excellent reference material. The main weakness is the lack of error handling or validation steps for what could be a multi-query operation with potential failures.
Suggestions
Add a validation step after querying relationships to handle empty results or API errors (e.g., 'If relationship returns empty, note in PIVOT_STATUS and continue with remaining relationships')
Include guidance on rate limiting or batching if querying many relationships simultaneously
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is lean and efficient, using tables to compress information and avoiding unnecessary explanations. Every section serves a clear purpose without padding or explaining concepts Claude already knows. | 3 / 3 |
| Actionability | Provides specific tool names, exact parameter mappings, and concrete examples with real relationship names. The workflow is copy-paste ready with clear tool invocation syntax. | 3 / 3 |
| Workflow Clarity | Steps are clearly sequenced with tool selection followed by querying, but lacks validation checkpoints. No guidance on handling API errors, rate limits, or verifying results before proceeding to use EXPANDED_IOCS. | 2 / 3 |
| Progressive Disclosure | For a skill of this scope (~70 lines), the content is well-organized with clear sections. Tables efficiently present reference information, and the structure allows quick scanning without needing external files. | 3 / 3 |
| Total | 11 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |