respond-compromised-account
Respond to a potentially compromised user account. Use when impossible travel, credential stuffing, successful phishing, or suspicious activity indicates account compromise. Investigates activity, contains the account, removes persistence, and restores access.
96
96%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Quality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that excels across all dimensions. It clearly defines the security incident response domain, provides specific trigger scenarios that security analysts would naturally reference, and outlines concrete remediation actions. The description effectively distinguishes itself from other potential security skills through its focus on account compromise specifically.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'Investigates activity, contains the account, removes persistence, and restores access.' These are clear, actionable steps in an incident response workflow. | 3 / 3 |
Completeness | Clearly answers both what ('Investigates activity, contains the account, removes persistence, and restores access') and when ('Use when impossible travel, credential stuffing, successful phishing, or suspicious activity indicates account compromise') with explicit trigger scenarios. | 3 / 3 |
Trigger Term Quality | Includes natural security terms users would say: 'compromised user account', 'impossible travel', 'credential stuffing', 'successful phishing', 'suspicious activity', 'account compromise'. These are standard security terminology that analysts would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly specific niche focused on compromised user accounts with distinct security-specific triggers (impossible travel, credential stuffing, phishing). Unlikely to conflict with general IT or other security skills due to the specific incident type and response actions. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
92%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a high-quality incident response skill with excellent actionability and workflow clarity. The PICERL structure provides clear sequencing with validation checkpoints, and the decision matrices offer concrete guidance. The main weakness is that slash commands are referenced without explanation of where they're defined, and the document could benefit from clearer navigation to related resources.
Suggestions
Add a brief section explaining or linking to the slash commands (/check-duplicates, /confirm-action, /document-in-case, etc.) so Claude knows where these are defined
Consider splitting the detailed phase content into separate files (e.g., CONTAINMENT.md, ERADICATION.md) with SKILL.md serving as an overview with clear links
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is lean and efficient, using tables and structured sections to convey information without explaining concepts Claude already knows. No unnecessary padding or explanations of basic security concepts. | 3 / 3 |
Actionability | Provides concrete, executable code snippets for SIEM queries, specific tool calls with parameters, and clear decision matrices. The guidance is copy-paste ready with actual function calls and parameters. | 3 / 3 |
Workflow Clarity | Excellent multi-step workflow following PICERL model with explicit phases, numbered steps, verification checkpoints (Step 3.3 verify containment), and clear decision points requiring analyst confirmation before destructive actions. | 3 / 3 |
Progressive Disclosure | Content is well-organized with clear sections and tables, but it's a monolithic document. References to slash commands (/check-duplicates, /confirm-action) suggest external resources exist but aren't clearly linked or explained. | 2 / 3 |
Total | 11 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- dandye/ai-runbooks
- Commit
4d132c7
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.