respond-compromised-account
Respond to a potentially compromised user account. Use when impossible travel, credential stuffing, successful phishing, or suspicious activity indicates account compromise. Investigates activity, contains the account, removes persistence, and restores access.
Install with Tessl CLI
npx tessl i github:dandye/ai-runbooks --skill respond-compromised-account95
Does it follow best practices?
Validation for skill structure
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that excels across all dimensions. It clearly defines the security incident response domain, provides specific trigger scenarios that security analysts would naturally reference, and outlines concrete remediation actions. The description effectively distinguishes itself from other potential security skills through its focus on account compromise specifically.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'Investigates activity, contains the account, removes persistence, and restores access.' These are clear, actionable steps in an incident response workflow. | 3 / 3 |
Completeness | Clearly answers both what ('Investigates activity, contains the account, removes persistence, and restores access') and when ('Use when impossible travel, credential stuffing, successful phishing, or suspicious activity indicates account compromise') with explicit trigger scenarios. | 3 / 3 |
Trigger Term Quality | Includes natural security terms users would say: 'compromised user account', 'impossible travel', 'credential stuffing', 'successful phishing', 'suspicious activity', 'account compromise'. These are standard security terminology that analysts would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly specific niche focused on compromised user accounts with distinct security-specific triggers (impossible travel, credential stuffing, phishing). Unlikely to conflict with general IT or other security skills due to the specific incident type and response actions. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
92%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a high-quality incident response skill with excellent actionability and workflow clarity. The PICERL structure provides clear sequencing with validation checkpoints, and the decision matrices offer concrete guidance. The main weakness is that the document is fairly long and could benefit from progressive disclosure by linking to separate detailed phase documents.
Suggestions
Consider splitting detailed phase content (Identification, Containment, Eradication, Recovery) into separate linked files to improve progressive disclosure
Add explicit links to the slash command documentation referenced throughout (e.g., /check-duplicates, /document-in-case, /confirm-action)
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is lean and efficient, using tables and structured formats to convey information without explaining concepts Claude already knows. No unnecessary explanations of what account compromise is or how SIEM tools work. | 3 / 3 |
Actionability | Provides concrete, executable code snippets for SIEM queries, specific tool calls with parameters, and clear decision matrices. The containment decision matrix and persistence mechanism tables give copy-paste ready guidance. | 3 / 3 |
Workflow Clarity | Excellent multi-step workflow following PICERL phases with explicit validation checkpoints (Step 3.3 verify containment, Step 5.1 ensure threat removed). Includes feedback loops and clear sequencing with numbered steps within each phase. | 3 / 3 |
Progressive Disclosure | Content is well-organized with clear sections and tables, but it's a monolithic document. References to slash commands (/check-duplicates, /document-in-case) suggest external resources exist but aren't clearly linked. Could benefit from splitting detailed phase content into separate files. | 2 / 3 |
Total | 11 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.