Respond to a malware incident following PICERL methodology. Use when malware is detected on endpoints. Orchestrates triage, containment, eradication, and recovery. Works with triage-malware skill for analysis.
74
68%: Does it follow best practices?
Impact: Pending. No eval scenarios have been run.
Advisory: Suggest reviewing before use.
Quality
Discovery
75%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description has good structure with explicit 'Use when' guidance and clear differentiation from related skills. However, it could be stronger by listing more specific concrete actions beyond methodology phases and including more natural trigger terms that users might actually say when reporting malware issues.
Suggestions
Add specific concrete actions like 'isolate infected hosts', 'collect memory dumps', 'remove malicious processes', 'restore from clean backups' instead of just methodology phases.
Expand trigger terms to include common user language: 'virus', 'infected', 'compromised', 'ransomware', 'suspicious process', 'security incident'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (malware incident response) and mentions PICERL methodology with phases (triage, containment, eradication, recovery), but doesn't list specific concrete actions like 'isolate infected hosts', 'collect forensic artifacts', or 'remove malicious files'. | 2 / 3 |
| Completeness | Clearly answers both what ('Respond to a malware incident following PICERL methodology, orchestrates triage, containment, eradication, and recovery') and when ('Use when malware is detected on endpoints') with an explicit trigger clause. | 3 / 3 |
| Trigger Term Quality | Includes 'malware', 'incident', and 'endpoints', which are relevant, but misses common variations users might say like 'virus', 'infected', 'compromised', 'ransomware', 'trojan', or 'security breach'. | 2 / 3 |
| Distinctiveness / Conflict Risk | Has a clear niche (malware incident response using PICERL) and explicitly distinguishes itself from the related 'triage-malware skill' for analysis, making it unlikely to conflict with other security or incident skills. | 3 / 3 |
| Total | | 10 / 12 Passed |
Implementation
62%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured incident response workflow with excellent phase sequencing and validation checkpoints. However, it suffers from incomplete actionability in eradication/recovery phases where actual commands are replaced with placeholders, and the monolithic structure could benefit from progressive disclosure to separate detailed phase instructions.
Suggestions
Replace placeholder steps like '*(Requires EDR/endpoint tools)*' with concrete tool-specific commands or at minimum specify which MCP tools/actions to use
Add specific EDR remediation commands for common persistence mechanisms (scheduled tasks, services, registry keys) rather than just listing what to remove
Consider splitting detailed phase instructions into separate files (e.g., CONTAINMENT.md, ERADICATION.md) with this file serving as the orchestration overview
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is reasonably efficient but includes some redundancy (e.g., the quick reference table at the end largely duplicates the phase structure, and some explanatory text could be tighter). The tables and structured format help, but there's room to trim. | 2 / 3 |
| Actionability | Provides concrete skill references (e.g., `/triage-malware`, `/confirm-action`) and some code snippets, but many steps are vague placeholders like '*(Requires EDR/endpoint tools)*' or 'Execute removal plan' without executable commands. The actual remediation steps lack specificity. | 2 / 3 |
| Workflow Clarity | Excellent multi-step workflow with clear PICERL phase sequencing, explicit validation checkpoints (Step 3.4 verify containment, Step 5.3 monitor recovered systems), decision tables for recovery strategy, and confirmation gates before destructive actions via `/confirm-action`. | 3 / 3 |
| Progressive Disclosure | References other skills appropriately (`/triage-malware`, `/respond-compromised-account`) but all content is inline in one file. The detailed phase instructions could benefit from being split into separate files with this serving as an overview, especially given the length. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation
90%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |