Respond to a malware incident following PICERL methodology. Use when malware is detected on endpoints. Orchestrates triage, containment, eradication, and recovery. Works with triage-malware skill for analysis.
73
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skill
Discovery (75%)
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a solid description that clearly defines its purpose and when to use it, with good distinctiveness from related skills. However, it could benefit from more specific concrete actions and broader trigger term coverage to capture natural user language variations like 'virus' or 'infected'.
Suggestions
Add more specific concrete actions like 'isolate infected hosts', 'collect forensic artifacts', 'remove malicious processes' to improve specificity.
Expand trigger terms to include common user language variations: 'virus', 'ransomware', 'infected computer', 'compromised system', 'security incident'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (malware incident response) and mentions PICERL methodology with phases (triage, containment, eradication, recovery), but doesn't list specific concrete actions like 'isolate infected hosts', 'collect forensic artifacts', or 'remove malicious files'. | 2 / 3 |
| Completeness | Clearly answers both what ('Respond to a malware incident following PICERL methodology', 'Orchestrates triage, containment, eradication, and recovery') and when ('Use when malware is detected on endpoints') with an explicit trigger clause. | 3 / 3 |
| Trigger Term Quality | Includes 'malware incident', 'malware detected', and 'endpoints' which are relevant, but misses common variations users might say like 'virus', 'infected computer', 'ransomware', 'compromised system', or 'security breach'. | 2 / 3 |
| Distinctiveness Conflict Risk | Has a clear niche (malware incident response using PICERL) and explicitly distinguishes itself from the related 'triage-malware skill' by noting it orchestrates while the other handles analysis. Unlikely to conflict with other skills. | 3 / 3 |
| Total | | 10 / 12 Passed |
Implementation (62%)
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured incident response workflow with excellent phase sequencing and validation checkpoints. The main weaknesses are incomplete actionability in eradication/recovery phases (relying on placeholders rather than concrete commands) and a somewhat lengthy single-file format that could benefit from progressive disclosure to separate files.
Suggestions
Replace placeholder text like '*(Requires EDR/endpoint tools)*' with specific tool commands or, at minimum, document which MCP tools/APIs should be used for those operations.
Add concrete code examples for eradication steps (e.g., specific EDR API calls for process termination, file deletion).
Consider splitting detailed phase instructions into separate files (e.g., CONTAINMENT.md, ERADICATION.md) and keeping SKILL.md as a navigation overview.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is reasonably efficient but includes some redundancy (e.g., the quick reference table at the end largely duplicates the phase structure, and some explanatory text could be tighter). The tables and structured format help, but there's room to trim. | 2 / 3 |
| Actionability | Provides concrete skill references (e.g., `/triage-malware`, `/confirm-action`) and some code snippets, but many steps are vague placeholders like '*(Requires EDR/endpoint tools)*' or 'Execute removal plan' without executable commands. The eradication and recovery phases lack specific tool invocations. | 2 / 3 |
| Workflow Clarity | Excellent multi-step workflow with clear PICERL phase sequencing, explicit validation checkpoints (Step 3.4 verify containment, Step 5.3 monitor recovered systems), decision tables for recovery strategy, and documentation requirements after each phase. The feedback loop for monitoring post-recovery is well-defined. | 3 / 3 |
| Progressive Disclosure | References other skills appropriately (`/triage-malware`, `/respond-compromised-account`) but the content is somewhat monolithic. The skill could benefit from splitting detailed phase instructions into separate files while keeping SKILL.md as an overview with navigation links. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation (90%)
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |