Respond to a reported phishing email following PICERL methodology. Use when a phishing email is reported or detected. Analyzes artifacts, identifies recipients who clicked, contains malicious IOCs, and removes emails from mailboxes.
79
Quality: 75% (Does it follow best practices?)
Impact: Pending (No eval scenarios have been run)
Advisory: Suggest reviewing before use
Quality
Discovery
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly communicates its purpose, specific actions, and trigger conditions. It names a specific methodology (PICERL), lists concrete incident response actions, and includes an explicit 'Use when' clause with natural trigger terms. The description is concise yet comprehensive, making it easy for Claude to select appropriately from a large skill set.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: analyzes artifacts, identifies recipients who clicked, contains malicious IOCs, and removes emails from mailboxes. Also names the specific methodology (PICERL). | 3 / 3 |
| Completeness | Clearly answers both what ('Analyzes artifacts, identifies recipients who clicked, contains malicious IOCs, and removes emails from mailboxes') and when ('Use when a phishing email is reported or detected') with an explicit trigger clause. | 3 / 3 |
| Trigger Term Quality | Includes strong natural trigger terms users would say: 'phishing email', 'reported', 'detected', 'IOCs', 'malicious', 'mailboxes'. These are terms a security analyst would naturally use when dealing with a phishing incident. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche: phishing email incident response using PICERL methodology. The combination of phishing-specific actions and the named methodology makes it very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
Implementation: 50%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid phishing incident response runbook with clear phase-based structure and good use of external slash commands for modularity. Its main weaknesses are incomplete actionability (several steps describe what to do without specifying the actual tool/command), some redundancy between the outputs tables and the workflow steps, and missing validation/feedback loops for destructive operations like bulk email deletion.
Suggestions

- Add specific tool calls for email deletion/quarantine steps (Phase 4) instead of generic instructions like 'Search all mailboxes for... Delete/quarantine identified emails'—specify the actual MCP tool or API call.
- Add explicit validation and feedback loops for critical steps: what to do if IOC enrichment is inconclusive, how to verify email deletion succeeded, and how to handle partial containment failures.
- Remove or consolidate the Required Outputs tables—they duplicate information already present in the workflow phases and add ~40 lines of redundant content.
- Specify concrete verification steps in Phase 3.4 (e.g., a specific SIEM query to confirm no further connections to blocked IOCs) rather than the vague 'Monitor for continued activity.'
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is reasonably structured but includes some redundancy—the Required Outputs tables largely duplicate information that appears again in the PICERL phases. The input/output tables add length without adding much actionable value beyond what the workflow steps already convey. Some sections like the phishing category table explain concepts Claude likely already knows. | 2 / 3 |
| Actionability | The skill provides concrete tool calls (secops-soar.get_case_full_details, secops-mcp.search_security_events) and references slash commands (/enrich-ioc, /confirm-action, /document-in-case), which is good. However, many steps are vague directives like 'implement blocks at email gateway/web proxy/firewall/DNS' and 'Search all mailboxes for... Delete/quarantine identified emails' without specifying actual tool calls or commands to accomplish these actions. | 2 / 3 |
| Workflow Clarity | The PICERL phases provide a clear sequence, and the checklist at the end is helpful. However, validation checkpoints are weak—Step 3.4 says 'Monitor for continued activity' without specifying how, and there are no explicit feedback loops for error recovery (e.g., what to do if IOC enrichment returns inconclusive results, or if email deletion fails). The /confirm-action gates are good but insufficient for a destructive workflow involving email deletion across all mailboxes. | 2 / 3 |
| Progressive Disclosure | The skill references external slash commands (/enrich-ioc, /respond-compromised-account, /respond-malware, /generate-report, /check-duplicates) which is good progressive disclosure. However, the skill itself is quite long (~180 lines) and the Required Outputs section could be collapsed or moved to a reference file. The inline content is well-sectioned but could benefit from separating the detailed phase instructions into linked files. | 2 / 3 |
| Total | | 8 / 12 Passed |
Validation
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
086cbf6