respond-phishing

Respond to a reported phishing email following PICERL methodology. Use when a phishing email is reported or detected. Analyzes artifacts, identifies recipients who clicked, contains malicious IOCs, and removes emails from mailboxes.

Quality

75%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Advisory

Suggest reviewing before use

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/respond-phishing/SKILL.md

Quality

Content

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a solid phishing incident response runbook with clear phase-based structure and good use of external slash commands for modularity. Its main weaknesses are incomplete actionability (several steps describe what to do without specifying the actual tool/command), some redundancy between the outputs tables and the workflow steps, and missing validation/feedback loops for destructive operations like bulk email deletion.

Suggestions

Add specific tool calls for email deletion/quarantine steps (Phase 4) instead of generic instructions like 'Search all mailboxes for... Delete/quarantine identified emails'—specify the actual MCP tool or API call.

Add explicit validation and feedback loops for critical steps: what to do if IOC enrichment is inconclusive, how to verify email deletion succeeded, and how to handle partial containment failures.

Remove or consolidate the Required Outputs tables—they duplicate information already present in the workflow phases and add ~40 lines of redundant content.

Specify concrete verification steps in Phase 3.4 (e.g., a specific SIEM query to confirm no further connections to blocked IOCs) rather than the vague 'Monitor for continued activity.'

Dimension	Reasoning	Score
Conciseness	The skill is reasonably structured but includes some redundancy—the Required Outputs tables largely duplicate information that appears again in the PICERL phases. The input/output tables add length without adding much actionable value beyond what the workflow steps already convey. Some sections like the phishing category table explain concepts Claude likely already knows.	2 / 3
Actionability	The skill provides concrete tool calls (secops-soar.get_case_full_details, secops-mcp.search_security_events) and references slash commands (/enrich-ioc, /confirm-action, /document-in-case), which is good. However, many steps are vague directives like 'implement blocks at email gateway/web proxy/firewall/DNS' and 'Search all mailboxes for... Delete/quarantine identified emails' without specifying actual tool calls or commands to accomplish these actions.	2 / 3
Workflow Clarity	The PICERL phases provide a clear sequence, and the checklist at the end is helpful. However, validation checkpoints are weak—Step 3.4 says 'Monitor for continued activity' without specifying how, and there are no explicit feedback loops for error recovery (e.g., what to do if IOC enrichment returns inconclusive results, or if email deletion fails). The /confirm-action gates are good but insufficient for a destructive workflow involving email deletion across all mailboxes.	2 / 3
Progressive Disclosure	The skill references external slash commands (/enrich-ioc, /respond-compromised-account, /respond-malware, /generate-report, /check-duplicates) which is good progressive disclosure. However, the skill itself is quite long (~180 lines) and the Required Outputs section could be collapsed or moved to a reference file. The inline content is well-sectioned but could benefit from separating the detailed phase instructions into linked files.	2 / 3
	Total	8 / 12 Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description that clearly communicates its purpose, specific actions, and trigger conditions. It names a specific methodology (PICERL), lists concrete incident response actions, and includes an explicit 'Use when' clause with natural trigger terms. The description is concise yet comprehensive, making it easy for Claude to select appropriately from a large skill set.

Dimension	Reasoning	Score
Specificity	Lists multiple specific concrete actions: analyzes artifacts, identifies recipients who clicked, contains malicious IOCs, and removes emails from mailboxes. Also names the specific methodology (PICERL).	3 / 3
Completeness	Clearly answers both what ('Analyzes artifacts, identifies recipients who clicked, contains malicious IOCs, and removes emails from mailboxes') and when ('Use when a phishing email is reported or detected') with an explicit trigger clause.	3 / 3
Trigger Term Quality	Includes strong natural trigger terms users would say: 'phishing email', 'reported', 'detected', 'IOCs', 'malicious', 'mailboxes'. These are terms a security analyst would naturally use when dealing with a phishing incident.	3 / 3
Distinctiveness Conflict Risk	Highly distinctive with a clear niche: phishing email incident response using PICERL methodology. The combination of phishing-specific actions and the named methodology makes it very unlikely to conflict with other skills.	3 / 3
	Total	12 / 12 Passed

Validation

90%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed

Validation for skill structure

Criteria	Description	Result
frontmatter_unknown_keys	Unknown frontmatter key(s) found; consider removing or moving to metadata	Warning

	Total	10 / 11 Passed

Repository: dandye/ai-runbooks
Commit: 086cbf6

Reviewed: 2 months ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.