respond-phishing
Respond to a reported phishing email following PICERL methodology. Use when a phishing email is reported or detected. Analyzes artifacts, identifies recipients who clicked, contains malicious IOCs, and removes emails from mailboxes.
Install with Tessl CLI
npx tessl i github:dandye/ai-runbooks --skill respond-phishing81
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skillValidation for skill structure
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that excels across all dimensions. It clearly specifies the domain (phishing incident response), methodology (PICERL), concrete actions, and explicit trigger conditions. The description is concise yet comprehensive, using third-person voice and natural security terminology.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'Analyzes artifacts, identifies recipients who clicked, contains malicious IOCs, and removes emails from mailboxes' - these are clear, actionable capabilities. | 3 / 3 |
Completeness | Clearly answers both what ('Analyzes artifacts, identifies recipients who clicked, contains malicious IOCs, removes emails') AND when ('Use when a phishing email is reported or detected') with explicit trigger guidance. | 3 / 3 |
Trigger Term Quality | Includes natural keywords users would say: 'phishing email', 'reported', 'detected', 'malicious IOCs', 'mailboxes'. These are terms security analysts would naturally use when dealing with phishing incidents. | 3 / 3 |
Distinctiveness Conflict Risk | Very specific niche - phishing incident response using PICERL methodology. The combination of 'phishing', 'PICERL', and specific actions like 'removes emails from mailboxes' makes this highly distinctive and unlikely to conflict with other security or email skills. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
62%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured incident response skill with excellent workflow clarity following the PICERL methodology. The main weaknesses are incomplete actionability (several steps describe what to do without providing executable commands) and moderate verbosity with some redundant content. The checklist and confirmation prompts for destructive actions are strong safety features.
Suggestions
Add concrete API calls or tool commands for email deletion/quarantine operations instead of noting 'Requires Email Gateway/Platform tools'
Provide specific commands for implementing blocks at email gateway, proxy, and firewall rather than just listing the systems
Remove or condense the phishing category definitions table - Claude already knows these distinctions
Consider moving the detailed Required Outputs tables to a separate reference file to reduce main document length
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is reasonably efficient but includes some redundancy (outputs table duplicates information found in phases) and could be tightened. The structured tables and clear sections help, but some explanations like phishing category definitions are things Claude already knows. | 2 / 3 |
Actionability | Provides concrete tool calls and slash commands, but many steps lack executable specifics. For example, 'implement blocks at email gateway/web proxy/firewall/DNS' gives no actual commands or API calls. Email deletion step says 'Requires Email Gateway/Platform tools' without providing them. | 2 / 3 |
Workflow Clarity | Excellent multi-step workflow following PICERL methodology with clear phase sequencing. Includes verification steps (Step 3.4 'Verify Containment'), confirmation prompts before destructive actions, and a comprehensive checklist. Feedback loops are present for containment validation. | 3 / 3 |
Progressive Disclosure | References other skills appropriately (/respond-compromised-account, /respond-malware, /enrich-ioc) but the main document is quite long. The outputs tables at the top could be collapsed or moved to a reference file. No external documentation links for detailed procedures. | 2 / 3 |
Total | 9 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.