respond-ransomware
Respond to a ransomware incident following PICERL methodology. Use when ransomware is detected or suspected. Orchestrates identification, containment, eradication, and recovery phases. Requires CASE_ID and initial indicators.
84
81%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Advisory
Suggest reviewing before use
Quality
Discovery
85%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its purpose, methodology, and trigger conditions. It excels at specificity and completeness with explicit 'Use when' guidance. The main weakness is limited trigger term coverage - it could benefit from additional natural language terms users might use when experiencing a ransomware attack.
Suggestions
Add more natural trigger terms users might say during a ransomware incident, such as 'encrypted files', 'ransom note', 'files locked', 'crypto attack', or 'malware encryption'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'identification, containment, eradication, and recovery phases' and specifies the methodology (PICERL). Also mentions specific requirements (CASE_ID and initial indicators). | 3 / 3 |
Completeness | Clearly answers both what ('Respond to a ransomware incident following PICERL methodology, orchestrates identification, containment, eradication, and recovery') and when ('Use when ransomware is detected or suspected'). | 3 / 3 |
Trigger Term Quality | Includes 'ransomware' and 'incident' which are natural terms users would say, but missing common variations like 'encrypted files', 'ransom note', 'malware attack', 'crypto locker', or 'files locked'. | 2 / 3 |
Distinctiveness Conflict Risk | Very specific niche targeting ransomware incidents with a named methodology (PICERL). Unlikely to conflict with general security or incident response skills due to the ransomware-specific focus and required parameters. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
77%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, actionable incident response skill with excellent workflow clarity and concrete tool commands. The PICERL structure provides clear sequencing with appropriate validation checkpoints. Main weaknesses are moderate verbosity in output tables and lack of progressive disclosure to external references for detailed content.
Suggestions
Move the detailed 'Required Outputs' tables to a separate OUTPUTS.md file and reference it, keeping only a brief summary in the main skill
Consider extracting the persistence mechanisms list and recovery options to a RANSOMWARE_REFERENCE.md file for cleaner progressive disclosure
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is reasonably efficient but includes some unnecessary structure like the detailed output tables that could be condensed. The PICERL methodology explanation and phase headers add overhead, though most content is actionable. | 2 / 3 |
Actionability | Provides concrete, executable commands with specific tool calls (secops-soar.get_case_full_details, gti-mcp.get_file_report, secops-mcp.search_security_events). Each step has clear actions with specific parameters and expected outputs. | 3 / 3 |
Workflow Clarity | Excellent multi-step workflow with clear sequencing through PICERL phases. Includes explicit validation checkpoints (/confirm-action before isolation), verification steps (Step 3.4 verify containment), and critical warnings about not skipping containment for analysis. | 3 / 3 |
Progressive Disclosure | Content is well-organized with clear sections and a quick reference table, but everything is in one file. Some content like the detailed output tables and persistence mechanism lists could be referenced externally. No links to supporting documentation. | 2 / 3 |
Total | 10 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- dandye/ai-runbooks
- Commit
4d132c7
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.