respond-ransomware
Respond to a ransomware incident following PICERL methodology. Use when ransomware is detected or suspected. Orchestrates identification, containment, eradication, and recovery phases. Requires CASE_ID and initial indicators.
Install with Tessl CLI
npx tessl i github:dandye/ai-runbooks --skill respond-ransomware83
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skillValidation for skill structure
Discovery
85%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its purpose, methodology, and trigger conditions. It excels at specificity and completeness with explicit 'Use when' guidance. The main weakness is limited trigger term coverage - it could benefit from additional natural language terms users might use when experiencing a ransomware attack.
Suggestions
Add more natural trigger terms users might say during a ransomware incident, such as 'encrypted files', 'ransom note', 'files locked', 'crypto attack', or 'malware encryption'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'identification, containment, eradication, and recovery phases' and specifies the methodology (PICERL). Also mentions specific requirements (CASE_ID and initial indicators). | 3 / 3 |
Completeness | Clearly answers both what ('Respond to a ransomware incident following PICERL methodology, orchestrates identification, containment, eradication, and recovery') and when ('Use when ransomware is detected or suspected'). | 3 / 3 |
Trigger Term Quality | Includes 'ransomware' and 'incident' which are natural terms users would say, but missing common variations like 'encrypted files', 'ransom note', 'malware attack', 'crypto locker', or 'files locked'. | 2 / 3 |
Distinctiveness Conflict Risk | Very specific niche targeting ransomware incidents with a named methodology (PICERL). Unlikely to conflict with general security or incident response skills due to the ransomware-specific focus and required parameters. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
77%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong incident response skill with excellent actionability and workflow clarity. The PICERL methodology is well-implemented with concrete tool calls, validation checkpoints, and clear sequencing. The main weaknesses are moderate verbosity in the output tables and a monolithic structure that could benefit from splitting detailed phase content into separate files.
Suggestions
Condense the Required Outputs tables into a more compact format or move to a separate OUTPUTS.md reference file
Consider splitting detailed phase content (especially Recovery and Eradication) into separate files with the main SKILL.md providing an overview and links
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is reasonably efficient but includes some unnecessary structure like the detailed output tables that could be condensed. The PICERL methodology explanation and phase headers add overhead, though the actual instructions are fairly lean. | 2 / 3 |
Actionability | Provides concrete, executable commands with specific tool calls (secops-soar.get_case_full_details, gti-mcp.get_file_report, secops-mcp.search_security_events). Each step has clear actions with specific parameters and expected outputs. | 3 / 3 |
Workflow Clarity | Excellent multi-step workflow with clear sequencing through PICERL phases. Includes explicit validation checkpoints (/confirm-action before isolation), verification steps (Step 3.4 verify containment), and critical warnings about not skipping containment. Feedback loops are present for monitoring and validation. | 3 / 3 |
Progressive Disclosure | Content is well-organized with clear phase sections and a quick reference table, but everything is in a single monolithic file. Complex phases like Recovery could benefit from separate detailed guides. References to other skills (/respond-compromised-account) are present but inline content is extensive. | 2 / 3 |
Total | 10 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.