triage-alert
Triage a security alert or case. Use when given an ALERT_ID or CASE_ID to assess if it's a real threat. Enriches IOCs, searches SIEM for context, and determines if the alert should be closed (false positive) or escalated for investigation.
87
85%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Quality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines what the skill does (triages security alerts by enriching IOCs, searching SIEM, and making escalation decisions) and when to use it (when given an ALERT_ID or CASE_ID). It uses domain-appropriate terminology that security analysts would naturally use, and its specificity makes it highly distinguishable from other skills.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: triage a security alert/case, enrich IOCs, search SIEM for context, determine if alert should be closed as false positive or escalated for investigation. | 3 / 3 |
Completeness | Clearly answers both what ('Triage a security alert or case. Enriches IOCs, searches SIEM for context, determines if alert should be closed or escalated') and when ('Use when given an ALERT_ID or CASE_ID to assess if it's a real threat'). | 3 / 3 |
Trigger Term Quality | Includes strong natural trigger terms users would say: 'security alert', 'ALERT_ID', 'CASE_ID', 'triage', 'IOCs', 'SIEM', 'false positive', 'escalated', 'real threat'. These cover the domain vocabulary well. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive with a clear niche in security alert triage. The specific triggers (ALERT_ID, CASE_ID, IOCs, SIEM, false positive, escalation) make it very unlikely to conflict with other skills. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
70%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured security triage skill with excellent workflow clarity and progressive disclosure. Its main weaknesses are moderate verbosity (explaining classifications Claude likely knows, duplicating tool lists) and actionability gaps where tool invocations are described rather than shown with exact syntax and parameters. The overall organization and decision framework are strong.
Suggestions
Replace pseudocode tool descriptions with exact invocation examples showing real parameter values, e.g., `search_security_events(query='user:jdoe AND event_type:login', time_range='2h')` instead of prose descriptions.
Remove the Quick Reference section's tool list duplication by consolidating tool references into the workflow steps where they're used, or vice versa, to save tokens.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is mostly efficient but includes some unnecessary verbosity, such as the table in Step 5 explaining classifications that a security-trained Claude would already know, and some redundancy between the workflow steps and the Quick Reference section listing the same tools again. | 2 / 3 |
Actionability | The skill provides specific tool names and function signatures which is helpful, but the code blocks are pseudocode-style descriptions rather than executable commands. Key details like exact query syntax for SIEM searches or specific parameter formats are missing, leaving Claude to infer implementation details. | 2 / 3 |
Workflow Clarity | The 6-step workflow is clearly sequenced with logical progression from gathering context → searching → enriching → assessing → acting. It includes explicit decision points (the classification table leading to different actions), validation through enrichment cross-referencing, and clear branching for close vs. escalate paths with specific closure reasons and escalation runbooks. | 3 / 3 |
Progressive Disclosure | The skill provides a clear overview with well-organized sections, a quick reference for tool lookup, and appropriately references external files (reference.md for detailed diagrams/criteria) and related skills (/check-duplicates, /full-triage-alert) without nesting references deeply. | 3 / 3 |
Total | 10 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- dandye/ai-runbooks
- Commit
086cbf6
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.