triage-alert

Triage a security alert or case. Use when given an ALERT_ID or CASE_ID to assess if it's a real threat. Enriches IOCs, searches SIEM for context, and determines if the alert should be closed (false positive) or escalated for investigation.

Quality

85%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Passed

No known issues

Quality

Content

70%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured security triage skill with excellent workflow clarity and progressive disclosure. Its main weaknesses are moderate verbosity (explaining classifications Claude likely knows, duplicating tool lists) and actionability gaps where tool invocations are described rather than shown with exact syntax and parameters. The overall organization and decision framework are strong.

Suggestions

Replace pseudocode tool descriptions with exact invocation examples showing real parameter values, e.g., `search_security_events(query='user:jdoe AND event_type:login', time_range='2h')` instead of prose descriptions.

Remove the Quick Reference section's tool list duplication by consolidating tool references into the workflow steps where they're used, or vice versa, to save tokens.

Dimension	Reasoning	Score
Conciseness	The skill is mostly efficient but includes some unnecessary verbosity, such as the table in Step 5 explaining classifications that a security-trained Claude would already know, and some redundancy between the workflow steps and the Quick Reference section listing the same tools again.	2 / 3
Actionability	The skill provides specific tool names and function signatures which is helpful, but the code blocks are pseudocode-style descriptions rather than executable commands. Key details like exact query syntax for SIEM searches or specific parameter formats are missing, leaving Claude to infer implementation details.	2 / 3
Workflow Clarity	The 6-step workflow is clearly sequenced with logical progression from gathering context → searching → enriching → assessing → acting. It includes explicit decision points (the classification table leading to different actions), validation through enrichment cross-referencing, and clear branching for close vs. escalate paths with specific closure reasons and escalation runbooks.	3 / 3
Progressive Disclosure	The skill provides a clear overview with well-organized sections, a quick reference for tool lookup, and appropriately references external files (reference.md for detailed diagrams/criteria) and related skills (/check-duplicates, /full-triage-alert) without nesting references deeply.	3 / 3
	Total	10 / 12 Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly defines what the skill does (triages security alerts by enriching IOCs, searching SIEM, and making escalation decisions) and when to use it (when given an ALERT_ID or CASE_ID). It uses domain-appropriate terminology that security analysts would naturally use, and its specificity makes it highly distinguishable from other skills.

Dimension	Reasoning	Score
Specificity	Lists multiple specific concrete actions: triage a security alert/case, enrich IOCs, search SIEM for context, determine if alert should be closed as false positive or escalated for investigation.	3 / 3
Completeness	Clearly answers both what ('Triage a security alert or case. Enriches IOCs, searches SIEM for context, determines if alert should be closed or escalated') and when ('Use when given an ALERT_ID or CASE_ID to assess if it's a real threat').	3 / 3
Trigger Term Quality	Includes strong natural trigger terms users would say: 'security alert', 'ALERT_ID', 'CASE_ID', 'triage', 'IOCs', 'SIEM', 'false positive', 'escalated', 'real threat'. These cover the domain vocabulary well.	3 / 3
Distinctiveness Conflict Risk	Highly distinctive with a clear niche in security alert triage. The specific triggers (ALERT_ID, CASE_ID, IOCs, SIEM, false positive, escalation) make it very unlikely to conflict with other skills.	3 / 3
	Total	12 / 12 Passed

Validation

90%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed

Validation for skill structure

Criteria	Description	Result
frontmatter_unknown_keys	Unknown frontmatter key(s) found; consider removing or moving to metadata	Warning

	Total	10 / 11 Passed

Repository: dandye/ai-runbooks
Commit: 086cbf6

Reviewed: 2 months ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.