triage-alert
Triage a security alert or case. Use when given an ALERT_ID or CASE_ID to assess if it's a real threat. Enriches IOCs, searches SIEM for context, and determines if the alert should be closed (false positive) or escalated for investigation.
99
100%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Quality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines its purpose (security alert triage), specifies concrete actions (enrich IOCs, search SIEM, determine disposition), and provides explicit trigger conditions (ALERT_ID or CASE_ID). The description uses appropriate third-person voice and includes domain-specific terminology that security analysts would naturally use.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'Triage a security alert or case', 'Enriches IOCs', 'searches SIEM for context', 'determines if the alert should be closed (false positive) or escalated for investigation'. | 3 / 3 |
Completeness | Clearly answers both what ('Triage a security alert or case', 'Enriches IOCs, searches SIEM for context') AND when ('Use when given an ALERT_ID or CASE_ID to assess if it's a real threat') with explicit triggers. | 3 / 3 |
Trigger Term Quality | Includes natural keywords users would say: 'security alert', 'ALERT_ID', 'CASE_ID', 'threat', 'IOCs', 'SIEM', 'false positive', 'escalated', 'investigation'. Good coverage of security operations terminology. | 3 / 3 |
Distinctiveness Conflict Risk | Clear niche in security alert triage with distinct triggers like ALERT_ID, CASE_ID, IOCs, SIEM, and false positive/escalation workflow. Unlikely to conflict with other skills due to specific security operations domain. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
100%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is an excellent skill that demonstrates best practices for security alert triage documentation. It provides concrete, actionable guidance with specific tool calls, clear decision criteria in table format, and well-organized workflow steps. The skill respects Claude's intelligence by avoiding basic security concept explanations while providing the specific procedural knowledge needed.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is lean and efficient, avoiding explanations of basic security concepts Claude already knows. Every section serves a purpose with no padding or unnecessary context. | 3 / 3 |
Actionability | Provides specific tool names, function calls with parameters, and concrete decision criteria in a table format. The workflow is copy-paste ready with exact tool invocations like `get_case_full_details(case_id)` and `search_security_events`. | 3 / 3 |
Workflow Clarity | Clear 6-step sequence with explicit decision points (Step 5 classification table) and conditional actions (Step 6 branching based on classification). Includes validation through the assessment criteria and clear escalation paths. | 3 / 3 |
Progressive Disclosure | Well-structured with a quick reference section for tool lookup, clear section headers, and appropriate reference to external file (reference.md) for detailed diagrams. Content is appropriately split between overview and detail. | 3 / 3 |
Total | 12 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- dandye/ai-runbooks
- Commit
4d132c7
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.