triage-suspicious-login

Triage suspicious login alerts like impossible travel, untrusted location, or multiple failures. Use when investigating authentication anomalies. Analyzes user history, source IP reputation, login patterns, and determines if escalation is needed.

Quality

75%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Passed

No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/triage-suspicious-login/SKILL.md

Quality

Content

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a solid SOC triage skill with a clear multi-step workflow, specific tool calls, and useful decision matrices. However, it lacks validation checkpoints between steps, has inconsistent tool invocation formats (some use function syntax, others use slash-commands), and includes pattern explanations that Claude likely already knows. Adding error handling guidance and standardizing the tool call format would significantly improve it.

Suggestions

Standardize all tool invocations to use consistent syntax—either function call format or slash-command format, not both. Show complete, copy-paste-ready calls for Steps 4 and 7.

Add explicit validation checkpoints after key steps (e.g., 'If entity lookup returns no results, note as new/unknown entity and increase risk score' or 'If IP enrichment fails, proceed with SIEM-only data').

Remove or significantly condense the 'Key Patterns to Detect' section—Claude already understands impossible travel, credential stuffing, and account takeover concepts. Keep only project-specific detection thresholds or tool-specific queries.

Consider splitting the decision matrix and pattern detection guidance into a referenced file (e.g., DECISION_GUIDE.md) to keep the main skill focused on the executable workflow.

Dimension	Reasoning	Score
Conciseness	The skill is mostly efficient and avoids explaining basic concepts, but includes some sections that could be tightened—e.g., the 'Key Patterns to Detect' section explains what impossible travel and credential stuffing are, which Claude already knows. The decision matrix and pattern descriptions add some value but are partially redundant.	2 / 3
Actionability	Provides specific tool calls and function signatures which is good, but several steps use inconsistent formats—some reference slash-commands like `/enrich-ioc` and `/find-relevant-case` without showing the actual function call syntax, and the search query uses a placeholder 'USER_ID' inside a string literal without clarifying interpolation. Step 4 and Step 7 lack executable call syntax.	2 / 3
Workflow Clarity	The 9-step workflow is clearly sequenced and logically ordered, but there are no validation checkpoints or feedback loops. There's no guidance on what to do if a tool call fails, if entity lookup returns nothing, or if data is incomplete. For a triage workflow that leads to escalation decisions, missing verification steps (e.g., confirming enrichment data before making a verdict) is a gap.	2 / 3
Progressive Disclosure	The content is well-structured with clear headers and tables, but it's a fairly long monolithic document. The 'Key Patterns to Detect' section and the decision matrix could be split into referenced files. There are no references to external files for deeper guidance on specific alert types or tool usage.	2 / 3
	Total	8 / 12 Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a well-crafted skill description that clearly defines its scope in security alert triage for authentication anomalies. It provides specific concrete actions, includes an explicit 'Use when' clause, and uses natural trigger terms that security analysts would employ. The description is concise yet comprehensive, covering both the what and when effectively.

Dimension	Reasoning	Score
Specificity	Lists multiple specific concrete actions: triage suspicious login alerts, analyzes user history, source IP reputation, login patterns, and determines escalation need. Also names specific alert types like impossible travel, untrusted location, and multiple failures.	3 / 3
Completeness	Clearly answers both what ('Triage suspicious login alerts... Analyzes user history, source IP reputation, login patterns, and determines if escalation is needed') and when ('Use when investigating authentication anomalies') with an explicit trigger clause.	3 / 3
Trigger Term Quality	Includes strong natural keywords users would say: 'suspicious login', 'impossible travel', 'untrusted location', 'multiple failures', 'authentication anomalies', 'IP reputation', 'login patterns', 'escalation'. These cover a good range of terms a security analyst would naturally use.	3 / 3
Distinctiveness Conflict Risk	Highly specific niche focused on authentication/login security triage. The combination of suspicious login alerts, impossible travel, IP reputation, and escalation determination creates a distinct identity unlikely to conflict with other skills.	3 / 3
	Total	12 / 12 Passed

Validation

90%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed

Validation for skill structure

Criteria	Description	Result
frontmatter_unknown_keys	Unknown frontmatter key(s) found; consider removing or moving to metadata	Warning

	Total	10 / 11 Passed

Repository: dandye/ai-runbooks
Commit: 086cbf6

Reviewed: 2 months ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.