Triage suspicious login alerts like impossible travel, untrusted location, or multiple failures. Use when investigating authentication anomalies. Analyzes user history, source IP reputation, login patterns, and determines if escalation is needed.
Install with Tessl CLI
npx tessl i github:dandye/ai-runbooks --skill triage-suspicious-login86
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skill
Validation for skill structure
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that excels across all dimensions. It provides specific capabilities (triaging login alerts, analyzing multiple data sources), includes natural trigger terms security analysts would use, explicitly states when to use it, and carves out a distinct niche in authentication anomaly investigation.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'Triage suspicious login alerts', 'Analyzes user history, source IP reputation, login patterns', 'determines if escalation is needed'. Also specifies alert types: 'impossible travel, untrusted location, or multiple failures'. | 3 / 3 |
| Completeness | Clearly answers both what ('Triage suspicious login alerts...Analyzes user history, source IP reputation, login patterns, and determines if escalation is needed') AND when ('Use when investigating authentication anomalies') with explicit trigger guidance. | 3 / 3 |
| Trigger Term Quality | Includes natural keywords users would say: 'suspicious login', 'impossible travel', 'untrusted location', 'multiple failures', 'authentication anomalies', 'IP reputation', 'login patterns', 'escalation'. Good coverage of security/SOC terminology. | 3 / 3 |
| Distinctiveness / Conflict Risk | Clear niche focused specifically on login/authentication security alerts. The specific alert types (impossible travel, untrusted location, multiple failures) and analysis targets (IP reputation, login patterns) make it distinct from general security or monitoring skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
72%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured SOC triage skill with good organization and appropriate conciseness. The decision matrix and pattern detection sections add significant value. However, the actionability suffers from placeholder-style code rather than fully executable examples, and the workflow lacks explicit validation checkpoints and error handling guidance that would be important for security operations.
Suggestions
Replace placeholder variables in code examples with proper interpolation syntax or show complete executable examples (e.g., demonstrate actual variable substitution in the search query)
Add validation checkpoints after key steps, such as 'If no events found, check alert configuration' or 'If entity lookup returns empty, proceed with IP-only analysis'
Provide complete syntax for the referenced skills like `/enrich-ioc` and `/find-relevant-case` including all required parameters
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is lean and efficient, avoiding explanations of concepts Claude already knows. Each section serves a clear purpose with no padding or unnecessary context about what suspicious logins are or how SOC operations work. | 3 / 3 |
| Actionability | Provides concrete tool calls and commands, but some are pseudocode-like (e.g., `secops-soar.get_case_full_details(case_id=CASE_ID)` uses placeholder variables). The `/enrich-ioc` and `/find-relevant-case` references lack full syntax examples, and the search query uses a quoted placeholder USER_ID rather than showing proper interpolation. | 2 / 3 |
| Workflow Clarity | Steps are clearly sequenced and numbered, but the workflow lacks explicit validation checkpoints. There are no feedback loops for error recovery (e.g., what to do if the entity lookup fails or no events are found). For a security triage workflow involving potential account compromise, validation steps between enrichment and decision-making are missing. | 2 / 3 |
| Progressive Disclosure | Well-organized with clear sections (Inputs, Workflow, Outputs, Decision Matrix, Key Patterns). Content is appropriately structured for a single skill file without needing external references. The decision matrix and patterns sections provide quick-reference material without bloating the workflow. | 3 / 3 |
| Total | | 10 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |