Triage suspicious login alerts like impossible travel, untrusted location, or multiple failures. Use when investigating authentication anomalies. Analyzes user history, source IP reputation, login patterns, and determines if escalation is needed.
Score: 79
Follows best practices: 75%
Impact: Pending (no eval scenarios have been run)
Known issues: Passed (no known issues)

Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/triage-suspicious-login/SKILL.md`

Quality
Discovery (100%)

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that clearly defines its scope in security alert triage for authentication anomalies. It provides specific concrete actions, includes an explicit 'Use when' clause, and uses natural trigger terms that security analysts would employ. The description is concise yet comprehensive, covering both the what and when effectively.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: triage suspicious login alerts, analyze user history, source IP reputation, login patterns, and determine escalation need. Also names specific alert types like impossible travel, untrusted location, and multiple failures. | 3 / 3 |
| Completeness | Clearly answers both what ('Triage suspicious login alerts... Analyzes user history, source IP reputation, login patterns, and determines if escalation is needed') and when ('Use when investigating authentication anomalies') with an explicit trigger clause. | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'suspicious login', 'impossible travel', 'untrusted location', 'multiple failures', 'authentication anomalies', 'IP reputation', 'login patterns', 'escalation'. These cover a good range of terms a security analyst would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly specific niche focused on authentication/login security triage. The combination of suspicious login alerts, impossible travel, IP reputation, and escalation determination creates a distinct identity unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation (50%)

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid SOC triage skill with a clear multi-step workflow, specific tool calls, and useful decision matrices. However, it lacks validation checkpoints between steps, has inconsistent tool invocation formats (some use function syntax, others use slash-commands), and includes pattern explanations that Claude likely already knows. Adding error handling guidance and standardizing the tool call format would significantly improve it.
Suggestions
Standardize all tool invocations to use consistent syntax—either function call format or slash-command format, not both. Show complete, copy-paste-ready calls for Steps 4 and 7.
Add explicit validation checkpoints after key steps (e.g., 'If entity lookup returns no results, note as new/unknown entity and increase risk score' or 'If IP enrichment fails, proceed with SIEM-only data').
Remove or significantly condense the 'Key Patterns to Detect' section—Claude already understands impossible travel, credential stuffing, and account takeover concepts. Keep only project-specific detection thresholds or tool-specific queries.
Consider splitting the decision matrix and pattern detection guidance into a referenced file (e.g., DECISION_GUIDE.md) to keep the main skill focused on the executable workflow.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is mostly efficient and avoids explaining basic concepts, but includes some sections that could be tightened, e.g., the 'Key Patterns to Detect' section explains what impossible travel and credential stuffing are, which Claude already knows. The decision matrix and pattern descriptions add some value but are partially redundant. | 2 / 3 |
| Actionability | Provides specific tool calls and function signatures, which is good, but several steps use inconsistent formats: some reference slash-commands like `/enrich-ioc` and `/find-relevant-case` without showing the actual function call syntax, and the search query uses a placeholder 'USER_ID' inside a string literal without clarifying interpolation. Step 4 and Step 7 lack executable call syntax. | 2 / 3 |
| Workflow Clarity | The 9-step workflow is clearly sequenced and logically ordered, but there are no validation checkpoints or feedback loops. There is no guidance on what to do if a tool call fails, if entity lookup returns nothing, or if data is incomplete. For a triage workflow that leads to escalation decisions, missing verification steps (e.g., confirming enrichment data before making a verdict) is a gap. | 2 / 3 |
| Progressive Disclosure | The content is well-structured with clear headers and tables, but it is a fairly long monolithic document. The 'Key Patterns to Detect' section and the decision matrix could be split into referenced files. There are no references to external files for deeper guidance on specific alert types or tool usage. | 2 / 3 |
| Total | | 8 / 12 Passed |
Validation (90%)

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |