Expert guidance for proactive threat hunting. Use this when the user asks to "hunt" for threads, IOCs, or specific TTPs.
Overall score: 63
Quality: 45% (does it follow best practices?)
Impact: 97% (2.02x average score across 3 eval scenarios); passed, no known issues
Optimize with: `npx tessl skill review --optimize ./extensions/google-secops/skills/hunt/SKILL.md`

Quality
Discovery: 40%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description identifies a cybersecurity threat hunting domain and includes a 'Use when' clause with some relevant trigger terms, but it is undermined by vague capability language ('expert guidance'), a typo ('threads' instead of 'threats'), and a lack of concrete actions. It needs significantly more specificity about what the skill actually does and broader coverage of natural trigger terms.
Suggestions

- Replace 'Expert guidance for proactive threat hunting' with specific actions like 'Searches logs for indicators of compromise (IOCs), maps adversary behavior to MITRE ATT&CK TTPs, and identifies anomalous patterns in network or endpoint data.'
- Fix the typo 'threads' → 'threats' and expand trigger terms to include natural variations like 'threat intelligence', 'indicators of compromise', 'MITRE ATT&CK', 'suspicious activity', 'adversary techniques'.
- Strengthen the 'Use when' clause to be more explicit, e.g., 'Use when the user asks to hunt for threats, investigate IOCs, search for adversary TTPs, or perform proactive security analysis on logs or telemetry data.'
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description says 'Expert guidance for proactive threat hunting' which is vague and abstract. It does not list any concrete actions like 'analyze logs', 'correlate indicators', or 'search for anomalies'. The phrase 'expert guidance' is fluff rather than a specific capability. | 1 / 3 |
| Completeness | It has a 'Use this when...' clause which addresses the 'when', but the 'what' portion is extremely weak: 'expert guidance' does not explain what the skill actually does. The 'when' clause partially compensates, but the 'what' is essentially missing concrete detail. | 2 / 3 |
| Trigger Term Quality | Includes some relevant trigger terms like 'hunt', 'IOCs', and 'TTPs', which are terms a security analyst would use. However, it contains a typo ('threads' instead of 'threats'), and is missing common variations like 'threat intelligence', 'indicators of compromise', 'MITRE ATT&CK', 'adversary behavior', 'log analysis', or 'suspicious activity'. | 2 / 3 |
| Distinctiveness / Conflict Risk | The mention of 'threat hunting', 'IOCs', and 'TTPs' narrows the domain to cybersecurity, which provides some distinctiveness. However, it could overlap with other security-related skills (e.g., incident response, threat intelligence analysis) since the description doesn't clearly delineate its specific niche. | 2 / 3 |
| Total | | 7 / 12 Passed |
Implementation: 50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a competent threat hunting skill with clear procedural structure and useful UDM query patterns for IOC searches. Its main weaknesses are incomplete actionability (many steps describe what to do abstractly rather than providing executable examples with concrete tool parameters) and missing validation checkpoints in the primary workflow. The tool selection guidance is practical but adds some verbosity.
Suggestions

- Add concrete, copy-paste-ready tool invocation examples for key tools (e.g., exact parameters for `get_ioc_match`, `udm_search`, `list_cases`) rather than just naming them.
- Add explicit validation checkpoints in the GTI Campaign workflow, e.g., after Phase 1, verify hits are true positives before proceeding to Phase 2 deep investigation.
- Provide at least one concrete TTP hunt query example (e.g., a full UDM query for T1003.001 detecting lsass.exe access) instead of describing queries abstractly.
- Either provide the referenced `TOOL_MAPPING.md` bundle file or inline the critical tool name mappings to ensure the skill is self-contained.
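To make the second and third suggestions concrete, here is an added illustration of what the skill could ship: a full UDM query for T1003.001 (handle opens against lsass.exe) and a Phase 1 checkpoint that discards expected LSASS readers and query-only handles before anything reaches deep investigation. This is example code written for this review, not code from the hunt skill, from Google SecOps, or from Tessl. The UDM event type, field names and regex syntax are assumptions based on general UDM usage and must be checked against the tenant's schema; the allowlist of known LSASS readers and the four hits are constructed for the example.

```python
"""Added example: T1003.001 LSASS-access hunt query plus a true-positive
checkpoint. Not code from the reviewed skill; UDM syntax is an assumption
and the sample hits below are constructed."""
import re
from dataclasses import dataclass

# Processes that legitimately open lsass.exe on a typical Windows host.
# Assumption: this list is illustrative and must be tuned per environment.
KNOWN_LSASS_READERS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Access right needed to read another process's memory (Win32 PROCESS_VM_READ).
PROCESS_VM_READ = 0x0010


def build_lsass_access_query(exclude_known_readers: bool = True) -> str:
    """Return a UDM search string for handle opens against lsass.exe.

    Assumed UDM form: PROCESS_OPEN events, regex literals written as
    /.../ with the 'nocase' modifier. Verify against the live schema and
    ship the tested query text in the skill, not this builder.
    """
    clauses = [
        'metadata.event_type = "PROCESS_OPEN"',
        r"target.process.file.full_path = /\\lsass\.exe$/ nocase",
    ]
    if exclude_known_readers:
        names = "|".join(
            re.escape(path.rsplit("\\", 1)[-1]) for path in sorted(KNOWN_LSASS_READERS)
        )
        clauses.append(rf"NOT principal.process.file.full_path = /\\({names})$/ nocase")
    return " AND ".join(clauses)


@dataclass(frozen=True)
class Hit:
    """One normalised PROCESS_OPEN result (constructed shape for the example)."""
    hostname: str
    principal_path: str   # process that opened the handle
    target_path: str      # process the handle points at
    access_mask: int      # granted access rights
    principal_signed: bool


def classify(hit: Hit) -> tuple[str, str]:
    """Return ('benign' | 'investigate', reason) for a single hit."""
    if not hit.target_path.lower().endswith("\\lsass.exe"):
        return "benign", "target is not lsass.exe"
    if not hit.access_mask & PROCESS_VM_READ:
        return "benign", "handle lacks PROCESS_VM_READ, so memory cannot be read"
    principal = hit.principal_path.lower()
    if principal in KNOWN_LSASS_READERS:
        return "benign", "known LSASS reader on the allowlist"
    reasons = ["unlisted process holds a VM_READ handle to lsass.exe"]
    if "\\users\\" in principal or "\\temp\\" in principal:
        reasons.append("runs from a user-writable path")
    if not hit.principal_signed:
        reasons.append("binary is unsigned")
    return "investigate", "; ".join(reasons)


def phase1_checkpoint(hits: list[Hit]) -> list[tuple[Hit, str]]:
    """Gate for Phase 2: keep only hits that survive the true-positive checks."""
    kept = []
    for hit in hits:
        verdict, reason = classify(hit)
        if verdict == "investigate":
            kept.append((hit, reason))
    return kept


# Constructed sample results, as a udm_search response might be normalised.
SAMPLE_HITS = [
    Hit("ws01", r"C:\Program Files\Windows Defender\MsMpEng.exe",
        r"C:\Windows\System32\lsass.exe", 0x1010, True),
    Hit("ws02", r"C:\Users\alice\AppData\Local\Temp\procdump64.exe",
        r"C:\Windows\System32\lsass.exe", 0x1FFFFF, True),
    Hit("ws03", r"C:\Windows\System32\Taskmgr.exe",
        r"C:\Windows\System32\lsass.exe", 0x1000, True),
    Hit("ws04", r"C:\Users\bob\Downloads\x.exe",
        r"C:\Windows\System32\lsass.exe", 0x1010, False),
]

if __name__ == "__main__":
    print(build_lsass_access_query())
    for hit, reason in phase1_checkpoint(SAMPLE_HITS):
        print(f"{hit.hostname}: {hit.principal_path} -> {reason}")
```

Of the four constructed hits, only the two from user-writable paths pass the checkpoint; the Defender engine is allowlisted and the Task Manager handle carries no VM_READ right. A skill that ships this shape of query together with a gate like `phase1_checkpoint` gives the agent a concrete verification step between hit collection and deep investigation, which is the gap the Workflow Clarity row below describes.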
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Generally efficient but includes some unnecessary framing ('You are an expert Threat Hunter') and explanatory text that Claude doesn't need. The tool selection section could be tighter, and some action descriptions are slightly verbose. | 2 / 3 |
| Actionability | Provides concrete UDM query patterns for IOC lookups and names specific tools, which is good. However, many steps remain at the 'Action: do X' level without executable examples (e.g., no concrete tool invocation syntax, no example parameters for list_cases or summarize_entity). The TTP hunt queries are described abstractly ('e.g., specific process names, command lines') rather than giving concrete examples. | 2 / 3 |
| Workflow Clarity | Multi-step workflows are clearly sequenced and numbered with distinct phases. However, validation checkpoints are missing: there's no explicit verification that IOC matches are true positives before deep investigation, no error handling for failed queries, and no feedback loop for the GTI campaign procedure (the TTP hunt has a refine/repeat loop, which is better). | 2 / 3 |
| Progressive Disclosure | References `extensions/google-secops/TOOL_MAPPING.md` for tool mapping (good delegation), but no bundle files are provided to support this reference. The content is reasonably structured with multiple procedures, but the skill is moderately long and could benefit from splitting detailed query patterns or procedure details into separate referenced files. | 2 / 3 |
| Total | | 8 / 12 Passed |
Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
fb807e9