
secops-hunt

Expert guidance for proactive threat hunting. Use this when the user asks to "hunt" for threads, IOCs, or specific TTPs.

Overall score: 71

Quality: 57% (does it follow best practices?)

Impact: 97%, 2.02x (average score across 3 eval scenarios)

Security (by Snyk): Passed, no known issues

Optimize this skill with Tessl:

npx tessl skill review --optimize ./extensions/google-secops/skills/hunt/SKILL.md

Quality

Discovery: 57%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description has a clear 'Use when' clause with explicit triggers, which is its main strength. However, the 'what' portion is vague ('expert guidance') without listing concrete actions, and there is a typo ('threads' instead of 'threats') that could impair matching. The trigger terms cover some key cybersecurity vocabulary but miss common variations.

Suggestions

Replace 'Expert guidance for proactive threat hunting' with specific concrete actions, e.g., 'Searches logs and telemetry for indicators of compromise (IOCs), maps suspicious activity to MITRE ATT&CK TTPs, and develops threat hunting hypotheses.'

Fix the typo 'threads' → 'threats' in the Use when clause, and expand trigger terms to include variations like 'indicators of compromise', 'MITRE ATT&CK', 'adversary techniques', 'suspicious activity', 'compromise assessment'.

Add more specificity about what outputs or deliverables the skill produces (e.g., 'generates hunting queries, identifies anomalous patterns, produces investigation reports').

Dimension, reasoning and score:

Specificity (1 / 3)
The description says 'expert guidance for proactive threat hunting' which is vague and abstract. It does not list any concrete actions like 'search logs for indicators of compromise', 'correlate events across data sources', or 'map activity to MITRE ATT&CK techniques'. 'Expert guidance' is fluff.

Completeness (3 / 3)
It does answer both 'what' (proactive threat hunting guidance) and 'when' (explicitly states 'Use this when the user asks to hunt for threats, IOCs, or specific TTPs'). The 'what' is weak/vague, but the 'when' clause is explicit with trigger conditions.

Trigger Term Quality (2 / 3)
Includes some relevant terms like 'hunt', 'IOCs', and 'TTPs' which users in cybersecurity would naturally use. However, it has a typo ('threads' instead of 'threats'), and is missing common variations like 'threat intelligence', 'indicators of compromise', 'MITRE ATT&CK', 'adversary', 'malware', 'suspicious activity', or 'compromise assessment'.

Distinctiveness / Conflict Risk (2 / 3)
The focus on 'threat hunting', 'IOCs', and 'TTPs' provides some distinctiveness within a cybersecurity context, but 'expert guidance' is generic enough that it could overlap with other security-related skills like incident response, threat intelligence analysis, or security monitoring.

Total: 8 / 12 (Passed)

Implementation: 57%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill provides a solid structural framework for threat hunting with clear procedure selection, tool adaptation guidance, and concrete UDM query patterns. Its main weaknesses are the lack of fully executable examples (tool invocations with complete parameters) and missing validation/verification checkpoints in workflows that involve iterative searching and case creation. The progressive disclosure and organization are strong points.

Suggestions

Add complete, executable tool invocation examples (e.g., exact parameters for `udm_search`, `get_ioc_match`) rather than just naming the tools at each step.

Add explicit validation checkpoints after key phases—e.g., 'Verify at least one IOC returned results before proceeding to Phase 2' and 'Confirm findings with analyst before creating/updating a case.'

Remove the opening persona statement ('You are an expert Threat Hunter') as it wastes tokens on something Claude already understands from context.

Dimension, reasoning and score:

Conciseness (2 / 3)
Generally efficient but includes some unnecessary framing ('You are an expert Threat Hunter') and could tighten certain sections. The tool selection preamble is useful but slightly verbose. Most content earns its place.

Actionability (2 / 3)
Provides concrete UDM query patterns for IOC lookups and names specific tools, which is good. However, many steps remain at the 'Action: do X' level without fully executable examples (e.g., no complete tool invocation syntax, no example parameters for udm_search or list_cases).

Workflow Clarity (2 / 3)
Multi-step workflows are clearly sequenced and numbered with distinct phases. However, validation checkpoints are largely absent: there is no explicit verification step after IOC searches, no error handling for failed queries, and no feedback loop for confirming results before proceeding to synthesis or escalation.

Progressive Disclosure (3 / 3)
Content is well-structured with clear sections for different procedures, references TOOL_MAPPING.md for detailed tool information, and keeps each procedure at an appropriate level of detail. Navigation between sections is straightforward with no deeply nested references.

Total: 9 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 passed

Validation for skill structure (criteria, description, result):

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 10 / 11 (Passed)

Repository: google/mcp-security (Reviewed)
