
secops-hunt

Expert guidance for proactive threat hunting. Use this when the user asks to "hunt" for threads, IOCs, or specific TTPs.

Overall score: 71

Quality: 57% (does it follow best practices?)

Impact: 97%, 2.02x, average score across 3 eval scenarios

Security by Snyk: Passed, no known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./extensions/google-secops/skills/hunt/SKILL.md

Quality

Discovery

57%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description has a clear 'Use when' clause with explicit triggers, which is its main strength. However, the 'what' portion is vague ('expert guidance') and lacks concrete actions. There is also a typo ('threads' instead of 'threats') that could impair skill selection, and the trigger terms could be more comprehensive for the cybersecurity domain.

Suggestions

Replace 'Expert guidance for proactive threat hunting' with specific actions like 'Identifies suspicious patterns in logs, correlates indicators of compromise (IOCs), maps adversary behavior to MITRE ATT&CK TTPs, and develops detection hypotheses.'

Fix the typo 'threads' → 'threats' and expand trigger terms to include natural variations like 'indicators of compromise', 'MITRE ATT&CK', 'adversary techniques', 'suspicious activity', 'detection rules'.

Remove subjective fluff like 'Expert' which adds no discriminative value for skill selection.

Dimension scores (reasoning / score)

Specificity: 1 / 3. The description says 'expert guidance for proactive threat hunting', which is vague and abstract. It does not list any concrete actions like 'analyze logs', 'correlate indicators', or 'search for anomalies'. 'Expert guidance' is fluff rather than a specific capability.

Completeness: 3 / 3. The description answers both 'what' (proactive threat hunting guidance) and 'when' (it explicitly states 'Use this when the user asks to hunt for threats, IOCs, or specific TTPs'). The 'what' is weak and vague, but the 'when' clause is explicit, with trigger conditions.

Trigger Term Quality: 2 / 3. Includes some relevant trigger terms like 'hunt', 'IOCs', and 'TTPs', which are terms a security analyst might use. However, it is missing common variations like 'threat intelligence', 'indicators of compromise', 'MITRE ATT&CK', 'adversary', 'malware', 'suspicious activity', or 'detection'. It also contains a typo ('threads' instead of 'threats') that could hurt matching.

Distinctiveness / Conflict Risk: 2 / 3. The focus on 'threat hunting', 'IOCs', and 'TTPs' provides some distinctiveness within a cybersecurity context, but 'expert guidance' is generic enough that it could overlap with other security-related skills such as incident response, threat intelligence, or SIEM analysis.

Total: 8 / 12

Passed

Implementation

57%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a reasonably well-structured threat hunting skill with clear procedure separation and good use of external references. Its main weaknesses are incomplete actionability (abstract steps without concrete executable examples, especially for TTP hunting) and missing validation checkpoints in workflows that involve iterative investigation. The UDM query patterns for IOC lookups are a strong concrete element.

Suggestions

Add concrete, executable examples for tool invocations (e.g., exact udm_search call syntax with parameters) rather than just naming the tool

Include specific example UDM queries for the TTP hunt procedure (e.g., a complete query for T1003.001 detecting lsass.exe access) to match the concreteness of the IOC hunt queries

Add explicit validation checkpoints — e.g., after Phase 1, define criteria for what constitutes a 'confirmed IOC' before proceeding to Phase 2 deep investigation
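The three suggestions above ask for concrete UDM query examples and an explicit checkpoint between the IOC lookup phase and deep investigation. The block below is an example added for this review; it is not code from the google/mcp-security skill or from its udm_search tool. It classifies a raw indicator, builds the UDM search string an analyst would pass to the search tool, builds a T1003.001 LSASS-access query with a tunable exclusion list, and applies an assumed 'confirmed IOC' gate to constructed sample hits. The UDM field names (the aggregated fields ip, domain and hash; metadata.event_type; target.process.file.full_path) follow the public UDM schema but should be checked against your tenant, and the gate criteria, the allowlists, and the sample hits are assumptions made for the illustration.

```python
"""UDM query building plus an IOC validation gate for a Google SecOps hunt.

Example written for this review, not code from the google/mcp-security
skill. UDM names used here follow the public UDM schema but are assumptions
to verify against your tenant; the 'confirmed IOC' criteria in ioc_gate are
an assumed policy, not the skill's.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def classify_ioc(value):
    """Return 'ip', 'hash', 'url' or 'domain' for a raw indicator string."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if len(v) in HASH_LENGTHS and re.fullmatch(r"[0-9a-fA-F]+", v):
        return "hash"
    if "://" in v:
        parts = urlparse(v)
        if parts.scheme in ("http", "https") and parts.netloc:
            return "url"
    if DOMAIN_RE.match(v):
        return "domain"
    raise ValueError(f"unrecognised IOC: {value!r}")


def udm_str(value):
    """Quote a value as a UDM string literal, escaping backslash and quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def ioc_udm_query(value):
    """Phase 1 lookup: one UDM search string per indicator type.

    ip/domain/hash are UDM aggregated fields (assumed) that match the value
    wherever it appears: principal, target, intermediary, and so on."""
    kind = classify_ioc(value)
    v = value.strip()
    if kind == "ip":
        return f"ip = {udm_str(v)}"
    if kind == "hash":
        return f"hash = {udm_str(v.lower())}"
    if kind == "domain":
        return f"domain = {udm_str(v.lower())}"
    return f"(principal.url = {udm_str(v)} OR target.url = {udm_str(v)})"


# T1003.001 (OS Credential Dumping: LSASS Memory): some process opens a
# handle to lsass.exe. The exclusion list is an assumed starting allowlist of
# Windows components that legitimately open lsass; tune it to your estate.
LSASS_OPENERS_ALLOWED = ["csrss", "wininit", "lsm", "svchost", "MsMpEng", "wmiprvse"]


def t1003_001_udm_query(allowed=LSASS_OPENERS_ALLOWED):
    """TTP hunt query: PROCESS_OPEN events targeting lsass.exe, minus allowlist."""
    alt = "|".join(re.escape(p) for p in allowed)
    return (
        'metadata.event_type = "PROCESS_OPEN"'
        r' AND target.process.file.full_path = /\\lsass\.exe$/ nocase'
        f' AND NOT principal.process.file.full_path = /\\\\({alt})\\.exe$/ nocase'
    )


@dataclass(frozen=True)
class Hit:
    """Minimal view of a UDM event returned by an IOC lookup."""
    event_type: str   # metadata.event_type
    asset: str        # principal.hostname
    matched: str      # the indicator value that matched


# Event types showing the host actually touched the indicator, as opposed to
# a DNS lookup, which may come from a resolver, a sandbox or a blocked attempt.
ACTIVE_EVENT_TYPES = {"NETWORK_CONNECTION", "NETWORK_HTTP", "PROCESS_LAUNCH", "FILE_CREATION"}


def ioc_gate(hits, allowlisted_assets=frozenset()):
    """Checkpoint between Phase 1 (lookup) and Phase 2 (deep investigation).

    Assumed criteria: drop hits from allowlisted assets (scanners, sandboxes,
    sinkholes); 'confirmed' needs at least one active event type on a
    non-allowlisted asset; lookup-only evidence is 'triage'."""
    relevant = [h for h in hits if h.asset not in allowlisted_assets]
    hosts = sorted({h.asset for h in relevant})
    if not relevant:
        return "no_match", hosts
    if any(h.event_type in ACTIVE_EVENT_TYPES for h in relevant):
        return "confirmed", hosts
    return "triage", hosts


# Constructed sample hits (not real telemetry) for a run-through.
SAMPLE_HITS = [
    Hit("NETWORK_DNS", "ws-0412", "malicious-cdn.example.net"),
    Hit("NETWORK_HTTP", "ws-0412", "malicious-cdn.example.net"),
    Hit("NETWORK_DNS", "sandbox-01", "malicious-cdn.example.net"),
]

if __name__ == "__main__":
    for ioc in ["203.0.113.7", "MALICIOUS-CDN.example.net", "a" * 64,
                "https://malicious-cdn.example.net/dl/payload.bin"]:
        print(ioc_udm_query(ioc))
    print(t1003_001_udm_query())
    print(ioc_gate(SAMPLE_HITS, allowlisted_assets={"sandbox-01"}))
```

The query strings are what an analyst would paste into the search tool; the time window is set on the search call, not in the query. The gate returns a verdict and the list of hosts to carry into Phase 2, so the skill's refine/repeat loop has a concrete stopping condition: 'no_match' ends the hunt for that indicator, 'triage' calls for a second query before escalation, and 'confirmed' proceeds to deep investigation.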

Dimension scores (reasoning / score)

Conciseness: 2 / 3. Generally efficient, but includes some unnecessary framing ('You are an expert Threat Hunter') and could tighten certain sections. The tool selection preamble is useful but slightly verbose. Most content earns its place, though some descriptions could be more compact.

Actionability: 2 / 3. Provides concrete UDM query patterns for IOC lookups (IP, domain, hash, URL) and names specific tools, which is good. However, many steps remain at the level of 'do X' without executable examples (no concrete udm_search invocation syntax, no example command-line calls, no example report template). The TTP hunt section is particularly abstract ('Formulate UDM queries' without examples).

Workflow Clarity: 2 / 3. Both procedures have clear numbered sequences and logical phases. However, validation checkpoints are largely missing: there is no explicit verification that IOC matches are true positives before proceeding to Phase 2, and the TTP hunt loop mentions 'Analyze' and 'Refine' but lacks concrete criteria for when to stop or escalate. The refine/repeat loop is mentioned but not structured with explicit validation gates.

Progressive Disclosure: 3 / 3. Content is well organized, with clear section headers, multiple procedures separated logically, and a reference to an external file (TOOL_MAPPING.md) for tool details. The structure allows quick navigation between procedures without deeply nested references.

Total: 9 / 12

Passed

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 passed

Validation for skill structure (criteria, description, result):

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing them or moving them to metadata. Result: Warning

Total: 10 / 11, Passed

Repository: google/mcp-security (Reviewed)
