secops-hunt

Expert guidance for proactive threat hunting. Use this when the user asks to "hunt" for threads, IOCs, or specific TTPs.

2.02x

Quality

45%

Does it follow best practices?

Impact

97%

2.02x

Average score across 3 eval scenarios

Securityby

Passed

No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./extensions/google-secops/skills/hunt/SKILL.md

Quality

Content

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a competent threat hunting skill with clear procedural structure and useful UDM query patterns for IOC searches. Its main weaknesses are incomplete actionability (many steps describe what to do abstractly rather than providing executable examples with concrete tool parameters) and missing validation checkpoints in the primary workflow. The tool selection guidance is practical but adds some verbosity.

Suggestions

Add concrete, copy-paste-ready tool invocation examples for key tools (e.g., exact parameters for `get_ioc_match`, `udm_search`, `list_cases`) rather than just naming them.

Add explicit validation checkpoints in the GTI Campaign workflow — e.g., after Phase 1, verify hits are true positives before proceeding to Phase 2 deep investigation.

Provide at least one concrete TTP hunt query example (e.g., a full UDM query for T1003.001 detecting lsass.exe access) instead of describing queries abstractly.

Either provide the referenced `TOOL_MAPPING.md` bundle file or inline the critical tool name mappings to ensure the skill is self-contained.

Dimension	Reasoning	Score
Conciseness	Generally efficient but includes some unnecessary framing ('You are an expert Threat Hunter') and explanatory text that Claude doesn't need. The tool selection section could be tighter, and some action descriptions are slightly verbose.	2 / 3
Actionability	Provides concrete UDM query patterns for IOC lookups and names specific tools, which is good. However, many steps remain at the 'Action: do X' level without executable examples (e.g., no concrete tool invocation syntax, no example parameters for list_cases or summarize_entity). The TTP hunt queries are described abstractly ('e.g., specific process names, command lines') rather than giving concrete examples.	2 / 3
Workflow Clarity	Multi-step workflows are clearly sequenced and numbered with distinct phases. However, validation checkpoints are missing — there's no explicit verification that IOC matches are true positives before deep investigation, no error handling for failed queries, and no feedback loop for the GTI campaign procedure (the TTP hunt has a refine/repeat loop, which is better).	2 / 3
Progressive Disclosure	References `extensions/google-secops/TOOL_MAPPING.md` for tool mapping (good delegation), but no bundle files are provided to support this reference. The content is reasonably structured with multiple procedures, but the skill is moderately long and could benefit from splitting detailed query patterns or procedure details into separate referenced files.	2 / 3
	Total	8 / 12 Passed

Description

40%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description identifies a cybersecurity threat hunting domain and includes a 'Use when' clause with some relevant trigger terms, but it is undermined by vague capability language ('expert guidance'), a typo ('threads' instead of 'threats'), and a lack of concrete actions. It needs significantly more specificity about what the skill actually does and broader coverage of natural trigger terms.

Suggestions

Replace 'Expert guidance for proactive threat hunting' with specific actions like 'Searches logs for indicators of compromise (IOCs), maps adversary behavior to MITRE ATT&CK TTPs, and identifies anomalous patterns in network or endpoint data.'

Fix the typo 'threads' → 'threats' and expand trigger terms to include natural variations like 'threat intelligence', 'indicators of compromise', 'MITRE ATT&CK', 'suspicious activity', 'adversary techniques'.

Strengthen the 'Use when' clause to be more explicit, e.g., 'Use when the user asks to hunt for threats, investigate IOCs, search for adversary TTPs, or perform proactive security analysis on logs or telemetry data.'

Dimension	Reasoning	Score
Specificity	The description says 'Expert guidance for proactive threat hunting' which is vague and abstract. It does not list any concrete actions like 'analyze logs', 'correlate indicators', or 'search for anomalies'. The phrase 'expert guidance' is fluff rather than a specific capability.	1 / 3
Completeness	It has a 'Use this when...' clause which addresses the 'when', but the 'what' portion is extremely weak — 'expert guidance' does not explain what the skill actually does. The 'when' clause partially compensates but the 'what' is essentially missing concrete detail.	2 / 3
Trigger Term Quality	Includes some relevant trigger terms like 'hunt', 'IOCs', and 'TTPs', which are terms a security analyst would use. However, it contains a typo ('threads' instead of 'threats'), and is missing common variations like 'threat intelligence', 'indicators of compromise', 'MITRE ATT&CK', 'adversary behavior', 'log analysis', or 'suspicious activity'.	2 / 3
Distinctiveness Conflict Risk	The mention of 'threat hunting', 'IOCs', and 'TTPs' narrows the domain to cybersecurity, which provides some distinctiveness. However, it could overlap with other security-related skills (e.g., incident response, threat intelligence analysis) since the description doesn't clearly delineate its specific niche.	2 / 3
	Total	7 / 12 Passed

Validation

90%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed

Validation for skill structure

Criteria	Description	Result
frontmatter_unknown_keys	Unknown frontmatter key(s) found; consider removing or moving to metadata	Warning

	Total	10 / 11 Passed

Repository: google/mcp-security
Commit: fb807e9

Reviewed: about 1 month ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.