Expert guidance for proactive threat hunting. Use this when the user asks to "hunt" for threads, IOCs, or specific TTPs.
72
58%
Does it follow best practices?
Impact
97%
2.02x Average score across 3 eval scenarios
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./extensions/google-secops/skills/hunt/SKILL.md

Quality
Discovery
40%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description has a proper 'Use when' clause with some domain-specific trigger terms, but fails to specify what concrete actions the skill performs. The vague 'Expert guidance' phrase provides no actionable information about capabilities, and there's a typo ('threads' instead of 'threats') that could affect matching.
Suggestions
Replace 'Expert guidance for proactive threat hunting' with specific actions like 'Analyze logs for suspicious patterns, correlate IOCs across data sources, map adversary behavior to MITRE ATT&CK framework'
Fix the typo 'threads' to 'threats' and expand trigger terms to include variations like 'indicators of compromise', 'threat detection', 'adversary hunting', 'MITRE ATT&CK'
Add concrete outputs or deliverables the skill produces (e.g., 'generates hunt hypotheses, creates detection queries, documents findings')
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description uses vague language like 'Expert guidance' without listing any concrete actions. It doesn't specify what the skill actually does (e.g., analyze logs, query SIEM, correlate events). | 1 / 3 |
| Completeness | Has a 'Use when' clause addressing when to use it, but the 'what' portion is extremely weak: 'Expert guidance' doesn't explain what the skill actually does or what capabilities it provides. | 2 / 3 |
| Trigger Term Quality | Includes some relevant terms like 'hunt', 'IOCs', and 'TTPs' that security professionals would use, but contains a typo ('threads' instead of 'threats') and misses common variations like 'indicators of compromise', 'adversary techniques', or 'threat detection'. | 2 / 3 |
| Distinctiveness Conflict Risk | The security/threat hunting domain is somewhat specific, and terms like 'IOCs' and 'TTPs' help distinguish it, but 'Expert guidance' is generic and could overlap with other security-related skills. | 2 / 3 |
| Total | | 7 / 12 Passed |
Implementation
77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured threat hunting skill with clear procedural workflows and good tool selection guidance. The main weakness is that actionability could be improved with more concrete, executable query examples rather than template patterns. The content is appropriately concise for an expert-level skill.
Suggestions
Add 1-2 complete, executable UDM query examples with realistic IOC values to improve actionability
Consider providing a concrete example of the Hunt Loop iteration showing actual query refinement steps
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is lean and efficient, avoiding explanations of concepts Claude already knows. It jumps directly into tool selection logic and procedural workflows without padding or unnecessary context. | 3 / 3 |
| Actionability | Provides concrete tool names and UDM query patterns, but lacks fully executable code examples. The queries are templates rather than copy-paste ready commands, and some steps like 'Develop Queries' remain somewhat abstract. | 2 / 3 |
| Workflow Clarity | Multi-step processes are clearly sequenced with numbered phases. The Hunt Loop includes explicit iteration logic (analyze, refine, repeat) and the workflows have clear checkpoints for decision-making (e.g., 'If too noisy, add filters'). | 3 / 3 |
| Progressive Disclosure | References an external file (TOOL_MAPPING.md) appropriately, but the skill itself is moderately long with multiple procedures inline. The Common Procedures section could potentially be split out for better organization. | 2 / 3 |
| Total | | 10 / 12 Passed |
Validation
90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |