Expert guidance for deep security investigations. Use this when the user asks to "investigate" a case, entity, or incident.
Overall score: 76

Quality: 65% (Does it follow best practices?)

Impact: 97% (1.46x average score across 3 eval scenarios). Passed. No known issues.

Optimize this skill with Tessl: `npx tessl skill review --optimize ./extensions/google-secops/skills/investigate/SKILL.md`

Quality
Discovery
57%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description has good structural completeness with an explicit 'Use this when...' clause and some useful trigger terms. However, it is significantly weakened by the lack of specific, concrete actions—'expert guidance' is vague and tells Claude nothing about what the skill actually does. Adding concrete capabilities and more domain-specific trigger terms would greatly improve skill selection accuracy.
Suggestions
Replace 'Expert guidance for deep security investigations' with specific actions like 'Analyzes security alerts, correlates indicators of compromise, traces attack paths, and triages incidents'.
Expand trigger terms to include natural variations like 'threat hunting', 'forensics', 'breach', 'compromise', 'malware', 'alert triage', 'IOC analysis', or 'security incident'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description says 'expert guidance for deep security investigations', which is vague and abstract. It does not list any concrete actions like 'analyze logs', 'trace IP addresses', 'correlate alerts', or 'examine network traffic'. 'Expert guidance' is fluff rather than a specific capability. | 1 / 3 |
| Completeness | It explicitly answers both 'what' (security investigations guidance) and 'when' (when the user asks to 'investigate' a case, entity, or incident) with a clear 'Use this when...' clause. While the 'what' is vague, the structure is complete. | 3 / 3 |
| Trigger Term Quality | It includes some relevant trigger terms like 'investigate', 'case', 'entity', and 'incident', which users might naturally say. However, it misses many common variations such as 'threat hunting', 'forensics', 'IOC', 'alert triage', 'malware analysis', 'breach', 'compromise', or 'SIEM'. | 2 / 3 |
| Distinctiveness / Conflict Risk | The term 'investigate' is somewhat distinctive for security contexts, but it could overlap with non-security investigation skills (e.g., data investigation, bug investigation). The domain 'security' helps narrow it, but 'entity' and 'case' are generic enough to cause potential conflicts. | 2 / 3 |
| Total | | 8 / 12 (Passed) |
Implementation
72%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured security investigation skill with strong actionability through specific UDM queries, concrete tool references, and clear procedural workflows. Its main weaknesses are the lack of validation/error-handling checkpoints in the workflows and some redundancy in the Remote/Local branching pattern that could be more concisely expressed. The progressive disclosure and overall organization are excellent.
Suggestions
Add validation checkpoints and error recovery guidance (e.g., 'If query returns 0 results, broaden time window or check alternate hash type' or 'If entity not found, verify hash format before proceeding').
Consider consolidating the repeated Remote/Local branching into a single reference table or convention (e.g., 'See Tool Selection above') rather than repeating it in every step of every procedure.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is reasonably efficient and avoids explaining basic security concepts, but includes some redundancy with repeated Remote/Local tool branching patterns that could be consolidated. The opening 'You are a Tier 2/3 SOC Analyst' framing is unnecessary context Claude doesn't need. | 2 / 3 |
| Actionability | Provides specific UDM queries that are copy-paste ready, concrete tool names for each step, clear input variables, and a severity assessment matrix with defined thresholds. The procedures give explicit, executable guidance rather than vague descriptions. | 3 / 3 |
| Workflow Clarity | Steps are clearly sequenced with numbered procedures and cross-references to common procedures. However, there are no explicit validation checkpoints or error recovery loops, e.g., what to do if a query returns no results, if the tool availability check fails, or if enrichment returns ambiguous data. For security investigations involving potentially destructive response actions, this is a gap. | 2 / 3 |
| Progressive Disclosure | Well-structured with a clear hierarchy: tool selection overview, then specific investigation procedures, then reusable common procedures. References to external files (TOOL_MAPPING.md) are one level deep and clearly signaled. Content is appropriately split between main procedures and common sub-procedures. | 3 / 3 |
| Total | | 10 / 12 (Passed) |
Validation
90%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 (Passed) |