Expert guidance for deep security investigations. Use this when the user asks to "investigate" a case, entity, or incident.
Install with Tessl CLI
npx tessl i github:google/mcp-security --skill secops-investigate72
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skill
Discovery
40%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description has a proper 'Use when...' clause but fails to specify what concrete actions the skill performs. 'Expert guidance' is vague fluff that doesn't help Claude understand the skill's actual capabilities. The trigger terms are reasonable but incomplete for a security investigation domain.
Suggestions
Replace 'Expert guidance for deep security investigations' with specific actions like 'Analyzes security logs, correlates threat indicators, traces attack paths, and investigates compromised systems'
Expand trigger terms to include natural security vocabulary: 'breach', 'threat', 'malware', 'forensics', 'IOC', 'compromise', 'attack'
Add specificity about what types of investigations are covered (e.g., network intrusions, malware analysis, insider threats)
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description uses vague language like 'expert guidance' and 'deep security investigations' without listing any concrete actions. It doesn't specify what the skill actually does (e.g., analyze logs, trace network traffic, correlate events). | 1 / 3 |
| Completeness | Has an explicit 'Use when...' clause which addresses when to use it, but the 'what' portion is extremely weak: 'expert guidance' doesn't explain what actions or capabilities the skill provides. | 2 / 3 |
| Trigger Term Quality | Includes 'investigate', 'case', 'entity', and 'incident' which are relevant keywords, but misses common variations like 'security breach', 'threat hunting', 'forensics', 'IOC', 'compromise', or 'attack analysis'. | 2 / 3 |
| Distinctiveness / Conflict Risk | The term 'investigate' is somewhat specific to security contexts, but 'case' and 'entity' are generic terms that could overlap with legal, business, or other investigation-type skills. | 2 / 3 |
| Total | | 7 / 12 Passed |
Implementation
92%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-crafted security investigation skill that provides concrete, actionable guidance for SOC analysts. The dual Remote/Local tool paths are clearly documented, UDM queries are specific and executable, and the severity assessment matrix adds valuable decision support. Minor improvement could come from better progressive disclosure by splitting major investigation types into separate referenced files.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is lean and efficient, assuming Claude's competence as a security analyst. No unnecessary explanations of basic concepts like what malware is or how SIEM works; it jumps straight to actionable procedures. | 3 / 3 |
| Actionability | Provides concrete UDM queries, specific tool names, and exact steps for each investigation type. The queries are copy-paste ready and the procedures specify exact inputs and outputs. | 3 / 3 |
| Workflow Clarity | Multi-step processes are clearly numbered with explicit checkpoints. The severity assessment matrix provides clear decision criteria, and procedures reference common sub-procedures for consistency. The 'CRITICAL' redaction check before report generation shows validation awareness. | 3 / 3 |
| Progressive Disclosure | References an external file (TOOL_MAPPING.md) appropriately, but the skill itself is fairly long with multiple procedures inline. The common procedures section helps, but the investigation procedures could potentially be split into separate files for better organization. | 2 / 3 |
| Total | | 11 / 12 Passed |
Validation
90%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |