Expert guidance for deep security investigations. Use this when the user asks to "investigate" a case, entity, or incident.
74
62%
Does it follow best practices?
Impact
97%
1.46x average score across 3 eval scenarios
Passed
No known issues
Optimize this skill with Tessl: npx tessl skill review --optimize ./extensions/google-secops/skills/investigate/SKILL.md
Quality
Discovery
40%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description is too vague about what the skill actually does — 'expert guidance' is not a concrete capability. While it includes a 'Use when' clause with some trigger terms, it lacks specificity in both the actions it performs and the range of natural language triggers that would help Claude select it appropriately. The security domain provides some distinctiveness but the description needs significantly more detail.
Suggestions
Replace 'expert guidance for deep security investigations' with specific actions like 'Analyzes security alerts, correlates indicators of compromise, traces attack paths, and examines logs to support incident investigations.'
Expand trigger terms in the 'Use when' clause to include natural variations like 'security incident', 'breach', 'threat analysis', 'forensic analysis', 'suspicious activity', 'alert triage', or 'compromise'.
Clarify what 'entity' means in context (e.g., 'IP address', 'domain', 'user account', 'host') to reduce ambiguity and improve distinctiveness.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description says 'expert guidance for deep security investigations' which is vague and abstract. It does not list any concrete actions like 'analyze logs', 'trace IP addresses', 'correlate alerts', or 'examine network traffic'. 'Expert guidance' is fluff rather than a specific capability. | 1 / 3 |
| Completeness | It has a 'Use this when...' clause which addresses the 'when', but the 'what' portion is extremely weak — 'expert guidance for deep security investigations' doesn't explain what the skill actually does. The 'when' clause is present but narrow, only triggering on the word 'investigate'. | 2 / 3 |
| Trigger Term Quality | It includes 'investigate', 'case', 'entity', and 'incident' which are somewhat relevant keywords. However, it misses many natural terms users might say like 'security alert', 'breach', 'threat', 'IOC', 'forensics', 'compromise', 'suspicious activity', or 'malware'. | 2 / 3 |
| Distinctiveness Conflict Risk | The security investigation domain provides some distinctiveness, but 'investigate a case, entity, or incident' is broad enough to overlap with general incident response skills, threat intelligence skills, or case management skills. The term 'entity' is particularly ambiguous. | 2 / 3 |
| Total | | 7 / 12 Passed |
Implementation
85%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, well-structured skill that provides highly actionable investigation procedures with concrete queries, tool mappings, and severity assessment criteria. The workflow clarity is excellent with numbered steps, validation checkpoints, and reusable common procedures. Minor improvements could be made in conciseness by consolidating the repeated Remote/Local tool branching pattern and removing the unnecessary persona framing.
Suggestions
Remove the 'You are a Tier 2/3 SOC Analyst and Incident Responder' persona statement — Claude doesn't need role-play framing to follow procedures.
Consider consolidating the repeated Remote/Local tool branching into a single reference table at the top (e.g., 'Case Context: Remote=get_case+list_case_alerts, Local=get_case_full_details') to reduce repetition across procedures.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is reasonably efficient and avoids explaining basic security concepts, but some sections are slightly verbose with repeated Remote/Local tool distinctions that could be consolidated into a reference table. The opening 'You are a Tier 2/3 SOC Analyst' framing is unnecessary context Claude doesn't need. | 2 / 3 |
| Actionability | Provides concrete UDM queries, specific tool names, exact file paths (e.g., PSEXESVC.exe, WmiPrvSE.exe), MITRE ATT&CK technique IDs, and a severity assessment matrix. The procedures are copy-paste ready with specific query syntax and clear variable placeholders. | 3 / 3 |
| Workflow Clarity | Multi-step procedures are clearly numbered and sequenced with explicit checkpoints (e.g., 'CRITICAL: Confirm no sensitive PII/Secrets in report' as a validation gate before generating reports). Each procedure has defined objectives, inputs, and steps with cross-references to common procedures, creating clear feedback loops. | 3 / 3 |
| Progressive Disclosure | Well-structured with a clear hierarchy: Tool Selection overview → specific investigation procedures → reusable common procedures. References to external files (TOOL_MAPPING.md) are one level deep and clearly signaled. Common procedures are factored out to avoid repetition while keeping the main workflows readable. | 3 / 3 |
| Total | | 11 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
c8d73ae