Expert guidance for deep security investigations. Use this when the user asks to "investigate" a case, entity, or incident.
Score: 77
Quality: 66% (Does it follow best practices?)
Impact: 97% (1.46x average score across 3 eval scenarios)
Passed, no known issues

Optimize this skill with Tessl:
npx tessl skill review --optimize ./extensions/google-secops/skills/investigate/SKILL.md

Quality
Discovery: 40%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description has a proper 'Use when' clause structure but fails to articulate what the skill actually does beyond vague 'expert guidance.' The trigger terms are reasonable but incomplete, and the lack of concrete actions makes it difficult to understand the skill's true capabilities or distinguish it from other investigation-related skills.
Suggestions:
- Replace 'Expert guidance for deep security investigations' with specific actions like 'Analyzes security logs, correlates threat indicators, traces attack paths, and documents incident timelines'
- Expand trigger terms to include natural phrases like 'security breach', 'threat hunting', 'forensic analysis', 'IOC', 'malware', or 'compromise'
- Add specificity about what types of investigations (network intrusion, malware analysis, insider threat, etc.) to improve distinctiveness
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description uses vague language like 'expert guidance' and 'deep security investigations' without listing any concrete actions. It doesn't specify what the skill actually does (e.g., analyze logs, trace network traffic, correlate events). | 1 / 3 |
| Completeness | Has a 'Use when' clause which addresses when to use it, but the 'what' portion is extremely weak: 'expert guidance' doesn't explain what the skill actually does or what capabilities it provides. | 2 / 3 |
| Trigger Term Quality | Includes 'investigate', 'case', 'entity', and 'incident' which are relevant keywords, but misses common variations users might say like 'security breach', 'threat', 'compromise', 'forensics', 'IOC', or 'alert triage'. | 2 / 3 |
| Distinctiveness Conflict Risk | The term 'investigate' is fairly broad and could overlap with non-security investigation skills. 'Security investigations' provides some specificity, but 'case' and 'entity' are generic terms that could trigger conflicts with other skills. | 2 / 3 |
| Total | | 7 / 12 Passed |
Implementation: 92%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a high-quality security investigation skill with excellent actionability and workflow clarity. The UDM queries are concrete and executable, procedures are well-sequenced with validation steps, and the severity assessment matrix provides clear decision criteria. The only minor weakness is that the skill is somewhat lengthy and could benefit from splitting detailed procedures into separate reference files.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is lean and efficient, assuming Claude's competence as a security analyst. No unnecessary explanations of basic concepts like what malware is or how SIEM works; it jumps straight to actionable procedures. | 3 / 3 |
| Actionability | Provides concrete UDM queries, specific tool names, and exact command patterns. The queries are copy-paste ready (e.g., `target.file.sha256 = "FILE_HASH"`) and steps clearly specify which tools to use for Remote vs Local environments. | 3 / 3 |
| Workflow Clarity | Multi-step procedures are clearly numbered with explicit checkpoints. The Malware Investigation includes a severity assessment matrix for decision-making, and the Report procedure includes a CRITICAL redaction validation step before generating output. | 3 / 3 |
| Progressive Disclosure | Content is well-organized with clear sections and references to external files (TOOL_MAPPING.md), but the skill itself is fairly long. Common Procedures are nicely extracted, but some procedures could potentially be split into separate files for better navigation. | 2 / 3 |
| Total | | 11 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |