Expert guidance for deep security investigations. Use this when the user asks to "investigate" a case, entity, or incident.
Score: 72
58% (Does it follow best practices?)
Impact: 97% (1.46x average score across 3 eval scenarios)
Passed: No known issues
Optimize this skill with Tessl:

`npx tessl skill review --optimize ./extensions/google-secops/skills/investigate/SKILL.md`

Quality

Discovery: 40%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description is too vague about what the skill actually does — 'expert guidance' is abstract and doesn't convey concrete actions. While it includes a 'Use when...' clause with some trigger terms, the lack of specific capabilities and limited trigger term coverage weaken its effectiveness for skill selection among many options.
Suggestions

- Replace 'expert guidance for deep security investigations' with specific actions like 'Analyzes security logs, correlates threat indicators, traces attack paths, and triages alerts for incident response investigations.'
- Expand trigger terms to include common variations users would say: 'threat hunting', 'forensics', 'IOC analysis', 'breach investigation', 'security alert', 'malware analysis', 'compromise'.
- Clarify the scope to reduce conflict risk — specify whether this covers SOC triage, digital forensics, threat intelligence, or all of the above.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description says 'expert guidance for deep security investigations' which is vague and abstract. It does not list any concrete actions like 'analyze logs', 'trace IP addresses', 'correlate alerts', or 'examine network traffic'. 'Expert guidance' is fluff rather than a specific capability. | 1 / 3 |
| Completeness | It has a weak 'what' (expert guidance for security investigations) and does include a 'Use when...' clause with explicit triggers ('investigate a case, entity, or incident'). However, the 'what' portion is so vague that the overall completeness is undermined — the 'when' is present but the 'what' doesn't adequately describe concrete capabilities. | 2 / 3 |
| Trigger Term Quality | It includes some relevant trigger terms like 'investigate', 'case', 'entity', and 'incident', which users might naturally say. However, it misses many common variations such as 'threat hunting', 'forensics', 'IOC', 'alert triage', 'malware analysis', 'breach', 'compromise', or 'security event'. | 2 / 3 |
| Distinctiveness / Conflict Risk | The term 'investigate' could overlap with non-security investigation skills (e.g., data investigation, bug investigation). The mention of 'security' and 'incident' helps narrow the scope somewhat, but 'case' and 'entity' are generic enough to cause potential conflicts with other skills. | 2 / 3 |
| Total | | 7 / 12 Passed |
Implementation: 77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a strong, actionable security investigation skill with concrete UDM queries, clear multi-step workflows, and a useful severity assessment matrix. Its main weakness is length—the repeated Remote/Local tool branching pattern across every step adds verbosity, and the multiple full investigation procedures could benefit from being split into separate referenced files. Overall it provides excellent operational guidance for a SOC analyst workflow.
Suggestions

- Consider splitting each investigation procedure (Malware, Lateral Movement, Report) into separate referenced files to improve progressive disclosure and reduce the main SKILL.md length.
- Reduce repetition of the Remote/Local tool branching by defining a shorthand convention once (e.g., a table mapping capabilities to Remote and Local tool names) and referencing it, rather than listing both options at every step.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is reasonably efficient for its complexity, but includes some unnecessary framing ('You are a Tier 2/3 SOC Analyst') and could tighten several sections. The tool selection preamble repeats Remote/Local patterns extensively across every procedure step, adding bulk. However, the severity matrix and query examples earn their place. | 2 / 3 |
| Actionability | Provides concrete UDM queries that are copy-paste ready, specific tool names for each step, clear variable placeholders (`${FILE_HASH}`, `${CASE_ID}`), and a detailed severity assessment matrix. Each procedure has explicit, executable steps with named tools and query syntax. | 3 / 3 |
| Workflow Clarity | Multi-step procedures are clearly sequenced and numbered with explicit validation checkpoints (e.g., 'CRITICAL: Confirm no sensitive PII/Secrets in report' before generating output). Each investigation type has a well-defined objective, inputs, and ordered steps with cross-references to common procedures. The tool availability check at the top acts as a pre-flight validation. | 3 / 3 |
| Progressive Disclosure | The skill references `extensions/google-secops/TOOL_MAPPING.md` for tool details (good delegation), and common procedures are factored out to avoid repetition. However, no bundle files are provided to verify the reference, and the skill is quite long (~120 lines of dense content) with all investigation procedures inline rather than split into separate files. The lateral movement queries and malware investigation could be separate referenced documents. | 2 / 3 |
| Total | | 10 / 12 Passed |
Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation for skill structure: 10 / 11 Passed

| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
fb807e9