secops-triage

Expert guidance for security alert triage. Use this when the user asks to "triage" an alert or case.

2.20x

Quality

58%

Does it follow best practices?

Impact

99%

2.20x

Average score across 3 eval scenarios

Securityby

Passed

No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./extensions/google-secops/skills/triage/SKILL.md

Quality

Content

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured security triage workflow with strong actionability and clear step sequencing. The dual Remote/Local tool paths are practical but add verbosity throughout. The main weakness is that referenced files (TOOL_MAPPING.md, other Skills) are not provided in the bundle, making progressive disclosure harder to verify, and some content could be better organized into sub-files.

Suggestions

Remove the persona statement ('You are a Tier 1 SOC Analyst expert') as it wastes tokens on something that should be in frontmatter or is unnecessary.

Consider splitting alert-type-specific SIEM search patterns (Suspicious Login, Malware, Network) into a referenced sub-file to reduce the main skill's length and improve progressive disclosure.

Dimension	Reasoning	Score
Conciseness	The skill is reasonably efficient but includes some unnecessary framing ('You are a Tier 1 SOC Analyst expert') and variable placeholders (${KEY_ENTITIES}, ${SIMILAR_CASE_IDS}) that add verbosity. The dual Remote/Local tool paths throughout every step add bulk but are arguably necessary for the skill's purpose.	2 / 3
Actionability	Each step specifies exact tool names, parameters (e.g., expand='tasks,tags,products'), filter syntax (description="ENTITY_VALUE" AND status="OPENED"), and decision logic. The classification table provides concrete criteria and actions. While there's no runnable code per se, for an instruction-based security workflow skill, the guidance is highly specific and directly executable.	3 / 3
Workflow Clarity	The 7-step protocol is clearly sequenced with explicit decision points (duplicate check → STOP, FP/BTP → close, TP → escalate). It includes validation checkpoints like the duplicate check gate and the classification assessment step before final action. The workflow has clear branching logic and a feedback loop via the enrichment sub-procedure.	3 / 3
Progressive Disclosure	The skill references 'extensions/google-secops/TOOL_MAPPING.md' and 'relevant Skills' for escalation, but no bundle files are provided to verify these exist. The Common Procedures section is appropriately separated at the bottom. However, the content is somewhat monolithic — the alert-specific SIEM search patterns (Suspicious Login, Malware, Network) could be split into referenced sub-files, and the tool mapping reference is unverifiable.	2 / 3
	Total	10 / 12 Passed

Description

40%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description identifies a clear domain (security alert triage) and includes a basic 'Use when' clause, but it lacks concrete actions describing what the skill actually does. The trigger terms are too narrow, missing many natural phrases a user might employ when needing this skill, and the vague 'expert guidance' phrasing provides little information about specific capabilities.

Suggestions

Replace 'expert guidance for security alert triage' with specific actions such as 'Classifies alert severity, identifies false positives, correlates indicators of compromise, and recommends response actions for security alerts.'

Expand trigger terms in the 'Use when' clause to include variations like 'security incident', 'SOC alert', 'investigate alert', 'false positive analysis', 'SIEM notification', or 'threat detection'.

Add more detail about what outputs or deliverables the skill produces (e.g., 'produces a triage summary with severity classification, affected assets, and recommended next steps').

Dimension	Reasoning	Score
Specificity	The description says 'expert guidance for security alert triage' which is vague. It does not list any concrete actions like 'analyze log entries', 'classify severity levels', 'recommend response actions', or 'correlate indicators of compromise'. 'Expert guidance' is abstract fluff.	1 / 3
Completeness	It has a 'Use this when...' clause addressing the 'when' question, but the 'what' portion is weak — 'expert guidance' doesn't clearly explain what the skill actually does. The 'when' trigger is also narrow, limited to the word 'triage'.	2 / 3
Trigger Term Quality	It includes 'triage', 'alert', and 'case' as trigger terms, which are relevant but missing common variations users might say such as 'security incident', 'SOC alert', 'investigate alert', 'false positive', 'threat detection', 'SIEM alert', or 'security event'.	2 / 3
Distinctiveness Conflict Risk	The mention of 'security alert triage' provides some specificity to a security operations domain, but 'alert' and 'case' are generic enough to potentially overlap with other security-related skills (e.g., incident response, threat hunting, vulnerability management).	2 / 3
	Total	7 / 12 Passed

Validation

90%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed

Validation for skill structure

Criteria	Description	Result
frontmatter_unknown_keys	Unknown frontmatter key(s) found; consider removing or moving to metadata	Warning

	Total	10 / 11 Passed

Repository: google/mcp-security
Commit: fb807e9

Reviewed: about 1 month ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.