
secops-triage

Expert guidance for security alert triage. Use this when the user asks to "triage" an alert or case.

Overall score: 72

Quality: 58% (does it follow best practices?)

Impact: 99%, 2.20x (average score across 3 eval scenarios)

Security (by Snyk): Passed, no known issues

Optimize this skill with Tessl:

npx tessl skill review --optimize ./extensions/google-secops/skills/triage/SKILL.md

Quality

Discovery: 40%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description identifies a clear domain (security alert triage) and includes a basic 'Use when' clause, but it lacks concrete actions describing what the skill actually does. The trigger terms are too narrow, missing many natural phrases a user might employ when needing this skill, and the vague 'expert guidance' phrasing provides little information about specific capabilities.

Suggestions

Replace 'expert guidance for security alert triage' with specific actions such as 'Classifies alert severity, identifies false positives, correlates indicators of compromise, and recommends response actions for security alerts.'

Expand trigger terms in the 'Use when' clause to include variations like 'security incident', 'SOC alert', 'investigate alert', 'false positive analysis', 'SIEM notification', or 'threat detection'.

Add more detail about what outputs or deliverables the skill produces (e.g., 'produces a triage summary with severity classification, affected assets, and recommended next steps').

Dimension / Reasoning / Score

Specificity (1 / 3): The description says 'expert guidance for security alert triage', which is vague. It does not list any concrete actions like 'analyze log entries', 'classify severity levels', 'recommend response actions', or 'correlate indicators of compromise'. 'Expert guidance' is abstract filler.

Completeness (2 / 3): It has a 'Use this when...' clause addressing the 'when' question, but the 'what' portion is weak — 'expert guidance' doesn't clearly explain what the skill actually does. The 'when' trigger is also narrow, limited to the word 'triage'.

Trigger Term Quality (2 / 3): It includes 'triage', 'alert', and 'case' as trigger terms, which are relevant but miss common variations users might say, such as 'security incident', 'SOC alert', 'investigate alert', 'false positive', 'threat detection', 'SIEM alert', or 'security event'.

Distinctiveness / Conflict Risk (2 / 3): The mention of 'security alert triage' provides some specificity to the security operations domain, but 'alert' and 'case' are generic enough to overlap with other security-related skills (e.g., incident response, threat hunting, vulnerability management).

Total: 7 / 12

Passed

Implementation: 77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured security triage workflow with strong actionability and clear step sequencing. The dual Remote/Local tool paths are practical but add verbosity throughout. The main weakness is that referenced files (TOOL_MAPPING.md, other Skills) are not provided in the bundle, making progressive disclosure harder to verify, and some content could be better organized into sub-files.

Suggestions

Remove the persona statement ('You are a Tier 1 SOC Analyst expert') as it wastes tokens on something that should be in frontmatter or is unnecessary.

Consider splitting alert-type-specific SIEM search patterns (Suspicious Login, Malware, Network) into a referenced sub-file to reduce the main skill's length and improve progressive disclosure.

Dimension / Reasoning / Score

Conciseness (2 / 3): The skill is reasonably efficient but includes some unnecessary framing ('You are a Tier 1 SOC Analyst expert') and variable placeholders (${KEY_ENTITIES}, ${SIMILAR_CASE_IDS}) that add verbosity. The dual Remote/Local tool paths throughout every step add bulk but are arguably necessary for the skill's purpose.

Actionability (3 / 3): Each step specifies exact tool names, parameters (e.g., expand='tasks,tags,products'), filter syntax (description="*ENTITY_VALUE*" AND status="OPENED"), and decision logic. The classification table provides concrete criteria and actions. While there is no runnable code per se, for an instruction-based security workflow skill the guidance is highly specific and directly executable.

Workflow Clarity (3 / 3): The 7-step protocol is clearly sequenced with explicit decision points (duplicate check → STOP, FP/BTP → close, TP → escalate). It includes validation checkpoints like the duplicate check gate and the classification assessment step before final action. The workflow has clear branching logic and a feedback loop via the enrichment sub-procedure.

Progressive Disclosure (2 / 3): The skill references 'extensions/google-secops/TOOL_MAPPING.md' and 'relevant Skills' for escalation, but no bundle files are provided to verify these exist. The Common Procedures section is appropriately separated at the bottom. However, the content is somewhat monolithic: the alert-specific SIEM search patterns (Suspicious Login, Malware, Network) could be split into referenced sub-files, and the tool mapping reference is unverifiable.

Total: 10 / 12

Passed
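The decision points the review credits (duplicate check → STOP, FP/BTP → close, TP → escalate) and the quoted case filter syntax can be exercised as a small offline gate. The following is an added illustration written for this review, not the skill's own code and not the Google SecOps SOAR or Chronicle API: the case search is simulated against an in-memory list, the Case and Alert fields, the FP/BTP criteria (zero corroborating indicators → FP, allowlisted entity → BTP) and the quote/wildcard rejection in the filter builder are all constructed assumptions. The one practitioner point it adds is that the entity value is interpolated into a query string, so it must not be allowed to carry quotes or wildcards that would widen the duplicate search.

```python
"""Triage gate: duplicate check -> STOP, FP/BTP -> CLOSE, TP -> ESCALATE.

Constructed example for illustration only; the case store and filter
evaluator stand in for the real SOAR case search so it runs offline.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
import re


@dataclass
class Case:          # assumed shape of a SOAR case record
    case_id: int
    description: str
    status: str      # "OPENED" or "CLOSED"


@dataclass
class Alert:         # assumed shape of an alert after enrichment
    alert_id: str
    entity: str      # key entity pivoted on (user, host, IP, hash)
    ioc_matches: int # corroborating indicators found during enrichment
    allowlisted: bool  # entity/activity on a known-benign or approved-change list


def duplicate_filter(entity: str) -> str:
    """Build the case filter in the syntax quoted by the review:
    description="*ENTITY_VALUE*" AND status="OPENED".

    The entity comes from the alert, i.e. from data an attacker may
    influence, so quotes and wildcards are rejected rather than escaped
    (the real filter language's escaping rules are not assumed here)."""
    if any(ch in entity for ch in '"*?[') or not entity.strip():
        raise ValueError(f"entity not safe to interpolate into filter: {entity!r}")
    return f'description="*{entity}*" AND status="OPENED"'


# Accepts only the exact filter shape duplicate_filter() produces.
_FILTER_RE = re.compile(r'^description="(?P<pattern>[^"]*)" AND status="(?P<status>[^"]*)"$')


def search_cases(cases: list[Case], filter_str: str) -> list[Case]:
    """Local stand-in for the SOAR case search: wildcard match on description,
    exact match on status."""
    m = _FILTER_RE.match(filter_str)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str!r}")
    pattern, status = m["pattern"], m["status"]
    return [c for c in cases if c.status == status and fnmatchcase(c.description, pattern)]


def classify(alert: Alert) -> str:
    """Constructed classification criteria: BTP if allowlisted, FP if nothing
    corroborates the detection, otherwise TP."""
    if alert.allowlisted:
        return "BTP"
    if alert.ioc_matches == 0:
        return "FP"
    return "TP"


def triage(alert: Alert, cases: list[Case]) -> dict:
    """Run the gate: the duplicate check happens first and short-circuits
    everything else, mirroring the STOP decision point."""
    dups = search_cases(cases, duplicate_filter(alert.entity))
    if dups:
        return {"alert": alert.alert_id, "action": "STOP", "classification": None,
                "related_cases": [c.case_id for c in dups]}
    verdict = classify(alert)
    action = "ESCALATE" if verdict == "TP" else "CLOSE"
    return {"alert": alert.alert_id, "action": action, "classification": verdict,
            "related_cases": []}


# Constructed sample data (not real cases or alerts).
CASES = [
    Case(101, "Suspicious login for jdoe@example.com from new ASN", "OPENED"),
    Case(102, "Malware detected on host WS-0451", "CLOSED"),
]
ALERTS = [
    Alert("A1", "jdoe@example.com", ioc_matches=2, allowlisted=False),  # open case exists
    Alert("A2", "WS-0451", ioc_matches=3, allowlisted=False),           # prior case is CLOSED
    Alert("A3", "10.0.0.7", ioc_matches=0, allowlisted=False),          # nothing corroborates
    Alert("A4", "svc-backup", ioc_matches=1, allowlisted=True),         # approved activity
]


def run_triage() -> list[dict]:
    return [triage(a, CASES) for a in ALERTS]


if __name__ == "__main__":
    for result in run_triage():
        print(result)
```

The order matters: the duplicate gate runs before classification, so an alert whose entity already has an open case never reaches the FP/BTP/TP branch, and a CLOSED case does not count as a duplicate.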

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 10 / 11

Passed

Repository: google/mcp-security (Reviewed)
