
secops-triage

Expert guidance for security alert triage. Use this when the user asks to "triage" an alert or case.

Overall score: 72 (2.20x)

Quality: 58% (Does it follow best practices?)

Impact: 99%, 2.20x (average score across 3 eval scenarios)

Security (by Snyk): Passed, no known issues

Optimize this skill with Tessl:

npx tessl skill review --optimize ./extensions/google-secops/skills/triage/SKILL.md

Quality

Discovery: 40%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is too vague on capabilities, relying on the abstract phrase 'expert guidance' without specifying concrete actions the skill performs. While it includes a 'Use when' clause, both the trigger terms and the capability description are underdeveloped, making it difficult to distinguish from other security-related skills.

Suggestions

Replace 'expert guidance' with specific concrete actions such as 'Classifies alert severity, identifies false positives, correlates indicators of compromise, and recommends response actions for security alerts.'

Expand trigger terms to include natural variations like 'security incident', 'SOC alert', 'investigate alert', 'false positive', 'SIEM notification', 'threat alert'.

Broaden the 'Use when' clause to cover more scenarios, e.g., 'Use when the user asks to triage, investigate, or prioritize security alerts, incidents, or SOC cases.'

Dimension scores (reasoning and score out of 3):

Specificity (1 / 3): The description says 'expert guidance for security alert triage', which is vague. It does not list any concrete actions like 'analyze log entries', 'classify severity levels', 'recommend response actions', or 'correlate indicators of compromise'. 'Expert guidance' is abstract fluff.

Completeness (2 / 3): It has a 'Use this when...' clause which addresses the 'when', but the 'what' portion is extremely weak: 'expert guidance' does not explain what the skill actually does. The 'when' clause is also narrow, only covering the word 'triage'.

Trigger Term Quality (2 / 3): It includes 'triage', 'alert', and 'case' as trigger terms, which are relevant but miss many natural variations users might say, such as 'security incident', 'SOC alert', 'investigate alert', 'false positive', 'threat detection', 'SIEM alert', or 'security event'.

Distinctiveness / Conflict Risk (2 / 3): The mention of 'security alert triage' provides some domain specificity, but 'alert' and 'case' are generic enough to potentially overlap with other security-related skills (e.g., incident response, threat hunting, SIEM management). Without more specific triggers, there is moderate conflict risk.

Total: 7 / 12

Passed

Implementation: 77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured, highly actionable security triage workflow with clear sequencing, decision points, and specific tool references for both Remote and Local environments. Its main weakness is moderate verbosity from the dual-path (Remote/Local) pattern repeated at every step, and the progressive disclosure could be improved by extracting common procedures and providing more specific cross-references. Overall, it serves as an effective operational playbook for alert triage.

Suggestions

Extract the 'Common Procedures' section into a separate file (e.g., COMMON_PROCEDURES.md) and link to it, reducing the main skill's length.

Replace the vague 'refer to relevant Skills' in Step 7 escalation with specific file links (e.g., [LATERAL_MOVEMENT.md](LATERAL_MOVEMENT.md)).

Dimension scores (reasoning and score out of 3):

Conciseness (2 / 3): The content is reasonably efficient but includes some unnecessary framing ('You are a Tier 1 SOC Analyst expert') and variable placeholders (${KEY_ENTITIES}, ${SIMILAR_CASE_IDS}) that add structural overhead. The dual Remote/Local tool paths at every step create repetition, though this is arguably necessary for the skill's purpose.

Actionability (3 / 3): Every step specifies exact tool names, parameters (e.g., expand='tasks,tags,products'), filter syntax (description="*ENTITY_VALUE*" AND status="OPENED"), and decision criteria. The classification table provides concrete criteria for each outcome, and specific tool calls are named for each action.

Workflow Clarity (3 / 3): The 7-step protocol is clearly sequenced with explicit decision points (Step 2 has a STOP condition for duplicates), branching logic (Step 7 FP/BTP vs TP/Suspicious), and a well-structured classification table in Step 6. The workflow includes validation through enrichment before assessment, and the duplicate check early in the process prevents wasted effort.

Progressive Disclosure (2 / 3): The skill references an external file (extensions/google-secops/TOOL_MAPPING.md) and mentions 'relevant Skills' for escalation, showing some progressive disclosure. However, the Common Procedures section at the bottom could be in a separate file, and the content is fairly long as a single document. The reference to 'relevant Skills' is vague rather than linking to specific files.

Total: 10 / 12

Passed

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 checks passed

Validation for skill structure (criteria, description, result):

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 10 / 11

Passed

Repository: google/mcp-security (Reviewed)
