
secops-triage

Expert guidance for security alert triage. Use this when the user asks to "triage" an alert or case.

Overall score: 75 (2.20x)

Quality: 62% (Does it follow best practices?)

Impact: 99% (2.20x; average score across 3 eval scenarios)

Security (by Snyk): Passed, no known issues


Quality

Discovery

40%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description identifies a clear domain (security alert triage) and includes a basic 'Use when' clause, but it is too vague about what the skill actually does — 'expert guidance' is not a concrete capability. It also lacks sufficient trigger term coverage for the variety of ways users might request security triage assistance.

Suggestions

Replace 'expert guidance for security alert triage' with specific actions like 'Classifies security alert severity, identifies false positives, recommends escalation paths, and correlates indicators of compromise'.

Expand trigger terms in the 'Use when' clause to include natural variations like 'security incident', 'investigate alert', 'SOC alert', 'false positive analysis', 'threat detection', or 'SIEM alert'.

Add more detail about what types of alerts or data sources the skill handles (e.g., 'SIEM alerts, EDR detections, phishing reports') to improve distinctiveness.

Dimension (score): reasoning

Specificity (1 / 3): The description says 'expert guidance for security alert triage' which is vague. It does not list any concrete actions like 'analyze log entries', 'classify severity levels', 'recommend response actions', or 'correlate indicators of compromise'. 'Expert guidance' is abstract fluff.

Completeness (2 / 3): It has a 'Use this when...' clause which addresses the 'when', but the 'what' portion is extremely weak: 'expert guidance for security alert triage' barely explains what the skill actually does. The 'when' clause is also narrow, only covering the word 'triage'.

Trigger Term Quality (2 / 3): It includes 'triage', 'alert', and 'case' as trigger terms, which are relevant but misses many natural variations users might say such as 'security incident', 'SOC alert', 'investigate alert', 'false positive', 'threat detection', 'SIEM alert', or 'security event'.

Distinctiveness Conflict Risk (2 / 3): The mention of 'security alert triage' provides some domain specificity, but 'alert' and 'case' are generic enough to potentially overlap with other security-related skills (e.g., incident response, threat hunting, SIEM management). The lack of concrete actions makes it harder to distinguish.

Total: 7 / 12

Passed

Implementation

85%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a strong, well-structured triage skill that provides clear, actionable guidance with specific tool names, parameters, and decision criteria at each step. The dual Remote/Local tool paths add some repetition but are necessary for environment adaptability. Minor verbosity in framing and variable placeholders could be trimmed, but overall the content is highly functional and well-organized.

Dimension (score): reasoning

Conciseness (2 / 3): The content is reasonably efficient but includes some unnecessary framing ('You are a Tier 1 SOC Analyst expert') and variable placeholders (${KEY_ENTITIES}, ${SIMILAR_CASE_IDS}) that add verbosity. The dual Remote/Local tool paths throughout add necessary but repetitive structure that could potentially be condensed via the tool mapping reference.

Actionability (3 / 3): Every step specifies exact tool names for both Remote and Local environments, with concrete parameters (e.g., expand='tasks,tags,products', Reason='NOT_MALICIOUS', RootCause='Legit action/Normal behavior'). The classification table provides clear, specific criteria and corresponding actions. Filter syntax examples are provided inline.

Workflow Clarity (3 / 3): The 7-step workflow is clearly sequenced with explicit decision points (duplicate check with STOP, FP/BTP vs TP/Suspicious branching). Each step has a labeled Action, Tool selection, and decision criteria. The duplicate check includes a clear early-exit path, and the assessment step provides a structured classification table with defined actions per outcome.

Progressive Disclosure (3 / 3): The skill is well-structured with a clear hierarchy: Tool Selection overview, main Alert Triage Protocol workflow, and a separate Common Procedures section for reusable sub-routines. It references external files appropriately (extensions/google-secops/TOOL_MAPPING.md) and mentions referring to 'relevant Skills' for escalation without deeply nesting references.

Total: 11 / 12

Passed

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria: description (result)

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata (Warning)

Total: 10 / 11 Passed

Repository: google/mcp-security (Reviewed)
