Expert guidance for security alert triage. Use this when the user asks to "triage" an alert or case.
Summary scores: 77; 66% (Does it follow best practices?); Impact 99% (2.20x average score across 3 eval scenarios); Passed, no known issues.
Optimize this skill with Tessl: `npx tessl skill review --optimize ./extensions/google-secops/skills/triage/SKILL.md`

Quality
Discovery
Discovery: 40%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description has a proper 'Use when' clause structure but fails to articulate what the skill actually does beyond vague 'expert guidance.' It lacks concrete actions and comprehensive trigger terms that would help Claude confidently select this skill over others in a large skill library.
Suggestions
Replace 'Expert guidance for security alert triage' with specific actions like 'Analyzes security alerts, classifies severity levels, identifies indicators of compromise, and recommends response actions'
Expand trigger terms to include natural variations: 'security incident', 'investigate alert', 'SOC', 'threat analysis', 'suspicious activity', 'SIEM alert'
Add context about what types of alerts or security domains this covers (e.g., network intrusion, malware, phishing, endpoint detection)
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description uses vague language like 'Expert guidance' without listing any concrete actions. It doesn't specify what triage involves (e.g., analyze logs, classify severity, recommend response actions). | 1 / 3 |
| Completeness | Has a 'Use when' clause addressing when to trigger, but the 'what' portion is extremely weak: 'Expert guidance' doesn't explain what the skill actually does during triage. | 2 / 3 |
| Trigger Term Quality | Includes 'triage', 'alert', and 'case' as trigger terms, but misses common variations users might say like 'security incident', 'investigate', 'SOC', 'threat', 'suspicious activity', or 'SIEM'. | 2 / 3 |
| Distinctiveness / Conflict Risk | The terms 'alert' and 'case' are somewhat generic and could overlap with other skills (e.g., customer support case handling, system alerts). The 'security' qualifier helps but isn't strongly reinforced. | 2 / 3 |
| Total | | 7 / 12 Passed |
Implementation
Implementation: 92%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-crafted security triage skill with excellent actionability and workflow clarity. It efficiently handles dual-environment tool selection (Remote/Local) and provides concrete decision criteria. The only weakness is that progressive disclosure could be improved with clearer links to referenced materials.
Suggestions
Add explicit links to the 'relevant Skills' mentioned for escalation (e.g., lateral movement hunt skill)
Consider linking to or creating a separate IOC enrichment reference file rather than embedding the Common Procedures inline
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is lean and efficient, using tables, bullet points, and structured workflows without explaining basic concepts Claude already knows. Every section serves a clear purpose with no padding. | 3 / 3 |
| Actionability | Provides specific tool names, concrete parameters (e.g., expand='tasks,tags,products'), exact filter syntax, and clear decision trees. The workflow is copy-paste ready with explicit tool mappings for both Remote and Local environments. | 3 / 3 |
| Workflow Clarity | Clear 7-step sequence with explicit decision points (duplicate check -> STOP), classification criteria table, and conditional branching for FP/BTP vs TP/Suspicious outcomes. Includes validation through enrichment before assessment. | 3 / 3 |
| Progressive Disclosure | References an external file (TOOL_MAPPING.md) and mentions 'relevant Skills' for escalation, but these references could be more clearly signaled. The Common Procedures section is well-structured but inline rather than linked. | 2 / 3 |
| Total | | 11 / 12 Passed |
Validation
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |