Expert guidance for security alert triage. Use this when the user asks to "triage" an alert or case.
Overall score: 72
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skill
Discovery: 40%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description has a proper 'Use when...' clause but fails to explain what the skill actually does beyond vague 'expert guidance.' It lacks concrete actions (analyze, classify, escalate, document) and misses many natural trigger terms security analysts would use. The description needs substantial improvement to help Claude distinguish this skill from other security or incident-related skills.
Suggestions
Replace 'Expert guidance' with specific actions like 'Analyze security alerts, classify severity levels, identify false positives, and recommend response actions'
Expand trigger terms to include variations like 'security incident', 'investigate alert', 'SOC', 'threat analysis', 'suspicious activity', 'SIEM alert'
Add context about what types of alerts or systems this covers (e.g., 'endpoint alerts', 'network intrusion', 'malware detection')
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description uses vague language like 'Expert guidance' without listing any concrete actions. It doesn't specify what triage involves (e.g., analyze logs, classify severity, recommend response actions). | 1 / 3 |
| Completeness | Has an explicit 'Use this when...' clause addressing when to use it, but the 'what' portion is extremely weak: 'Expert guidance' doesn't explain what the skill actually does. | 2 / 3 |
| Trigger Term Quality | Includes 'triage', 'alert', and 'case' as trigger terms, but misses common variations users might say like 'security incident', 'investigate', 'SOC', 'threat', 'suspicious activity', or 'SIEM'. | 2 / 3 |
| Distinctiveness / Conflict Risk | The focus on 'security alert triage' provides some specificity, but 'alert' and 'case' are generic terms that could overlap with other support, incident, or monitoring skills. | 2 / 3 |
| Total | | 7 / 12 Passed |
Implementation: 92%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured, actionable security triage skill that efficiently guides Claude through a complete alert assessment workflow. The dual Remote/Local tool approach is practical, and the classification table provides clear decision criteria. Minor improvement could be made in progressive disclosure by more explicitly linking to referenced materials.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is lean and efficient, using tables, bullet points, and structured workflows without explaining basic concepts Claude already knows. Every section serves a clear purpose with no padding. | 3 / 3 |
| Actionability | Provides specific tool names, concrete parameters (e.g., expand='tasks,tags,products'), exact filter syntax, and clear decision criteria. The classification table with specific actions is immediately executable. | 3 / 3 |
| Workflow Clarity | Clear 7-step numbered workflow with explicit decision points (duplicate check -> STOP), validation through enrichment, and branching logic for FP/BTP vs TP/Suspicious outcomes. Includes feedback loops via the assessment phase. | 3 / 3 |
| Progressive Disclosure | References external file (TOOL_MAPPING.md) and mentions 'relevant Skills' for escalation, but these references could be more clearly signaled. The Common Procedures section is well-separated, but the main workflow is dense and could benefit from linking to detailed tool documentation. | 2 / 3 |
| Total | | 11 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |