Assists with security incident response, investigation, and remediation. This skill is triggered when the user requests help with incident response, mentions specific incident types (e.g., data breach, ransomware, DDoS), or uses terms like "incident response plan", "containment", "eradication", or "post-incident activity". It guides the user through the incident response lifecycle, from preparation to post-incident analysis. It is useful for classifying incidents, creating response playbooks, collecting evidence, constructing timelines, and generating remediation steps. Use this skill when needing to respond to a "security incident".
91
Quality: 53% (Does it follow best practices?)
Impact: 98% (1.01x average score across 9 eval scenarios)
Passed: no known issues
Quality
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description that clearly defines its domain (security incident response), lists concrete actions, and provides explicit trigger guidance with natural keywords. It uses third-person voice appropriately and covers both the 'what' and 'when' dimensions thoroughly. Minor note: the description is slightly verbose and could be tightened, but the content quality is high.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: classifying incidents, creating response playbooks, collecting evidence, constructing timelines, generating remediation steps, and guiding through the incident response lifecycle. | 3 / 3 |
| Completeness | Clearly answers both 'what' (classifying incidents, creating playbooks, collecting evidence, constructing timelines, generating remediation steps) and 'when' (explicit trigger terms listed, plus a 'Use this skill when...' clause at the end). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms users would say: 'incident response', 'data breach', 'ransomware', 'DDoS', 'incident response plan', 'containment', 'eradication', 'post-incident activity', 'security incident'. These are terms users would naturally use when seeking this kind of help. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche in security incident response. The specific trigger terms like 'ransomware', 'DDoS', 'containment', 'eradication', and 'incident response plan' are unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 7%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is essentially a high-level description of what incident response is, rather than a skill that teaches Claude how to perform it. It contains no actionable content—no playbook templates, no specific investigation commands, no remediation checklists, no concrete examples of output. Claude already knows what incident response, ransomware, and data breaches are; this skill needs to provide the specific frameworks, templates, and procedures that Claude should follow.
Suggestions

- Replace the abstract 'How It Works' section with concrete, actionable content: include an actual incident classification framework (e.g., severity matrix with specific criteria), a playbook template with real steps, and specific evidence collection commands (e.g., log queries, forensic tool commands).
- Provide complete example outputs: instead of saying 'the skill will generate a response playbook,' include an actual sample playbook with specific containment, eradication, and recovery steps for ransomware.
- Add concrete checklists and templates: an incident classification checklist, a post-incident report template, and specific remediation step templates that Claude can fill in based on the incident details.
- Remove the 'Overview', 'When to Use This Skill', and 'Integration' sections entirely; they explain concepts Claude already knows and consume tokens without adding value.
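To make the first two suggestions concrete, here is an added example (written for this page, not taken from the reviewed skill) of what a machine-checkable severity matrix and a ransomware playbook skeleton could look like inside such a skill. The severity levels, SLA targets, escalation rules, notification lists and step wording are assumptions a team would tune to its own policy; the evidence commands are standard Linux tools, and `<first_encryption_time>` is a placeholder to be filled from the timeline.

```python
from dataclasses import dataclass

# Severity matrix: acknowledgement / containment targets and who is paged.
# Values are illustrative assumptions, not policy from the reviewed skill.
SEVERITY = {
    "P1": {"ack": "15m", "contain": "4h",  "notify": ["CISO", "Legal", "Exec on-call"]},
    "P2": {"ack": "1h",  "contain": "24h", "notify": ["Security lead", "Service owner"]},
    "P3": {"ack": "4h",  "contain": "5d",  "notify": ["Service owner"]},
    "P4": {"ack": "1d",  "contain": "30d", "notify": []},
}
RANK = {"P4": 0, "P3": 1, "P2": 2, "P1": 3}


@dataclass
class Incident:
    kind: str                     # ransomware | data_breach | ddos | malware | phishing
    data_class: str               # public | internal | confidential | regulated
    hosts_affected: int
    availability: str             # none | degraded | outage
    attacker_active: bool = False  # hands-on-keyboard activity observed
    exfil_confirmed: bool = False


def _highest(*levels: str) -> str:
    return max(levels, key=RANK.__getitem__)


def classify(inc: Incident) -> dict:
    """Each matrix dimension votes a severity floor; the highest wins, then
    type-specific escalation rules are applied (they only ever raise severity).
    The reasons are returned so the classification is explainable in the record."""
    votes = {
        "data": {"public": "P4", "internal": "P4",
                 "confidential": "P3", "regulated": "P2"}[inc.data_class],
        "scope": ("P1" if inc.hosts_affected >= 50 else "P2" if inc.hosts_affected >= 5
                  else "P3" if inc.hosts_affected >= 1 else "P4"),
        "availability": {"none": "P4", "degraded": "P2", "outage": "P1"}[inc.availability],
    }
    sev = _highest(*votes.values())
    reasons = [f"{dim} -> {lvl}" for dim, lvl in votes.items()]
    if inc.kind == "ransomware" and inc.attacker_active:
        sev = "P1"; reasons.append("active ransomware: encryption may still be spreading")
    if inc.data_class == "regulated" and (inc.exfil_confirmed or inc.attacker_active):
        sev = _highest(sev, "P1"); reasons.append("regulated data at risk: breach-notification clock may be running")
    if inc.attacker_active:
        sev = _highest(sev, "P2"); reasons.append("hands-on-keyboard activity is never below P2")
    return {"severity": sev, "sla": SEVERITY[sev], "reasons": reasons}


# Evidence collection commands (standard Linux tools); shared by all playbooks.
EVIDENCE_LINUX = [
    "ss -tunap                                   # live sockets and owning processes",
    "ps auxwwf                                   # full process tree",
    "journalctl -o short-iso --since '-24h'      # system log window for the timeline",
    "find / -xdev -type f -newermt '<first_encryption_time>'   # files touched since onset",
]

# Playbook skeletons keyed by incident type; phases are ordered as executed.
PLAYBOOKS = {
    "ransomware": {
        "containment": [
            "Isolate affected hosts via EDR or switch port; keep them powered on to preserve memory",
            "Disable compromised accounts and revoke their sessions and tokens",
            "Block C2 and staging indicators at the egress firewall and resolver",
        ],
        "evidence": EVIDENCE_LINUX,
        "eradication": [
            "Identify the initial access vector (phishing attachment, exposed RDP/VPN, edge device)",
            "Remove persistence: scheduled tasks, services, startup items, new admin accounts",
            "Rebuild rather than clean any host on which the encryptor ran",
        ],
        "recovery": [
            "Restore from backups verified offline and scanned for the encryptor",
            "Reset every credential that existed on affected hosts, including service accounts",
            "Monitor for re-entry for 30 days before closing",
        ],
    },
    "generic": {
        "containment": ["Limit attacker access while preserving volatile evidence"],
        "evidence": EVIDENCE_LINUX,
        "eradication": ["Remove the cause and all persistence"],
        "recovery": ["Restore service, verify, and monitor before closing"],
    },
}


def build_playbook(inc: Incident) -> dict:
    """Assemble the response record: classification plus the ordered phases of
    the matching playbook (the generic skeleton when no type-specific one exists)."""
    phases = PLAYBOOKS.get(inc.kind, PLAYBOOKS["generic"])
    return {"kind": inc.kind, **classify(inc), "phases": list(phases), "steps": phases}


if __name__ == "__main__":
    # Constructed sample: ransomware on 12 hosts holding regulated data, attacker still active.
    rec = build_playbook(Incident("ransomware", "regulated", 12, "degraded", attacker_active=True))
    print(rec["severity"], rec["sla"], *rec["reasons"], sep="\n")
    for phase in rec["phases"]:
        print(f"\n[{phase}]"); print("\n".join(rec["steps"][phase]))
```

The point of the structure is that the matrix and rules are data the skill can show Claude verbatim, the classification is reproducible and explainable, and the playbook phases give the "actual sample playbook" the review asks for rather than a sentence saying one will be generated.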
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is verbose and explains concepts Claude already knows well (what incident response is, what evidence gathering means, what ransomware is). The 'Overview', 'How It Works', 'When to Use This Skill', and 'Integration' sections are largely redundant filler that don't add actionable value. Nearly every sentence describes rather than instructs. | 1 / 3 |
| Actionability | The skill provides no concrete, executable guidance whatsoever: no specific commands, no code snippets, no templates, no checklists with actual content. The examples describe what 'the skill will' do in abstract terms rather than providing actual playbook content, investigation steps, or remediation procedures. Everything is vague direction rather than actionable instruction. | 1 / 3 |
| Workflow Clarity | While numbered steps exist, they are abstract descriptions of categories of work rather than actual sequenced workflows. There are no validation checkpoints, no decision points, no feedback loops, and no concrete procedures. The examples say things like 'generate a response playbook including steps for containment' without actually providing those steps. | 1 / 3 |
| Progressive Disclosure | The content has some structural organization with clear section headers, but it's a monolithic file with no references to supporting documents. Given the breadth of the topic (multiple incident types, playbooks, evidence gathering procedures), this content would benefit greatly from separate reference files for specific playbooks, checklists, and templates. However, the sections themselves are reasonably organized. | 2 / 3 |
| Total | | 5 / 12 Passed |
Validation: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
13d35b8