`tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill responding-to-security-incidents`

Assists with security incident response, investigation, and remediation. This skill is triggered when the user requests help with incident response, mentions specific incident types (e.g., data breach, ransomware, DDoS), or uses terms like "incident response plan", "containment", "eradication", or "post-incident activity". It guides the user through the incident response lifecycle, from preparation to post-incident analysis. It is useful for classifying incidents, creating response playbooks, collecting evidence, constructing timelines, and generating remediation steps. Use this skill when needing to respond to a "security incident".
Validation
81%

| Criteria | Description | Result |
|---|---|---|
| metadata_version | 'metadata' field is not a dictionary | Warning |
| license_field | 'license' field is missing | Warning |
| body_output_format | No obvious output/return/format terms detected; consider specifying expected outputs | Warning |
| Total | 13 / 16 Passed | |
Implementation
7%

This skill content reads like marketing copy describing what a skill could do rather than providing actionable incident response guidance. It lacks any concrete procedures, specific tools, commands, or executable workflows that Claude would need to actually assist with incident response. The content explains concepts Claude already understands while failing to provide the specific, actionable details that would make this skill useful.
Suggestions
- Replace abstract descriptions with concrete incident response procedures including specific commands (e.g., 'Isolate host: `iptables -A INPUT -s <infected_ip> -j DROP`')
- Add actual playbook templates with step-by-step checklists for common incident types (ransomware, data breach, DDoS) including validation steps
- Include specific evidence collection commands and tools (e.g., 'Capture memory: `volatility -f memory.dmp imageinfo`', 'Export logs: `journalctl --since "2024-01-01" > incident_logs.txt`')
- Remove the 'How It Works' and 'When to Use This Skill' sections entirely - these describe the skill rather than instructing Claude on how to perform incident response
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose with unnecessary explanations of what the skill does rather than actionable instructions. Phrases like 'This skill empowers Claude' and 'ensures a structured and effective approach' are filler that Claude doesn't need. | 1 / 3 |
| Actionability | No concrete commands, code, scripts, or specific procedures. Everything is abstract description ('provides guidance on collecting', 'help construct a timeline') rather than actual executable steps or specific tools/commands to use. | 1 / 3 |
| Workflow Clarity | While numbered lists exist, they describe what the skill will do abstractly rather than providing actual step-by-step procedures. No validation checkpoints, no specific commands, no feedback loops for incident response operations. | 1 / 3 |
| Progressive Disclosure | Content is organized into logical sections with headers, but it's a monolithic description without references to detailed playbooks, checklists, or external resources that would be essential for actual incident response. | 2 / 3 |
| Total | 5 / 12 Passed | |
Activation
100%

This is a well-crafted skill description that excels across all dimensions. It provides specific concrete actions, comprehensive trigger terms that users would naturally use, explicit guidance on both what the skill does and when to use it, and maintains a clear distinctive niche in security incident response. The description uses proper third-person voice throughout.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'classifying incidents, creating response playbooks, collecting evidence, constructing timelines, and generating remediation steps' along with guiding through the incident response lifecycle. | 3 / 3 |
| Completeness | Clearly answers both what (assists with incident response, investigation, remediation, classifying, playbooks, evidence, timelines) AND when (explicit trigger terms listed, 'Use this skill when needing to respond to a security incident'). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'incident response', 'data breach', 'ransomware', 'DDoS', 'incident response plan', 'containment', 'eradication', 'post-incident activity', and 'security incident'. | 3 / 3 |
| Distinctiveness / Conflict Risk | Clear niche focused specifically on security incident response with distinct domain-specific triggers like 'ransomware', 'DDoS', 'containment', 'eradication' that are unlikely to conflict with general security or documentation skills. | 3 / 3 |
| Total | 12 / 12 Passed | |