analyzing-apt-group-with-mitre-navigator

Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.

72

Quality

66%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/analyzing-apt-group-with-mitre-navigator/SKILL.md

Quality

Discovery

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong, domain-specific description with excellent specificity and trigger term coverage for cybersecurity threat intelligence professionals. Its main weakness is the lack of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill. The description is concise, uses third person voice correctly, and occupies a clear niche.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about MITRE ATT&CK mapping, APT group analysis, threat coverage heatmaps, or detection gap assessments.'

Dimension / Reasoning / Score

Specificity (3 / 3): Lists multiple specific concrete actions: analyze APT group techniques, create layered heatmaps of adversary TTPs, perform detection gap analysis, and support threat-informed defense. These are concrete, domain-specific actions.

Completeness (2 / 3): The 'what' is well-covered (analyze APT techniques, create layered heatmaps, detection gap analysis), but there is no explicit 'Use when...' clause or equivalent trigger guidance. Per the rubric, a missing 'Use when...' clause caps completeness at 2.

Trigger Term Quality (3 / 3): Includes strong natural keywords users in this domain would use: 'APT', 'MITRE ATT&CK', 'Navigator', 'heatmaps', 'TTPs', 'detection gap analysis', 'threat-informed defense'. These are terms a security analyst would naturally mention.

Distinctiveness Conflict Risk (3 / 3): Highly distinctive with a clear niche: MITRE ATT&CK Navigator, APT group analysis, layered heatmaps, and detection gap analysis. This is unlikely to conflict with other skills due to its very specific cybersecurity threat intelligence focus.

Total: 11 / 12 (Passed)

Implementation

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides highly actionable, executable Python code for ATT&CK Navigator layer generation and APT group analysis, which is its primary strength. However, it is significantly bloated with explanatory content Claude doesn't need (Key Concepts, Overview, When to Use sections), and lacks inline validation/error handling checkpoints in the workflow. The content would benefit from aggressive trimming of background material and addition of validation steps between workflow stages.

Suggestions

Remove or drastically reduce the 'Key Concepts' section: Claude already knows what ATT&CK Navigator layers, APT group profiles, and multi-layer analysis are. Keep only non-obvious specifics like the layer version format.

Remove the generic 'When to Use' section entirely: it adds no actionable information and reads as boilerplate filler.

Add inline validation checkpoints: verify ATT&CK API connectivity before querying, validate generated JSON against Navigator schema before saving, and add error handling for missing group IDs or empty technique sets.

Consider splitting the detailed code examples into a referenced file (e.g., EXAMPLES.md) and keeping SKILL.md as a concise overview with the core workflow pattern and one minimal example.

Dimension / Reasoning / Score

Conciseness (1 / 3): The skill is excessively verbose with unnecessary explanations Claude already knows (what ATT&CK Navigator is, what layers are, what APT group profiles contain, what multi-layer analysis means). The 'Key Concepts' section is entirely redundant background. The 'When to Use' section is generic filler. The overview paragraph restates the description. Much of this could be cut in half without losing actionable content.

Actionability (3 / 3): The code examples are fully executable with real library calls (attackcti), concrete API usage, complete Navigator layer JSON generation, and specific group IDs (G0016, G0007, G0032). The code is copy-paste ready and covers the full workflow from data retrieval to layer output.

Workflow Clarity (2 / 3): The 5 steps are clearly sequenced and logically ordered, but there are no validation checkpoints between steps. The 'Validation Criteria' section is a post-hoc checklist rather than inline verification steps. There is no feedback loop for when ATT&CK queries fail or when layer JSON does not validate, and no error-handling guidance.

Progressive Disclosure (2 / 3): The content is a monolithic document with all code inline. The references section links to external resources, but there is no splitting of content into separate files for the detailed code examples, API reference, or advanced multi-group analysis. For a skill this long (~200+ lines of code), the detailed implementations could be referenced rather than fully inline.

Total: 8 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata (Warning)

Total: 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
