analyzing-indicators-of-compromise
Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, and email artifacts to determine maliciousness confidence, campaign attribution, and blocking priority. Use when triaging IOCs from phishing emails, security alerts, or external threat feeds; enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist decisions. Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
63
75%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Risky
Do not use without reviewing
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-indicators-of-compromise/SKILL.mdQuality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines its domain (IOC analysis and threat intelligence), lists specific concrete actions and artifact types, and provides explicit trigger guidance through both 'Use when' and 'Activates for' clauses. It uses proper third-person voice throughout and includes a rich set of natural trigger terms that security analysts would use. The description is comprehensive yet concise, with minimal risk of conflicting with other skills.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: analyzing IOCs (IP addresses, domains, file hashes, URLs, email artifacts), determining maliciousness confidence, campaign attribution, blocking priority, and enriching with multi-source intelligence. | 3 / 3 |
Completeness | Clearly answers both 'what' (analyzes IOCs to determine maliciousness, attribution, and blocking priority) and 'when' (explicit 'Use when' clause covering triaging from phishing/alerts/feeds, enriching raw IOCs, making block decisions, plus an 'Activates for' clause naming specific tools). | 3 / 3 |
Trigger Term Quality | Excellent coverage of natural terms users would say: IOCs, IP addresses, domains, file hashes, URLs, phishing emails, security alerts, threat feeds, VirusTotal, AbuseIPDB, MalwareBazaar, MISP, IOC enrichment, block/monitor/whitelist decisions. These are terms security analysts naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche in IOC analysis and threat intelligence enrichment. The specific mention of tools (VirusTotal, AbuseIPDB, MalwareBazaar, MISP) and security-specific workflows (triage, enrichment pipelines, block/monitor decisions) make it very unlikely to conflict with other skills. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
50%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides strong actionable guidance with executable code examples and a clear decision framework for IOC triage. However, it is significantly bloated with explanatory content Claude doesn't need (glossary definitions, tool descriptions, basic concept explanations), and the workflow lacks validation checkpoints for error handling and source disagreement. Trimming the didactic sections and adding explicit error-handling/validation steps would substantially improve quality.
Suggestions
Remove the Key Concepts table and Tools & Systems section entirely — Claude already knows what VirusTotal, Shodan, IOCs, and defanging are. This saves ~30 lines of tokens.
Add error handling to the API code examples (e.g., check HTTP status codes, handle rate limiting, handle 'not found' responses) and add a validation checkpoint between Step 3 and Step 4 for when sources disagree.
Condense the 'When to Use' and 'Prerequisites' sections into 2-3 bullet points each — the current framing is overly explanatory for an AI audience.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is excessively verbose with content Claude already knows — the Key Concepts table defines basic terms like 'IOC' and 'Enrichment', the Tools & Systems section explains what VirusTotal and Shodan are, and the 'When to Use' section over-explains obvious contexts. The glossary and tool descriptions add ~40 lines of content that provide no actionable value to Claude. | 1 / 3 |
Actionability | The skill provides fully executable Python code for VirusTotal, AbuseIPDB, MalwareBazaar, and MISP lookups. The confidence scoring thresholds are specific and concrete (≥15 AV detections, AbuseIPDB ≥70), and the disposition framework gives clear decision criteria. | 3 / 3 |
Workflow Clarity | The 5-step workflow is clearly sequenced and logically ordered, but lacks explicit validation checkpoints — there's no error handling for API failures, no verification that enrichment data is consistent across sources before making a disposition decision, and no feedback loop for re-evaluating when sources disagree. | 2 / 3 |
Progressive Disclosure | The content is a monolithic single file with no references to supporting documents. The Key Concepts table, Tools & Systems descriptions, and Common Pitfalls sections could be split into reference files, keeping the SKILL.md focused on the workflow and code examples. However, for a skill with no bundle, the section-based organization is reasonable. | 2 / 3 |
Total | 8 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
0f429d0
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.