CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-indicators-of-compromise

Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, and email artifacts to determine maliciousness confidence, campaign attribution, and blocking priority. Use when triaging IOCs from phishing emails, security alerts, or external threat feeds; enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist decisions. Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.

68

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Critical

Do not install without reviewing

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is highly actionable with real, executable code and concrete thresholds, but it duplicates content already available in the unreferenced bundle files and lacks an explicit validation checkpoint in its blocking workflow. Tightening concept explanations and wiring up the bundle references would lift the weaker dimensions.

Suggestions

Reference the bundle from the body — point to references/api-reference.md for API details and scripts/agent.py for the runnable agent instead of duplicating the API code inline, keeping SKILL.md a lean overview.

Add an explicit verification checkpoint in the workflow (e.g., cross-check enrichment against false-positive risk for shared infrastructure and confirm before applying a Block disposition) with a fix-and-retry loop.

Trim the Key Concepts table to IOC-specific thresholds (TTL windows, sinkhole nuance) and drop definitions Claude already knows such as IOC, Enrichment, and Defanging.

DimensionReasoningScore

Conciseness

The body is mostly efficient and action-oriented, but the Key Concepts table defines IOC, Enrichment, and Defanging — concepts Claude already knows — and the Tools section restates well-known tool purposes, so it could be tightened.

2 / 3

Actionability

Provides fully executable Python for VirusTotal, AbuseIPDB, MalwareBazaar, and MISP with real endpoints, plus concrete disposition thresholds (≥15 AV detections, AbuseIPDB ≥70) that are copy-paste ready.

3 / 3

Workflow Clarity

The five-step sequence is clearly ordered, but it lacks an explicit validate→fix→retry checkpoint for the consequential Block/Monitor/Whitelist decision; per the rubric, missing validation for destructive/blocking operations caps this at 2.

2 / 3

Progressive Disclosure

Sections are well-organized, but the full API code and scoring framework are duplicated inline even though references/api-reference.md and scripts/agent.py exist in the bundle and are never referenced from the body, so content that should be split out is inline.

2 / 3

Total

9

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is concise, specific, and uses correct third-person voice while clearly answering both what the skill does and when to use it. Distinct, tool-named triggers make conflict risk low.

DimensionReasoningScore

Specificity

Lists multiple concrete actions — 'determine maliciousness confidence, campaign attribution, and blocking priority', 'triaging IOCs', 'enriching raw IOCs with multi-source intelligence', and 'making block/monitor/whitelist decisions' — matching the multi-action anchor.

3 / 3

Completeness

Explicitly states what it does (analyzes IOCs for confidence/attribution/priority) and when to use it via an explicit 'Use when triaging IOCs from phishing emails, security alerts, or external threat feeds' trigger clause.

3 / 3

Trigger Term Quality

Covers natural terms a user would say — 'phishing emails, security alerts, external threat feeds', 'VirusTotal, AbuseIPDB, MalwareBazaar, MISP', and 'block/monitor/whitelist decisions' — with good coverage of common variations.

3 / 3

Distinctiveness Conflict Risk

Occupies a clear IOC-analysis niche with distinct named-tool triggers (VirusTotal, AbuseIPDB, MalwareBazaar, MISP) and is unlikely to fire for unrelated skills.

3 / 3

Total

12

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.