analyzing-indicators-of-compromise
Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, and email artifacts to determine maliciousness confidence, campaign attribution, and blocking priority. Use when triaging IOCs from phishing emails, security alerts, or external threat feeds; enriching raw IOCs with multi-source intelligence; or making block/monitor/whitelist decisions. Activates for requests involving VirusTotal, AbuseIPDB, MalwareBazaar, MISP, or IOC enrichment pipelines.
90
88%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Risky
Do not use without reviewing
Quality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines its domain (IOC analysis and threat intelligence), lists specific concrete actions and artifact types, and provides explicit trigger guidance through both 'Use when' and 'Activates for' clauses. It uses proper third-person voice throughout and includes a rich set of natural trigger terms that security analysts would use. The description is comprehensive yet concise, with minimal risk of conflicting with other skills.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: analyzing IOCs (IP addresses, domains, file hashes, URLs, email artifacts), determining maliciousness confidence, campaign attribution, blocking priority, and enriching with multi-source intelligence. | 3 / 3 |
Completeness | Clearly answers both 'what' (analyzes IOCs to determine maliciousness, attribution, and blocking priority) and 'when' (explicit 'Use when' clause covering triaging from phishing/alerts/feeds, enriching raw IOCs, making block decisions, plus an 'Activates for' clause naming specific tools). | 3 / 3 |
Trigger Term Quality | Excellent coverage of natural terms users would say: IOCs, IP addresses, domains, file hashes, URLs, phishing emails, security alerts, threat feeds, VirusTotal, AbuseIPDB, MalwareBazaar, MISP, IOC enrichment, block/monitor/whitelist decisions. These are terms security analysts naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche in IOC analysis and threat intelligence enrichment. The specific mention of tools (VirusTotal, AbuseIPDB, MalwareBazaar, MISP) and security-specific workflows (triage, enrichment pipelines, block/monitor decisions) make it very unlikely to conflict with other skills. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
77%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable skill with executable code examples and a well-sequenced workflow that covers the full IOC triage lifecycle. Its main weaknesses are token inefficiency from glossary/tool descriptions that Claude already knows, and a monolithic structure that could benefit from splitting reference material into separate files. The concrete thresholds, real API calls, and practical pitfalls section are strong differentiators.
Suggestions
Remove or drastically shorten the 'Key Concepts' glossary table and 'Tools & Systems' section — Claude already knows what VirusTotal, IOCs, and defanging are. Keep only non-obvious details like TTL recommendations.
Extract the Common Pitfalls and Tools/Concepts sections into a separate reference file (e.g., IOC_REFERENCE.md) and link to it from the main skill to improve progressive disclosure and reduce token load.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill includes a glossary table ('Key Concepts') and 'Tools & Systems' section that largely explain concepts Claude already knows (what VirusTotal is, what an IOC is, what defanging means). The workflow steps themselves are reasonably efficient, but these supplementary sections add ~40 lines of unnecessary context that inflate token usage. | 2 / 3 |
Actionability | The skill provides fully executable Python code for VirusTotal, AbuseIPDB, MalwareBazaar, and MISP lookups with real API endpoints and response parsing. The confidence scoring thresholds are specific and concrete (≥15 AV detections, AbuseIPDB ≥70), making decisions copy-paste actionable. | 3 / 3 |
Workflow Clarity | The 5-step workflow is clearly sequenced from normalization through enrichment, contextualization, scoring, and documentation. The tiered decision framework in Step 4 serves as an explicit validation checkpoint, and the 'Do not use in isolation' caveat plus false positive handling provide appropriate feedback loops for this type of operation. | 3 / 3 |
Progressive Disclosure | The content is well-structured with clear headers and logical sections, but it's monolithic — the Key Concepts table, Tools & Systems descriptions, and Common Pitfalls could be split into reference files. No external file references are provided, and the single file runs long with inline content that would benefit from separation. | 2 / 3 |
Total | 10 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
888bbe4
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.