MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor beh
38
36%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-threat-actor-ttps-with-mitre-attack/SKILL.md
Quality
Discovery
22%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is severely hampered by being truncated mid-sentence, rendering it incomplete and largely ineffective for skill selection. While it does reference the specific domain of MITRE ATT&CK and includes some relevant security terminology, it fails to articulate concrete actions or provide any 'when to use' guidance. In its current state, Claude would struggle to reliably select this skill at the right time.
Suggestions
Complete the truncated description to fully list specific actions (e.g., 'Maps threat actor behaviors to ATT&CK techniques, identifies coverage gaps in defenses, generates ATT&CK Navigator layers').
Add an explicit 'Use when...' clause with trigger terms like 'MITRE ATT&CK mapping', 'threat intelligence', 'TTPs', 'adversary techniques', 'ATT&CK matrix', 'threat modeling'.
Ensure the description stays within any character limits while prioritizing concrete capabilities and trigger guidance over definitional background about what MITRE ATT&CK is.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description appears truncated and only provides a general definition of MITRE ATT&CK as a knowledge base. It mentions 'systematically mapping threat actor beh' but is cut off, so no concrete actions are fully listed. | 1 / 3 |
| Completeness | The description is truncated and fails to fully answer 'what does this do' (cut off mid-word) and completely lacks a 'when to use' clause. The missing 'Use when...' clause alone would cap this at 2, but the truncation makes even the 'what' incomplete. | 1 / 3 |
| Trigger Term Quality | Contains some relevant keywords like 'MITRE ATT&CK', 'adversary tactics, techniques, and procedures', 'TTPs', and 'threat actor', which are terms a security professional might use. However, the description is truncated and likely missing additional natural trigger terms. | 2 / 3 |
| Distinctiveness Conflict Risk | The mention of 'MITRE ATT&CK' specifically is a fairly distinct domain, but the truncated description and vague framing ('covers systematically mapping...') could overlap with general cybersecurity or threat intelligence skills. | 2 / 3 |
| Total | 6 / 12 Passed | |
Implementation
50%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable, executable Python code covering a complete ATT&CK analysis workflow, which is its primary strength. However, it is significantly bloated with explanatory content Claude doesn't need (ATT&CK concepts, matrix structure descriptions, generic 'When to Use' boilerplate), and the workflow lacks inline validation checkpoints despite involving external API calls and file generation that could fail.
Suggestions
Remove the 'Key Concepts' section entirely—Claude already understands ATT&CK structure, Navigator, and threat group profiles.
Remove or drastically shorten the 'When to Use' and 'Overview' sections, which are generic and add no actionable value.
Add inline validation steps: check TAXII connection success after Step 1, validate Navigator JSON schema before saving in Step 3, and add error handling for missing group IDs.
Extract the Navigator layer generation function and cross-group comparison into separate bundle files, keeping SKILL.md as a concise overview with references.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Significant verbosity throughout. The 'Key Concepts' section explains ATT&CK matrix structure, threat group profiles, and Navigator concepts that Claude already knows. The 'When to Use' section is generic boilerplate. The 'Prerequisites' list and 'Overview' paragraph add little actionable value. The Navigator layer generation function includes excessive JSON configuration that could be trimmed. | 1 / 3 |
| Actionability | All code examples are fully executable with real library calls, specific group IDs (G0016, G0007, G0032), concrete API methods, and complete Navigator layer JSON generation. The code is copy-paste ready and covers the full workflow from querying data to generating outputs. | 3 / 3 |
| Workflow Clarity | Steps are clearly sequenced (1-5) and logically ordered, but there are no validation checkpoints between steps. For example, there's no check that the TAXII server connection succeeded, no validation that the Navigator layer JSON is well-formed before saving, and no error handling or feedback loops. The 'Validation Criteria' section lists what should be true but doesn't integrate verification into the workflow itself. | 2 / 3 |
| Progressive Disclosure | The content is a monolithic document with no bundle files to offload detail into. The Key Concepts section, the lengthy Navigator layer function, and the cross-group comparison could be split into separate reference files. External references are provided but there's no internal file structure for progressive discovery. | 2 / 3 |
| Total | 8 / 12 Passed | |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 10 / 11 Passed | |