analyzing-threat-actor-ttps-with-mitre-attack

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor beh

36

Quality: 32% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security by Snyk: Advisory. Suggest reviewing before use


Quality

Discovery: 22%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is truncated, cutting off mid-word, which renders it fundamentally incomplete. While it introduces the MITRE ATT&CK domain with some relevant terminology, it fails to list concrete actions the skill performs and entirely lacks a 'Use when...' clause. As written, it reads more like a Wikipedia definition than a functional skill description.

Suggestions

Complete the truncated description and add specific concrete actions such as 'Maps incidents to MITRE ATT&CK techniques, generates technique coverage heat maps, identifies gaps in detection coverage'.

Add an explicit 'Use when...' clause with trigger terms like 'Use when the user asks about MITRE ATT&CK mappings, threat actor TTPs, technique IDs (e.g., T1059), adversary emulation, or detection coverage analysis'.

Include common keyword variations users might say, such as 'ATT&CK framework', 'ATT&CK matrix', 'technique mapping', 'T-numbers', and 'adversary behavior'.

Dimension / Reasoning / Score

Specificity: 1 / 3
The description defines what MITRE ATT&CK is but does not list concrete actions the skill performs. 'Systematically mapping threat actor beh...' is truncated and vague — no specific capabilities like 'identify techniques', 'generate heat maps', or 'map incidents to tactics' are stated.

Completeness: 1 / 3
The description is truncated and provides only a partial 'what' (background on MITRE ATT&CK and a cut-off mention of mapping). There is no 'when' clause or explicit trigger guidance, and the truncation makes the description fundamentally incomplete.

Trigger Term Quality: 2 / 3
Contains some relevant keywords like 'MITRE ATT&CK', 'tactics, techniques, and procedures', 'TTPs', and 'threat actor', which users might naturally use. However, it misses common variations like 'ATT&CK framework', 'technique ID', 'T-number', 'adversary mapping', or 'threat intelligence'.

Distinctiveness / Conflict Risk: 2 / 3
The mention of 'MITRE ATT&CK' and 'TTPs' provides some distinctiveness in the cybersecurity domain, but the truncated and vague nature of the description could cause overlap with general threat intelligence or cybersecurity analysis skills.

Total: 6 / 12 (Passed)

Implementation: 42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides genuinely executable, actionable code for ATT&CK analysis workflows, which is its primary strength. However, it is excessively verbose—explaining concepts Claude already knows (ATT&CK structure, Navigator purpose, threat group profiles) and including boilerplate sections that add no value. The monolithic structure with no supporting bundle files means ~200 lines of code and explanation compete for context window space when a concise overview with references to detail files would be far more efficient.

Suggestions

Remove the 'Key Concepts' section entirely—Claude already understands ATT&CK matrix structure, threat groups, and Navigator. Replace with a one-line note if any project-specific conventions apply.

Extract the Navigator layer generation code and cross-group comparison code into separate bundle files (e.g., navigator_layer.py, cross_group_compare.py) and reference them from the main skill.

Add explicit validation checkpoints: verify TAXII server connectivity before querying, validate Navigator JSON schema before saving, and add error handling for missing group IDs.

Remove the generic 'When to Use' section—it restates the skill title in bullet form and adds no actionable information.

Dimension / Reasoning / Score

Conciseness: 1 / 3
Significant verbosity throughout. The 'Key Concepts' section explains ATT&CK matrix structure, threat group profiles, and Navigator concepts that Claude already knows. The 'When to Use' section is generic boilerplate. The 'Prerequisites' section lists obvious requirements. The Navigator layer generation code includes excessive layout/styling configuration that could be trimmed substantially.

Actionability: 3 / 3
All code examples are fully executable with real library calls, specific group IDs (G0016, G0007, G0032), concrete API methods, and complete JSON output structures. The code is copy-paste ready and covers the full workflow from data querying through gap analysis.

Workflow Clarity: 2 / 3
Steps are clearly sequenced (1-5) and logically ordered, but there are no validation checkpoints between steps. Step 3 generates a Navigator layer JSON but doesn't validate that it renders correctly. Step 4's detection gap analysis uses hardcoded example values rather than showing how to actually determine detection coverage. No error handling or feedback loops for TAXII server connectivity issues.

Progressive Disclosure: 1 / 3
The skill is a monolithic wall of text with no bundle files to offload detailed content. The lengthy Navigator layer generation code (50+ lines of JSON structure) and the cross-group comparison code could be split into separate reference files. All content is inline with no structural separation between overview and detailed implementation.

Total: 7 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys: Warning
Unknown frontmatter key(s) found; consider removing or moving to metadata

Total: 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
