
analyzing-threat-actor-ttps-with-mitre-attack

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor beh

48

Quality: 36% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Advisory (Suggest reviewing before use)


Quality

Discovery

22%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is truncated mid-sentence, which leaves it incomplete and largely ineffective for skill selection. It introduces the MITRE ATT&CK framework with some relevant domain terminology, but it does not state any specific capability and gives no 'Use when...' guidance. Claude could not reliably select this skill from a pool of skills on the basis of this description.

Suggestions

Complete the truncated description and add specific concrete actions such as 'Maps threat actor behaviors to ATT&CK techniques, generates Navigator layers, identifies technique coverage gaps'.

Add an explicit 'Use when...' clause with trigger terms like 'Use when the user asks about MITRE ATT&CK mappings, threat actor TTPs, adversary techniques, ATT&CK Navigator, or technique IDs (e.g., T1059)'.

Remove the encyclopedic definition of MITRE ATT&CK and focus on what the skill does and when to use it, keeping the description action-oriented rather than informational.

Dimension / Reasoning / Score

Specificity

The description defines what MITRE ATT&CK is but does not list concrete actions the skill performs. 'Systematically mapping threat actor beh' is truncated and no specific capabilities like 'identify techniques', 'generate ATT&CK Navigator layers', or 'map incidents to TTPs' are stated.

1 / 3

Completeness

The description is truncated and provides only a partial 'what' (background on MITRE ATT&CK and the beginning of 'mapping threat actor beh...'). There is no 'when' clause and no explicit trigger guidance.

1 / 3

Trigger Term Quality

Contains some relevant keywords like 'MITRE ATT&CK', 'tactics, techniques, and procedures', 'TTPs', and 'threat actor', which users might naturally use. However, it's missing common variations like 'threat intelligence', 'adversary emulation', 'ATT&CK matrix', 'technique ID', or 'T-number'.

2 / 3

Distinctiveness Conflict Risk

The mention of 'MITRE ATT&CK' and 'TTPs' provides some distinctiveness in the cybersecurity domain, but the truncated and vague nature of the description could cause overlap with general threat intelligence or cybersecurity analysis skills.

2 / 3

Total: 6 / 12 (Passed)

Implementation

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides genuinely useful, executable Python code for ATT&CK analysis workflows, which is its primary strength. However, it is significantly bloated with explanatory content Claude doesn't need (ATT&CK concepts, matrix structure, Navigator description) and lacks inline validation steps for a multi-step workflow that depends on external API connectivity. The content would benefit from aggressive trimming of known concepts and addition of error handling/validation checkpoints.

Suggestions

Remove the 'Key Concepts' section entirely—Claude already understands ATT&CK matrix structure, threat groups, and Navigator. This saves ~15 lines of unnecessary context.

Add inline validation after Step 1 (check TAXII connectivity and non-empty results) and after Step 3 (validate Navigator JSON schema before writing to file).

Trim the Navigator layer JSON template to essential fields only, or move the full template to a separate reference file and keep just the minimal required structure inline.

Remove the generic 'When to Use' section which adds no actionable information beyond what the title already conveys.
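The two inline checkpoints and the trimmed layer template that the suggestions above call for, written here as an added example rather than code taken from the reviewed skill. `require_nonempty_techniques` is the guard after Step 1 (the constructed `SAMPLE_GROUP_TECHNIQUES` list stands in for the result of a TAXII query and is not any real group's profile); `build_layer` emits only the Navigator fields a layer needs, with the version strings assumed (set them to the ATT&CK and Navigator versions you target); `validate_layer` and `write_layer` refuse to write a layer that fails schema checks after Step 3; and `coverage_gaps` is a minimal Step 5 gap analysis that treats a covered parent technique as covering its sub-techniques, which is a modelling choice made here, not an ATT&CK rule.

```python
"""Inline validation checkpoints for an ATT&CK-to-Navigator workflow.

Added example. The sample data below is constructed for illustration and
is not real ATT&CK threat-group data.
"""
import json
import re
from typing import Dict, Iterable, List

# Technique ID shape used by ATT&CK: T1234 or sub-technique T1234.001
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")
VALID_DOMAINS = {"enterprise-attack", "mobile-attack", "ics-attack"}

# Constructed sample: stands in for the technique IDs a TAXII query returned
SAMPLE_GROUP_TECHNIQUES = ["T1059.001", "T1566.001", "T1078", "T1059.001", "T1021.001"]
# Constructed sample: techniques the organisation's detections already cover
SAMPLE_COVERED = ["T1566", "T1078"]


def require_nonempty_techniques(group_id: str, technique_ids: Iterable[str]) -> List[str]:
    """Checkpoint after Step 1: fail fast on an empty or malformed query result."""
    ids = sorted(set(technique_ids))
    if not ids:
        raise ValueError(f"{group_id}: query returned no techniques; "
                         "check TAXII connectivity or the group ID")
    bad = [t for t in ids if not TECHNIQUE_ID.match(t)]
    if bad:
        raise ValueError(f"{group_id}: malformed technique IDs {bad}")
    return ids


def build_layer(name: str, technique_ids: List[str], comment: str = "",
                domain: str = "enterprise-attack") -> Dict:
    """Step 3: minimal Navigator layer, only the fields a usable layer needs."""
    return {
        "name": name,
        # Assumed version strings: replace with the ATT&CK/Navigator versions you target
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": domain,
        "description": comment,
        "techniques": [{"techniqueID": t, "score": 1, "comment": comment}
                       for t in technique_ids],
    }


def validate_layer(layer: Dict) -> List[str]:
    """Checkpoint after Step 3: return a list of schema problems (empty if valid)."""
    errors = []
    for key in ("name", "versions", "domain", "techniques"):
        if key not in layer:
            errors.append(f"missing required field: {key}")
    if layer.get("domain") not in VALID_DOMAINS:
        errors.append(f"unknown domain: {layer.get('domain')!r}")
    techniques = layer.get("techniques", [])
    if not techniques:
        errors.append("layer has no techniques")
    seen = set()
    for entry in techniques:
        tid = entry.get("techniqueID")
        if not isinstance(tid, str) or not TECHNIQUE_ID.match(tid):
            errors.append(f"bad techniqueID: {tid!r}")
        elif tid in seen:
            errors.append(f"duplicate techniqueID: {tid}")
        seen.add(tid)
        if not isinstance(entry.get("score", 0), (int, float)):
            errors.append(f"non-numeric score for {tid}")
    return errors


def write_layer(layer: Dict, path: str) -> None:
    """Only write the layer file once it passes validation."""
    errors = validate_layer(layer)
    if errors:
        raise ValueError("refusing to write invalid layer: " + "; ".join(errors))
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(layer, fh, indent=2)


def coverage_gaps(group_techniques: Iterable[str], covered: Iterable[str]) -> List[str]:
    """Step 5: group techniques with no detection coverage.

    Modelling choice: a covered parent technique (T1566) is treated as
    covering its sub-techniques (T1566.001).
    """
    covered = set(covered)
    return sorted(t for t in group_techniques
                  if t not in covered and t.split(".")[0] not in covered)


if __name__ == "__main__":
    ids = require_nonempty_techniques("example-group", SAMPLE_GROUP_TECHNIQUES)
    layer = build_layer("example-group techniques", ids, comment="constructed sample")
    write_layer(layer, "example-layer.json")
    print("uncovered techniques:", coverage_gaps(ids, SAMPLE_COVERED))
```

Run as a script it writes `example-layer.json` and reports the uncovered techniques; in the skill's workflow the same three functions would sit between the TAXII query, the layer generation and the file write, so a dropped connection or a mistyped group ID stops the run before an empty or malformed layer reaches Navigator.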

Dimension / Reasoning / Score

Conciseness

The skill is excessively verbose. The 'Key Concepts' section explains ATT&CK matrix structure, threat group profiles, and Navigator concepts that Claude already knows well. The 'When to Use' section is generic filler. The 'Overview' repeats the description. The Navigator layer generation code includes extensive boilerplate JSON configuration that could be significantly trimmed.

1 / 3

Actionability

The skill provides fully executable Python code across all five steps, with specific library imports, API calls, and concrete examples using real group IDs (G0016 for APT29). Code is copy-paste ready and covers the complete workflow from data querying to gap analysis.

3 / 3

Workflow Clarity

Steps are clearly sequenced (1-5) and logically ordered, but there are no validation checkpoints or error handling between steps. No feedback loops for common failures like TAXII server connectivity issues, empty query results, or invalid Navigator JSON. The 'Validation Criteria' section is a checklist at the end rather than inline verification steps.

2 / 3

Progressive Disclosure

The content is a monolithic document with all code inline. The Navigator layer generation code alone is ~50 lines that could be referenced externally. References section links to external resources but there's no splitting of content into separate files for advanced topics like custom scoring, multi-layer overlays, or STIX manipulation.

2 / 3

Total: 8 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total: 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
