MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. This skill covers systematically mapping threat actor beh
Quality: 36% (Does it follow best practices?)
Impact: Pending (no eval scenarios have been run)
Advisory: Suggest reviewing before use
Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/analyzing-threat-actor-ttps-with-mitre-attack/SKILL.md`

Quality

Discovery: 22%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This description is critically flawed due to truncation — it cuts off mid-word, leaving it incomplete and unusable for skill selection. Even the portion that exists reads more like a Wikipedia definition of MITRE ATT&CK than a functional skill description, lacking concrete actions and any 'Use when...' guidance.
Suggestions
Complete the truncated description and add a clear 'Use when...' clause with explicit triggers such as 'Use when the user asks about MITRE ATT&CK mappings, threat actor TTPs, technique IDs, or adversary behavior analysis.'
Replace the encyclopedic definition with specific concrete actions, e.g., 'Maps threat actor behaviors to MITRE ATT&CK techniques, identifies relevant tactics and sub-techniques, generates ATT&CK Navigator layers, and cross-references threat groups with known TTPs.'
Add natural trigger term variations users might say, such as 'ATT&CK matrix', 'technique ID', 'T-number', 'threat intelligence mapping', 'adversary emulation', or 'kill chain analysis'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | The description defines what MITRE ATT&CK is (a knowledge base) but only begins to mention 'systematically mapping threat actor beh' before being truncated. No concrete actions like 'map techniques to groups', 'identify TTPs', or 'generate ATT&CK Navigator layers' are listed. | 1 / 3 |
| Completeness | The description is truncated and incomplete. It partially addresses 'what' (mapping threat actor behavior) but never reaches a 'when' clause. The truncation means it fails to answer either question fully. | 1 / 3 |
| Trigger Term Quality | Contains some relevant keywords like 'MITRE ATT&CK', 'tactics, techniques, and procedures', 'TTPs', and 'threat actor', which users might naturally use. However, it's missing common variations like 'threat intelligence', 'adversary emulation', 'ATT&CK matrix', 'technique ID', or 'T-number'. | 2 / 3 |
| Distinctiveness Conflict Risk | The mention of 'MITRE ATT&CK' specifically is a fairly distinct domain identifier that reduces conflict with generic security skills. However, the truncation and vague 'mapping threat actor beh...' language could overlap with general threat intelligence or cybersecurity analysis skills. | 2 / 3 |
| Total | | 6 / 12 Passed |
Implementation: 50%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides genuinely useful, executable Python code for ATT&CK-based threat analysis with a clear five-step workflow. However, it is significantly bloated with explanatory content Claude doesn't need (ATT&CK concepts, matrix structure descriptions) and lengthy boilerplate code (Navigator layer JSON config). The workflow lacks inline validation steps and error handling, and the content would benefit from being split across files.
Suggestions
Remove the 'Key Concepts' section entirely—Claude already understands ATT&CK structure, Navigator layers, and threat group profiles.
Add inline validation after Step 1 (verify TAXII connection and non-empty results) and after Step 3 (validate Navigator JSON schema before writing to disk).
Extract the Navigator layer template JSON into a separate reference file and link to it, keeping only the function signature and a brief usage example inline.
Remove or drastically shorten the 'When to Use' section—its four bullets are generic and add no actionable information.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is excessively verbose. The 'Key Concepts' section explains ATT&CK matrix structure, threat group profiles, and Navigator concepts that Claude already knows well. The 'When to Use' section is generic filler. The 'Overview' repeats the description. The Navigator layer generation code includes extensive boilerplate JSON configuration that could be significantly trimmed. | 1 / 3 |
| Actionability | The skill provides fully executable Python code across all five steps, with specific library imports, API calls, and data processing logic. Code is copy-paste ready with concrete examples using real group IDs (G0016 for APT29) and produces tangible outputs (Navigator JSON layers, gap analysis reports). | 3 / 3 |
| Workflow Clarity | The five steps are clearly sequenced and logically ordered from data querying through gap analysis. However, there are no validation checkpoints between steps (e.g., verifying TAXII server connectivity, validating the Navigator JSON schema before saving, handling API failures). The 'Validation Criteria' section is a post-hoc checklist rather than integrated feedback loops. | 2 / 3 |
| Progressive Disclosure | The content is a monolithic document with all code inline. The Navigator layer generation code alone is ~50 lines that could be referenced externally. References are listed at the end but there's no structured linking to separate detailed guides for advanced topics like STIX manipulation, custom scoring models, or ICS/Mobile matrix specifics mentioned in the overview. | 2 / 3 |
| Total | | 8 / 12 Passed |
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation: 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
888bbe4