Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators, adversary tactics, and campaign context. Use when ingesting commercial or open-source CTI feeds, evaluating feed quality, normalizing data into STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates for requests involving ThreatConnect, Recorded Future, Mandiant Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines.
Quality: 63% (Does it follow best practices?)
Impact: — (No eval scenarios have been run)
Advisory: suggest reviewing before use
Optimize this skill with Tessl:
npx tessl skill review --optimize ./skills/analyzing-threat-intelligence-feeds/SKILL.md

Quality
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines its domain (threat intelligence feed analysis), lists specific concrete actions, provides explicit trigger conditions with both 'Use when' and 'Activates for' clauses, and includes highly distinctive terminology and product names. It uses proper third-person voice throughout and would be easily distinguishable from other skills in a large skill library.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'extract actionable indicators', 'adversary tactics', 'campaign context', 'normalizing data into STIX 2.1 format', 'enriching existing IOCs with campaign attribution', and 'evaluating feed quality'. | 3 / 3 |
| Completeness | Clearly answers both 'what' (analyzes threat intelligence feeds, extracts indicators, normalizes to STIX 2.1, enriches IOCs) and 'when' with explicit triggers ('Use when ingesting...', 'Activates for requests involving...'). | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'threat intelligence feeds', 'CTI feeds', 'STIX 2.1', 'IOCs', 'campaign attribution', and specific product names like 'ThreatConnect', 'Recorded Future', 'Mandiant Advantage', 'MISP', 'AlienVault OTX'. These are terms practitioners would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche in threat intelligence feed analysis. The specific product names, STIX 2.1 format, and CTI-specific terminology make it very unlikely to conflict with other skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
27%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill reads more like a cybersecurity training document than an actionable skill for Claude. It spends significant tokens defining standard terms and listing tools that Claude already knows about, while lacking the concrete, executable code examples and validation checkpoints that would make it truly useful. The workflow structure is reasonable but would benefit from validation steps, error recovery loops, and splitting reference material into separate files.
Suggestions
Remove the Key Concepts glossary table and Tools & Systems section entirely — Claude already knows these definitions and can reference them without being told.
Add complete, executable Python code examples for STIX 2.1 normalization and enrichment steps instead of describing the patterns abstractly.
Add explicit validation checkpoints after ingestion (verify record count, check for parsing errors) and after STIX conversion (validate against STIX 2.1 schema) with error recovery loops.
Split reference material (tool descriptions, common pitfalls, feed scoring criteria) into separate bundle files and reference them from a lean SKILL.md overview.
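To make the second and third suggestions concrete, here is an added example of what such a normalization step with validation checkpoints could look like. It is not code from the reviewed skill or from Tessl; the CSV column layout, the feed type labels, and the sample rows are constructed assumptions, and the post-conversion check enforces the STIX 2.1 Indicator's required properties and formats rather than the full JSON schema (the stix2-validator package does that).

```python
import csv
import io
import re
import uuid
from datetime import datetime, timezone

# Constructed sample feed (not a real vendor export): four rows, one with an
# invalid SHA-256 and one with an unparseable timestamp.
SAMPLE_FEED = """\
type,value,confidence,first_seen
ipv4-addr,198.51.100.23,85,2024-03-01T10:15:00Z
domain-name,evil.example,60,2024-03-02T08:00:00Z
sha256,not-a-hash,90,2024-03-02T09:30:00Z
url,http://bad.example/x,70,not-a-timestamp
"""
# Assumed feed type labels mapped to STIX 2.1 pattern templates.
PATTERNS = {
    "ipv4-addr": "[ipv4-addr:value = '{v}']",
    "domain-name": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}
HASH_RE = re.compile(r"^[0-9a-fA-F]{64}$")
STIX_TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")
REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")


def stix_timestamp(dt):
    """RFC 3339 UTC form with millisecond precision, as STIX 2.1 expects."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def ingest(feed_text):
    """Checkpoint 1: parse every row; return (good_records, [(line, error)])."""
    records, errors = [], []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(feed_text)), start=2):
        try:
            itype, value = row["type"], row["value"].strip()
            if itype not in PATTERNS:
                raise ValueError(f"unsupported indicator type {itype!r}")
            if itype == "sha256" and not HASH_RE.match(value):
                raise ValueError("value is not a SHA-256 hex digest")
            confidence = int(row["confidence"])
            if not 0 <= confidence <= 100:
                raise ValueError("confidence outside 0-100")
            first_seen = datetime.strptime(row["first_seen"], "%Y-%m-%dT%H:%M:%SZ")
            records.append({"type": itype, "value": value, "confidence": confidence,
                            "first_seen": first_seen.replace(tzinfo=timezone.utc)})
        except (KeyError, ValueError) as exc:
            errors.append((lineno, str(exc)))
    return records, errors


def to_indicator(record, now):
    """Build a STIX 2.1 Indicator; the value is escaped so a hostile feed entry
    cannot break out of the pattern's string literal."""
    escaped = record["value"].replace("\\", "\\\\").replace("'", "\\'")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stix_timestamp(now),
        "modified": stix_timestamp(now),
        "pattern": PATTERNS[record["type"]].format(v=escaped),
        "pattern_type": "stix",
        "valid_from": stix_timestamp(record["first_seen"]),
        "confidence": record["confidence"],
    }


def validate_indicator(obj):
    """Checkpoint 2: structural check of STIX 2.1 Indicator rules (required
    properties, id/timestamp formats, bracketed pattern); not the full schema."""
    problems = [f"missing required property {p}" for p in REQUIRED if p not in obj]
    if not re.match(r"^indicator--[0-9a-f-]{36}$", obj.get("id", "")):
        problems.append("id is not indicator--<uuid>")
    for ts in ("created", "modified", "valid_from"):
        if ts in obj and not STIX_TS_RE.match(obj[ts]):
            problems.append(f"{ts} is not an RFC 3339 UTC timestamp")
    if obj.get("pattern_type") == "stix" and not re.match(r"^\[.*\]$", obj.get("pattern", "")):
        problems.append("stix pattern must be enclosed in brackets")
    return problems


def normalize(feed_text, now=None):
    """Ingest -> checkpoint -> convert -> checkpoint -> Bundle of passing indicators."""
    now = now or datetime.now(timezone.utc)
    records, ingest_errors = ingest(feed_text)
    expected = max(len(feed_text.strip().splitlines()) - 1, 0)  # rows minus header
    if len(records) + len(ingest_errors) != expected:
        raise RuntimeError("row accounting mismatch; refusing to continue")
    objects, conversion_errors = [], []
    for rec in records:
        ind = to_indicator(rec, now)
        if problems := validate_indicator(ind):
            conversion_errors.append((rec["value"], problems))
        else:
            objects.append(ind)
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
    report = {"rows": expected, "ingested": len(records), "emitted": len(objects),
              "ingest_errors": ingest_errors, "conversion_errors": conversion_errors}
    return bundle, report
```

Running `normalize(SAMPLE_FEED)` emits two Indicators and reports the two rejected rows by line number instead of silently dropping them; the row-accounting check turns a parser that quietly skipped records into a hard failure, and the escaping in `to_indicator` matters because feed values are attacker-influenced data that would otherwise land unquoted inside a STIX pattern.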
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is verbose and explains many concepts Claude already knows (what STIX is, what an IOC is, what TLP means, how TAXII works). The glossary table, tools list, and detailed definitions of standard cybersecurity terms waste tokens. The 'When to Use' section largely duplicates the description. Much of this content is reference knowledge Claude possesses. | 1 / 3 |
| Actionability | There are some concrete commands (taxii2-client CLI examples) and specific API endpoints, but most guidance remains at the descriptive/procedural level rather than providing executable code. The STIX normalization step describes patterns but doesn't provide a complete Python script. The enrichment and distribution steps are described abstractly without concrete implementation. | 2 / 3 |
| Workflow Clarity | The five-step workflow is clearly sequenced and logically ordered, but it lacks explicit validation checkpoints and feedback loops. There's no 'verify the ingestion succeeded' step, no error handling for failed API calls beyond mentioning backoff, and no validation that STIX conversion produced valid objects before distribution. For a pipeline involving batch operations and system integrations, this is a significant gap. | 2 / 3 |
| Progressive Disclosure | The content is a monolithic wall of text with no references to external files. The glossary, tools list, and detailed workflow steps could be split into separate reference documents. There are no bundle files, and the skill doesn't organize content for progressive discovery; everything is inline regardless of whether it's essential or supplementary. | 1 / 3 |
| Total | | 6 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
9a588e6