
analyzing-threat-intelligence-feeds

Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators, adversary tactics, and campaign context. Use when ingesting commercial or open-source CTI feeds, evaluating feed quality, normalizing data into STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates for requests involving ThreatConnect, Recorded Future, Mandiant Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines.

76

Quality: 71% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Advisory (Suggest reviewing before use)

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/analyzing-threat-intelligence-feeds/SKILL.md

Quality

Discovery

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly defines a specific cyber threat intelligence domain with concrete actions, explicit trigger conditions, and named tools/platforms. It uses proper third-person voice throughout and provides both 'Use when' and 'Activates for' clauses that cover diverse trigger scenarios. The description is comprehensive yet concise, making it easy for Claude to distinguish this skill from others.

Specificity: 3 / 3
Lists multiple specific concrete actions: 'extract actionable indicators', 'adversary tactics', 'campaign context', 'normalizing data into STIX 2.1 format', 'enriching existing IOCs with campaign attribution', and 'evaluating feed quality'.

Completeness: 3 / 3
Clearly answers both 'what' (analyzes threat intelligence feeds, extracts indicators, normalizes to STIX 2.1, enriches IOCs) and 'when' with explicit triggers ('Use when ingesting...', 'Activates for requests involving...' with specific tool names and scenarios).

Trigger Term Quality: 3 / 3
Excellent coverage of natural trigger terms users would say: 'threat intelligence feeds', 'CTI feeds', 'STIX 2.1', 'IOCs', 'campaign attribution', and specific product names like 'ThreatConnect', 'Recorded Future', 'Mandiant Advantage', 'MISP', 'AlienVault OTX'. These are terms a security analyst would naturally use.

Distinctiveness / Conflict Risk: 3 / 3
Highly distinctive niche in cyber threat intelligence with specific product names, data formats (STIX 2.1), and domain-specific terminology (IOCs, CTI feeds, campaign attribution) that would not overlap with general data processing or security skills.

Total: 12 / 12 (Passed)

Implementation

42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides a reasonable high-level workflow for CTI feed analysis with some concrete examples (TAXII CLI commands, STIX patterns, API endpoints), but suffers from verbosity in areas Claude already understands (glossary definitions, tool descriptions) while lacking depth where it matters most (executable code, validation steps). The monolithic structure with no progressive disclosure makes it token-inefficient, and the absence of validation checkpoints in a multi-step data pipeline is a notable gap.

Suggestions

Remove the Key Concepts glossary table and Tools & Systems descriptions — Claude already knows these terms and tools. Replace with a brief inline reference only where disambiguation is needed.

Add explicit validation checkpoints after Steps 3 and 4 (e.g., validate STIX output against the OASIS JSON schema, verify deduplication counts, check enrichment API response codes) with error recovery loops.

Provide complete, executable Python code for the normalization step (Step 3) and at least one enrichment integration (Step 4) rather than descriptive prose.

Split detailed content (tool-specific API examples, STIX pattern reference, enrichment provider details) into separate referenced files to improve progressive disclosure and reduce the main skill's token footprint.
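The second and third suggestions ask for executable normalization code with validation checkpoints. The following is an added example written for this review, not code from the skill, the Anthropic-Cybersecurity-Skills repository, or Tessl. It turns parsed feed rows into STIX 2.1 Indicator objects with standard-library Python only, deduplicates them with deterministic UUIDv5 ids, and runs a structural checkpoint (required properties, id and timestamp format, pattern shape, confidence range) plus a row-count reconciliation before a bundle is emitted. The UUID namespace, the SAMPLE_FEED rows, and the row shape ({type, value, confidence, source}) are assumptions; a real pipeline would also validate against the OASIS JSON schemas as the suggestion recommends.

```python
"""Normalize feed rows into STIX 2.1 Indicators, deduplicate, and checkpoint.
Standard library only. SAMPLE_FEED is constructed data, not a real feed."""
import json
import re
import uuid
from datetime import datetime, timezone

# Assumed per-deployment namespace: UUIDv5 makes the same IOC map to the same
# indicator id on every run, so re-ingesting a feed cannot create duplicates.
ID_NAMESPACE = uuid.UUID("6ba7b810-9dad-11d1-80b4-00c04fd430c8")

# Constructed sample rows in the shape most CSV/JSON feeds take after parsing.
SAMPLE_FEED = [
    {"type": "ipv4", "value": "203.0.113.7", "confidence": 80, "source": "feedA"},
    {"type": "domain", "value": "bad.example", "confidence": 60, "source": "feedA"},
    {"type": "ipv4", "value": "203.0.113.7", "confidence": 75, "source": "feedB"},  # duplicate
    {"type": "sha256", "value": "a" * 64, "confidence": 90, "source": "feedB"},
    {"type": "url", "value": "http://bad.example/x", "confidence": 50, "source": "feedC"},
    {"type": "ipv4", "value": "not-an-ip", "confidence": 50, "source": "feedC"},  # malformed
]

# Feed IOC type -> STIX pattern over the matching cyber-observable object.
PATTERNS = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}
# Syntax checks a value must pass before it is trusted enough to become a pattern.
SHAPES = {
    "ipv4": re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    "domain": re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I),
    "url": re.compile(r"^https?://\S+$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
}
REQUIRED = ("type", "spec_version", "id", "created", "modified", "pattern", "pattern_type", "valid_from")
ID_RE = re.compile(r"^indicator--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z$")


def stix_timestamp(dt):
    """RFC 3339 UTC with millisecond precision and a literal 'Z', as STIX 2.1 requires."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def to_indicator(row, now):
    """Return a STIX 2.1 Indicator dict, or None if the row cannot be normalized."""
    ioc_type, value = row.get("type"), str(row.get("value", "")).strip()
    if ioc_type not in PATTERNS or not SHAPES[ioc_type].match(value):
        return None
    literal = value.replace("\\", "\\\\").replace("'", "\\'")  # escape for the pattern literal
    stamp = stix_timestamp(now)
    ident = uuid.uuid5(ID_NAMESPACE, f"{ioc_type}:{value.lower()}")
    return {
        "type": "indicator", "spec_version": "2.1", "id": f"indicator--{ident}",
        "created": stamp, "modified": stamp, "valid_from": stamp,
        "name": f"{ioc_type} from {row.get('source', 'unknown')}",
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERNS[ioc_type].format(v=literal), "pattern_type": "stix",
        "confidence": max(0, min(100, int(row.get("confidence", 0)))),
    }


def normalize(rows, now=None):
    """Normalize and deduplicate; keep the highest-confidence copy of each indicator."""
    now = now or datetime.now(timezone.utc)
    kept, rejected, duplicates = {}, [], 0
    for row in rows:
        ind = to_indicator(row, now)
        if ind is None:
            rejected.append(row)
            continue
        prev = kept.get(ind["id"])
        if prev is not None:
            duplicates += 1
        if prev is None or ind["confidence"] > prev["confidence"]:
            kept[ind["id"]] = ind
    return list(kept.values()), rejected, duplicates


def validate_indicator(ind):
    """Validation checkpoint: list of problems, empty when the object passes."""
    problems = [f"missing {k}" for k in REQUIRED if k not in ind]
    if problems:
        return problems
    if ind["type"] != "indicator" or ind["spec_version"] != "2.1":
        problems.append("type/spec_version must be indicator/2.1")
    if not ID_RE.match(ind["id"]):
        problems.append("id is not indicator--<uuid>")
    for k in ("created", "modified", "valid_from"):
        if not TS_RE.match(ind[k]):
            problems.append(f"{k} is not an RFC 3339 UTC timestamp")
    if ind["pattern_type"] == "stix" and not (ind["pattern"].startswith("[") and ind["pattern"].endswith("]")):
        problems.append("stix pattern must be a bracketed comparison expression")
    if not 0 <= ind.get("confidence", 0) <= 100:
        problems.append("confidence outside 0-100")
    return problems


def build_bundle(rows, now=None):
    """Run the pipeline with checkpoints; raise instead of shipping a bad bundle."""
    indicators, rejected, duplicates = normalize(rows, now)
    failures = {}
    for ind in indicators:
        problems = validate_indicator(ind)
        if problems:
            failures[ind["id"]] = problems
    if failures:
        raise ValueError(f"validation failed: {failures}")
    report = {"input": len(rows), "unique": len(indicators), "rejected": len(rejected), "duplicates": duplicates}
    if report["unique"] + report["rejected"] + report["duplicates"] != report["input"]:
        raise ValueError(f"row reconciliation failed: {report}")  # a row was silently lost
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": indicators}, report


if __name__ == "__main__":
    bundle, report = build_bundle(SAMPLE_FEED)
    print(json.dumps(bundle, indent=2))
    print(report)
```

Running the script on the constructed feed yields four unique indicators, one rejected row and one absorbed duplicate. The reconciliation check is the cheap version of the count verification the suggestion asks for: it catches a normalizer that drops rows without recording them, which a schema validator alone never would.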

Conciseness: 2 / 3
The skill includes some unnecessary explanatory content like the Key Concepts glossary table (Claude knows what STIX, TAXII, IOC, and TLP are) and the Tools & Systems descriptions that largely restate common knowledge. The workflow steps themselves are reasonably efficient but could be tightened.

Actionability: 2 / 3
Provides some concrete commands (taxii2-client CLI examples, STIX pattern syntax, API endpoint references) but most guidance remains at the descriptive/procedural level rather than providing executable code. The STIX normalization section describes what to do but doesn't give a complete Python script. The enrichment and distribution steps are high-level instructions rather than copy-paste ready implementations.

Workflow Clarity: 2 / 3
The five-step workflow is clearly sequenced and logically ordered, but lacks explicit validation checkpoints and feedback loops. There's no step to verify that normalization succeeded, no validation after deduplication, and no verification that distributed indicators were accepted by consuming systems. For a pipeline involving batch operations and data transformation, this absence of validation caps the score.

Progressive Disclosure: 1 / 3
The content is a monolithic wall of text with no references to external files for detailed content. The glossary table, tools list, and common pitfalls could be split into separate reference files. There are no links to supplementary materials, examples files, or deeper documentation despite the complexity warranting it.

Total: 7 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

frontmatter_unknown_keys (Warning): Unknown frontmatter key(s) found; consider removing or moving to metadata

Total: 10 / 11 (Passed)

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed
