CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-threat-intelligence-feeds

Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators, adversary tactics, and campaign context. Use when ingesting commercial or open-source CTI feeds, evaluating feed quality, normalizing data into STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates for requests involving ThreatConnect, Recorded Future, Mandiant Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines.

63

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A well-structured, mostly actionable CTI workflow, but it is held back by redundant basic-concept definitions, a non-executable TAXII CLI example, missing validation checkpoints in a batch workflow, and bundle files that are never referenced from the body.

Suggestions

Trim the Key Concepts table to skill-specific terms (TLP, Confidence Score, Feed Fidelity) and drop STIX/TAXII/IOC definitions Claude already knows, to improve token efficiency.

Replace the fabricated 'taxii2-client discover/get-collection' CLI with the actual library usage shown in references/api-reference.md, or link to that file for executable code.

Add an explicit validate-then-retry checkpoint after normalization (e.g., verify STIX pattern syntax and confidence fields) before the distribute step, since ingestion/distribution is a batch operation with over-blocking risk.

Link the bundle files from the body — point to references/api-reference.md for full TAXII/stix2 code and scripts/agent.py for the runnable pipeline — so the overview practices proper progressive disclosure.

DimensionReasoningScore

Conciseness

The body is mostly efficient, but the Key Concepts table defines STIX 2.1, TAXII 2.1, and IOC — concepts Claude already knows — and the Tools section restates well-known platforms, adding tokens that don't earn their place.

2 / 3

Actionability

Concrete STIX patterns, API endpoints, confidence thresholds, and TTLs are provided, but the TAXII block ('taxii2-client discover', 'taxii2-client get-collection') is not executable — taxii2-client is a Python library with no such CLI subcommands — so the guidance is partly pseudocode.

2 / 3

Workflow Clarity

The five-step workflow (enumerate → ingest → normalize → deduplicate/enrich → distribute) is clearly sequenced, but it lacks explicit validation/feedback checkpoints for a batch ingestion-and-distribution operation whose own Pitfalls section warns of over-blocking.

2 / 3

Progressive Disclosure

The body is well organized into sections and bundle files exist (references/api-reference.md, scripts/agent.py), but the body never links to or signals them, so detailed code and the executable pipeline are effectively undiscoverable from the overview.

2 / 3

Total

8

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A strong, third-person description that concretely states capabilities, gives explicit use-when triggers with natural domain terms, and occupies a distinct niche via named CTI platforms. It satisfies all four dimensions at the top of the scale.

DimensionReasoningScore

Specificity

Lists multiple concrete actions such as 'extract actionable indicators, adversary tactics, and campaign context', 'normalizing data into STIX 2.1 format', and 'enriching existing IOCs with campaign attribution', matching the top anchor for several specific actions.

3 / 3

Completeness

Explicitly answers both 'what' ('Analyzes structured and unstructured threat intelligence feeds to extract...') and 'when' with a 'Use when...' clause plus 'Activates for requests involving...', matching the top anchor.

3 / 3

Trigger Term Quality

Includes natural terms a CTI practitioner would say — 'threat intelligence feeds', 'CTI feeds', 'STIX 2.1', 'IOC', and named platforms ThreatConnect, Recorded Future, Mandiant Advantage, MISP, AlienVault OTX — giving good coverage rather than jargon-only.

3 / 3

Distinctiveness Conflict Risk

The description targets a narrow CTI niche anchored by named tools (ThreatConnect, MISP, Recorded Future) and STIX 2.1 normalization, making it clearly distinguishable and unlikely to trigger for unrelated skills.

3 / 3

Total

12

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.