analyzing-threat-intelligence-feeds

Analyzes structured and unstructured threat intelligence feeds to extract actionable indicators, adversary tactics, and campaign context. Use when ingesting commercial or open-source CTI feeds, evaluating feed quality, normalizing data into STIX 2.1 format, or enriching existing IOCs with campaign attribution. Activates for requests involving ThreatConnect, Recorded Future, Mandiant Advantage, MISP, AlienVault OTX, or automated feed aggregation pipelines.

Overall score: 76

Quality: 71% (does it follow best practices?)

Impact: Pending (no eval scenarios have been run)

Security (by Snyk): Advisory. Suggest reviewing before use.


Quality

Discovery

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly defines a specialized niche in cyber threat intelligence feed analysis. It provides specific actions, comprehensive trigger terms including named tools and standards, and explicitly addresses both what the skill does and when it should activate. The description is concise yet thorough, using proper third-person voice throughout.

Dimension scores (reasoning, score)

Specificity (3 / 3): Lists multiple specific concrete actions: 'extract actionable indicators', 'adversary tactics', 'campaign context', 'normalizing data into STIX 2.1 format', 'enriching existing IOCs with campaign attribution'. These are highly specific, domain-appropriate actions.

Completeness (3 / 3): Clearly answers both 'what' (analyzes threat intelligence feeds, extracts indicators, normalizes to STIX 2.1, enriches IOCs) and 'when' with explicit triggers ('Use when ingesting...', 'Activates for requests involving...'). Both clauses are detailed and explicit.

Trigger Term Quality (3 / 3): Excellent coverage of natural trigger terms users in this domain would use: 'CTI feeds', 'STIX 2.1', 'IOCs', 'ThreatConnect', 'Recorded Future', 'Mandiant Advantage', 'MISP', 'AlienVault OTX', 'threat intelligence', 'feed aggregation'. These are the exact terms a security analyst would naturally use.

Distinctiveness / Conflict Risk (3 / 3): Highly distinctive niche in threat intelligence feed analysis with specific tool names (ThreatConnect, MISP, etc.) and domain-specific formats (STIX 2.1). Very unlikely to conflict with other skills given the specialized terminology and clear scope.

Total: 12 / 12. Passed.

Implementation

42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides a reasonable high-level workflow for CTI feed analysis with some concrete examples, but suffers from verbosity in areas Claude already understands (glossary definitions, tool descriptions) while lacking depth in areas that would actually help (executable code, validation steps, error handling). The monolithic structure with no progressive disclosure makes it token-inefficient, and the absence of validation checkpoints in a multi-step data pipeline is a notable gap.

Suggestions

Move the Key Concepts table and Tools & Systems catalog to separate reference files (e.g., GLOSSARY.md, TOOLS.md) and link to them from the main skill, freeing up token budget for more actionable content.

Add explicit validation checkpoints after Steps 3 and 4 — e.g., a STIX validation command/script after normalization and a count/diff check after deduplication — with error recovery guidance.

Replace the descriptive STIX normalization guidance with a complete, executable Python function that takes raw IOC data and outputs valid STIX 2.1 JSON.

Remove definitions of well-known terms (IOC, STIX, TAXII, TLP) that Claude already knows, and use the reclaimed space for concrete code examples in the enrichment and distribution steps.
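As an added example of the executable normalization and checkpoint code the suggestions above ask for (this is not code from the skill under review or from its repository), the block below takes raw IOC records, emits STIX 2.1 Indicator objects, validates each one against the required-property list and timestamp/id formats, then deduplicates across feeds and reports counts the pipeline can assert on. The raw record schema (type, value, source, confidence, first_seen), the sample records, and the UUID namespace are assumptions made for the example; it uses only the standard library.

```python
# Added example: normalize raw IOC records into STIX 2.1 Indicators, validate each
# object, and deduplicate across feeds with a count report. Stdlib only.
import re
import uuid
from datetime import datetime, timezone

# Constructed sample records; the field names are an assumed aggregator schema.
RAW_IOCS = [
    {"type": "ipv4", "value": "203.0.113.7", "source": "feed-a", "confidence": 80, "first_seen": "2024-03-01T10:00:00Z"},
    {"type": "domain", "value": "malicious.example", "source": "feed-a", "confidence": 60, "first_seen": "2024-03-01T10:05:00Z"},
    {"type": "ipv4", "value": "203.0.113.7", "source": "feed-b", "confidence": 90, "first_seen": "2024-03-02T08:00:00Z"},
    {"type": "sha256", "value": "a" * 64, "source": "feed-b", "confidence": 70, "first_seen": "2024-03-02T09:00:00Z"},
    {"type": "yara", "value": "rule x { condition: true }", "source": "feed-b"},  # not an atomic IOC
]

PATTERN_TEMPLATES = {  # atomic IOC types this converter can express as STIX patterns
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}
ID_NS = uuid.UUID("0f8c1e9a-6b2d-4f3a-9c7e-2d5b8a1c3e4f")  # hypothetical namespace; choose your own
STIX_TS = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,3})?Z$")
STIX_ID = re.compile(r"^indicator--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
REQUIRED = ("type", "spec_version", "id", "created", "modified", "pattern", "pattern_type", "valid_from")


def to_stix_timestamp(value, default):
    """RFC 3339 UTC timestamp in the form STIX 2.1 requires (millisecond precision, 'Z' suffix)."""
    dt = default if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))
    dt = (dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)).astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def normalize(raw, now=None):
    """One raw record -> one STIX 2.1 Indicator, or None if the type is unsupported."""
    template, value = PATTERN_TEMPLATES.get(raw.get("type")), raw.get("value")
    if template is None or not value:
        return None
    now = now or datetime.now(timezone.utc)
    # Values land inside single-quoted pattern literals; escape them so a crafted
    # feed value cannot alter the comparison expression.
    pattern = template.format(v=value.replace("\\", "\\\\").replace("'", "\\'"))
    ts = to_stix_timestamp(None, now)
    indicator = {
        "type": "indicator", "spec_version": "2.1",
        # UUIDv5 keyed on the pattern: the same IOC from two feeds maps to one id
        # (STIX requires only a UUID; v4 is usual, v5 makes dedup trivial).
        "id": "indicator--" + str(uuid.uuid5(ID_NS, pattern)),
        "created": ts, "modified": ts,
        "pattern": pattern, "pattern_type": "stix",
        "valid_from": to_stix_timestamp(raw.get("first_seen"), now),
        "external_references": [{"source_name": raw.get("source", "unknown")}],
    }
    if isinstance(raw.get("confidence"), int):
        indicator["confidence"] = max(0, min(100, raw["confidence"]))  # STIX confidence is 0..100
    return indicator


def validate(obj):
    """Checkpoint after normalization: list of problems, empty when the object passes."""
    errors = [f"missing {k}" for k in REQUIRED if k not in obj]
    if errors:
        return errors
    if obj["type"] != "indicator" or obj["spec_version"] != "2.1":
        errors.append("type/spec_version mismatch")
    if not STIX_ID.match(obj["id"]):
        errors.append(f"malformed id {obj['id']}")
    errors += [f"bad timestamp in {k}" for k in ("created", "modified", "valid_from") if not STIX_TS.match(obj[k])]
    if obj["pattern_type"] != "stix" or not (obj["pattern"].startswith("[") and obj["pattern"].endswith("]")):
        errors.append("pattern is not a bracketed STIX pattern")
    if "confidence" in obj and not 0 <= obj["confidence"] <= 100:
        errors.append("confidence out of range")
    return errors


def dedupe(indicators):
    """Checkpoint after dedup: merge objects sharing an id (highest confidence, earliest
    valid_from, union of sources) and return the merged list plus the merge count."""
    merged = {}
    for ind in indicators:
        kept = merged.setdefault(ind["id"], ind)
        if kept is not ind:
            kept["confidence"] = max(kept.get("confidence", 0), ind.get("confidence", 0))
            kept["valid_from"] = min(kept["valid_from"], ind["valid_from"])
            seen = {r["source_name"] for r in kept["external_references"]}
            kept["external_references"] += [r for r in ind["external_references"] if r["source_name"] not in seen]
    return list(merged.values()), len(indicators) - len(merged)


def build_bundle(raw_records, now=None):
    """normalize -> validate -> dedupe; returns (STIX 2.1 bundle, count report)."""
    report = {"input": len(raw_records), "rejected": 0, "invalid": 0, "duplicates_merged": 0}
    normalized = []
    for raw in raw_records:
        ind = normalize(raw, now)
        if ind is None:
            report["rejected"] += 1
        elif validate(ind):
            report["invalid"] += 1
        else:
            normalized.append(ind)
    objects, report["duplicates_merged"] = dedupe(normalized)
    report["output"] = len(objects)
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}, report
```

The counts in the report are what the pipeline should assert on: input minus rejected minus invalid minus duplicates_merged must equal output, and a merge count far above the expected overlap between feeds is a sign that the id derivation is collapsing distinct indicators. The structural checks in validate cover only the properties this example sets; a production checkpoint would run the OASIS stix2-validator over the bundle as well.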

Dimension scores (reasoning, score)

Conciseness (2 / 3): The skill includes some unnecessary explanatory content that Claude would already know (e.g., the Key Concepts table defining STIX, TAXII, IOC, TLP, all well-known to Claude). The Tools & Systems section also reads like a catalog description rather than actionable guidance. However, the workflow steps themselves are reasonably efficient.

Actionability (2 / 3): There are some concrete commands (taxii2-client CLI examples) and specific API endpoints, but much of the guidance remains at a descriptive/advisory level rather than providing executable code. The STIX normalization step describes patterns but doesn't provide a complete Python script for conversion. The enrichment and distribution steps are procedural descriptions rather than copy-paste-ready implementations.

Workflow Clarity (2 / 3): The five-step workflow is clearly sequenced and logically ordered, but it lacks explicit validation checkpoints and feedback loops. There's no 'validate the STIX output' step after normalization, no verification that deduplication succeeded correctly, and no error recovery guidance if API ingestion fails beyond a brief mention of exponential backoff. For a pipeline involving batch operations and data transformation, this absence caps the score.

Progressive Disclosure (1 / 3): The content is a monolithic wall of text with no references to external files for detailed content. The Key Concepts table, Tools & Systems catalog, and Common Pitfalls could all be split into separate reference files. There are no cross-references or navigation aids to supplementary materials, and everything is inlined in a single long document.

Total: 7 / 12. Passed.

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 passed

Validation for skill structure

Criteria: frontmatter_unknown_keys
Description: Unknown frontmatter key(s) found; consider removing or moving to metadata
Result: Warning

Total: 10 / 11. Passed.

Repository: mukul975/Anthropic-Cybersecurity-Skills (reviewed)
