analyzing-threat-landscape-with-misp
Analyze the threat landscape using MISP (Malware Information Sharing Platform) by querying event statistics, attribute distributions, threat actor galaxy clusters, and tag trends over time. Uses PyMISP to pull event data, compute IOC type breakdowns, identify top threat actors and malware families, and generate threat landscape reports with temporal trends.
46
48%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Risky
Do not use without reviewing
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-threat-landscape-with-misp/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted description with excellent specificity and domain-relevant trigger terms that clearly carve out a distinct niche around MISP-based threat intelligence analysis. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill over others. The technical depth is appropriate for the target audience without being overly jargon-heavy.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about threat intelligence analysis, MISP queries, IOC breakdowns, threat actor identification, or generating threat landscape reports from MISP data.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: querying event statistics, attribute distributions, threat actor galaxy clusters, tag trends over time, computing IOC type breakdowns, identifying top threat actors and malware families, and generating threat landscape reports with temporal trends. | 3 / 3 |
Completeness | The description clearly answers 'what does this do' with detailed capabilities, but lacks an explicit 'Use when...' clause or equivalent trigger guidance. The 'when' is only implied by the nature of the actions described. | 2 / 3 |
Trigger Term Quality | Includes strong natural keywords users would say: 'MISP', 'Malware Information Sharing Platform', 'threat landscape', 'PyMISP', 'IOC', 'threat actors', 'malware families', 'event statistics', 'attribute distributions', 'galaxy clusters', 'tag trends'. These cover both acronyms and full terms users in the threat intelligence domain would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive with a clear niche: MISP-specific threat intelligence analysis using PyMISP. The combination of MISP, PyMISP, IOC breakdowns, galaxy clusters, and threat landscape reporting is very unlikely to conflict with other skills. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
14%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is largely a generic template with boilerplate sections that don't add value for Claude. The core technical content — how to actually query MISP, compute IOC distributions, and generate reports — is either absent or delegated to a non-existent script. The example output is a nice touch but insufficient to compensate for the lack of executable code and clear workflow.
Suggestions
Remove the generic 'When to Use' and 'Prerequisites' sections and replace them with concrete PyMISP code examples showing how to query events, extract attribute distributions, and identify threat actors.
Provide executable Python code for each analysis step (event statistics, attribute breakdown, galaxy cluster queries) rather than referencing a non-existent 'scripts/agent.py'.
Add explicit validation checkpoints — e.g., verify API connectivity before querying, check event count thresholds, validate JSON output schema — to create a proper workflow with error recovery.
Either include the referenced 'scripts/agent.py' in the bundle or remove the reference and inline the logic directly in the skill.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The 'When to Use' and 'Prerequisites' sections are padded with generic boilerplate that Claude already knows (e.g., 'Familiarity with threat intelligence concepts', 'Access to a test or lab environment'). The skill explains obvious context rather than providing lean, actionable content. | 1 / 3 |
Actionability | There is a concrete CLI command and a pip install step, but the core instructions are vague ('Configure MISP URL and API key', 'Run the agent'). No executable Python code is provided for the actual analysis steps (querying events, computing distributions, etc.), and the referenced 'scripts/agent.py' doesn't exist in the bundle. | 2 / 3 |
Workflow Clarity | The multi-step process lacks clear sequencing and has no validation checkpoints. Steps like 'Pull event statistics' and 'Analyze attribute type distributions' are listed as sub-bullets without concrete commands, error handling, or verification steps. There's no feedback loop for API failures or data quality issues. | 1 / 3 |
Progressive Disclosure | No bundle files are provided, yet the skill references 'scripts/agent.py' which doesn't exist. The content is a flat structure with no references to supporting documentation. The example output section is helpful but the overall organization is poor — generic sections dominate while actual technical depth is missing. | 1 / 3 |
Total | 5 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
0445030
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.