
analyzing-threat-landscape-with-misp

Analyze the threat landscape using MISP (Malware Information Sharing Platform) by querying event statistics, attribute distributions, threat actor galaxy clusters, and tag trends over time. Uses PyMISP to pull event data, compute IOC type breakdowns, identify top threat actors and malware families, and generate threat landscape reports with temporal trends.

67

Quality: 60% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Risky (Do not use without reviewing)

Optimize this skill with Tessl

npx tessl skill review --optimize ./skills/analyzing-threat-landscape-with-misp/SKILL.md

Quality

Discovery: 82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong description with excellent specificity and domain-specific trigger terms that clearly carve out a distinct niche around MISP-based threat intelligence analysis. The main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The description is well-written in third person and avoids vague language.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about MISP, threat intelligence analysis, IOC distributions, threat actor tracking, or generating threat landscape reports from MISP data.'

Dimension / Reasoning / Score

Specificity (3 / 3): Lists multiple specific concrete actions: querying event statistics, attribute distributions, threat actor galaxy clusters, tag trends over time, computing IOC type breakdowns, identifying top threat actors and malware families, and generating threat landscape reports with temporal trends.

Completeness (2 / 3): Clearly answers 'what does this do' with detailed capabilities, but lacks an explicit 'Use when...' clause or equivalent trigger guidance. The when is only implied by the nature of the actions described.

Trigger Term Quality (3 / 3): Includes strong natural keywords users would say: 'MISP', 'Malware Information Sharing Platform', 'threat landscape', 'PyMISP', 'IOC', 'threat actors', 'malware families', 'event statistics', 'attribute distributions', 'galaxy clusters', 'tag trends'. Good coverage of both acronyms and full terms.

Distinctiveness / Conflict Risk (3 / 3): Highly distinctive with a clear niche around MISP/PyMISP threat intelligence analysis. The specific platform (MISP), tools (PyMISP), and domain (threat landscape analysis, IOC breakdowns, galaxy clusters) make it very unlikely to conflict with other skills.

Total: 11 / 12 (Passed)

Implementation: 37%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill provides a high-level overview of MISP threat landscape analysis but lacks the concrete, executable guidance needed for Claude to actually perform the task. The workflow is underspecified with no validation steps, the referenced script is never defined, and significant boilerplate dilutes the actionable content. The example output is helpful for understanding the expected result but insufficient without the implementation details.

Suggestions

Add executable Python code showing how to use PyMISP to query events, extract attribute distributions, and retrieve galaxy clusters—don't just reference an undefined 'scripts/agent.py'.

Define a clear sequential workflow with validation checkpoints (e.g., verify MISP connectivity, validate returned event count before proceeding to analysis, check for empty results).

Remove generic prerequisites and 'When to Use' bullets that don't add MISP-specific value (e.g., 'Familiarity with threat intelligence concepts').

Add error handling guidance for common failure modes: authentication errors, empty result sets, rate limiting, and malformed API responses.
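The skill description above and the suggestions in this list both ask for the same thing: executable PyMISP-style analysis with validation checkpoints and handling for empty or error responses. The block below is an added example written for this review; it is not code from the skill, from the repository, or from the PyMISP project. It operates on plain dicts in the shape `PyMISP.search(controller="events")` returns (a list of `{"Event": {...}}`), so it runs offline against a constructed sample; the `fetch_events()` helper, the MISP URL, key, and the galaxy type names used to bucket clusters (`threat-actor`, `mitre-malware`) are assumptions you should check against your own instance.

```python
"""Threat-landscape summary over MISP event JSON.

Added example for this page (not the skill's or PyMISP's own code). Works on
plain dicts in the shape PyMISP.search(controller="events") returns, so the
analysis runs offline on the constructed sample below.
"""
from collections import Counter, defaultdict
from datetime import date
from typing import Any, Dict, Iterable, List

# Constructed sample (made-up values) mimicking MISP's REST event JSON: top-level
# attributes, attributes nested in objects, tags, and galaxy clusters.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"Event": {"id": "101", "info": "Phishing wave", "date": "2024-01-12",
        "Attribute": [{"type": "ip-dst", "value": "203.0.113.10", "to_ids": True},
                      {"type": "domain", "value": "login-portal.example", "to_ids": True},
                      {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": False}],
        "Object": [{"name": "file", "Attribute": [
            {"type": "sha256", "value": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", "to_ids": True},
            {"type": "filename", "value": "invoice.exe", "to_ids": False}]}],
        "Tag": [{"name": "tlp:amber"}, {"name": 'misp-galaxy:threat-actor="APT28"'}],
        "Galaxy": [{"type": "threat-actor", "GalaxyCluster": [{"value": "APT28"}]},
                   {"type": "mitre-malware", "GalaxyCluster": [{"value": "Zebrocy"}]}]}},
    {"Event": {"id": "102", "info": "C2 infrastructure", "date": "2024-01-28",
        "Attribute": [{"type": "ip-dst", "value": "198.51.100.7", "to_ids": True},
                      {"type": "url", "value": "http://198.51.100.7/gate.php", "to_ids": True}],
        "Tag": [{"name": "tlp:green"}],
        "Galaxy": [{"type": "threat-actor", "GalaxyCluster": [{"value": "APT28"}]}]}},
    {"Event": {"id": "103", "info": "Crypto-exchange intrusion", "date": "2024-02-03",
        "Attribute": [{"type": "domain", "value": "update-cdn.example", "to_ids": True},
                      {"type": "sha256", "value": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae", "to_ids": True},
                      {"type": "ip-src", "value": "192.0.2.44", "to_ids": False}],
        "Tag": [{"name": "tlp:amber"}],
        "Galaxy": [{"type": "threat-actor", "GalaxyCluster": [{"value": "Lazarus Group"}]},
                   {"type": "mitre-malware", "GalaxyCluster": [{"value": "AppleJeus"}]}]}},
]


def validate_events(events: Any) -> List[Dict[str, Any]]:
    """Checkpoint before analysis: refuse error payloads, empty results and
    malformed entries so a failed query cannot become an all-zero report."""
    if isinstance(events, dict) and "errors" in events:  # error dict from the client
        raise RuntimeError(f"MISP returned an error: {events['errors']}")
    if not isinstance(events, list) or not events:
        raise ValueError("no events returned for the requested window")
    bad = [i for i, e in enumerate(events) if not isinstance(e, dict) or "Event" not in e]
    if bad:
        raise ValueError(f"malformed event(s) at index {bad}: missing 'Event' key")
    return events


def iter_attributes(event: Dict[str, Any]) -> Iterable[Dict[str, Any]]:
    """Yield top-level attributes plus those nested in MISP objects; counting
    only Event['Attribute'] would miss file/network objects."""
    ev = event["Event"]
    yield from ev.get("Attribute", [])
    for obj in ev.get("Object", []):
        yield from obj.get("Attribute", [])


def attribute_type_breakdown(events: List[Dict[str, Any]], ids_only: bool = False) -> Counter:
    """Count attributes by MISP type; ids_only keeps actionable IOCs (to_ids=True)."""
    counts: Counter = Counter()
    for e in events:
        for a in iter_attributes(e):
            if not ids_only or a.get("to_ids"):
                counts[a["type"]] += 1
    return counts


def galaxy_cluster_counts(events: List[Dict[str, Any]], galaxy_type: str) -> Counter:
    """Count cluster values for one galaxy type (e.g. 'threat-actor') across events."""
    counts: Counter = Counter()
    for e in events:
        for g in e["Event"].get("Galaxy", []):
            if g.get("type") == galaxy_type:
                counts.update(c["value"] for c in g.get("GalaxyCluster", []))
    return counts


def tag_trend(events: List[Dict[str, Any]], prefix: str = "") -> Dict[str, Counter]:
    """Per-month (YYYY-MM) counts of tags starting with prefix, keyed on event date."""
    trend: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        ev = e["Event"]
        month = date.fromisoformat(ev["date"]).strftime("%Y-%m")
        trend[month].update(t["name"] for t in ev.get("Tag", []) if t["name"].startswith(prefix))
    return dict(trend)


def build_report(events: Any, top_n: int = 5) -> Dict[str, Any]:
    """Validate, then summarise IOC types, top actors/malware and TLP tag trend."""
    events = validate_events(events)
    return {
        "event_count": len(events),
        "ioc_types": attribute_type_breakdown(events, ids_only=True).most_common(top_n),
        "threat_actors": galaxy_cluster_counts(events, "threat-actor").most_common(top_n),
        "malware": galaxy_cluster_counts(events, "mitre-malware").most_common(top_n),
        "tlp_by_month": {m: dict(c) for m, c in sorted(tag_trend(events, "tlp:").items())},
    }


def fetch_events(url: str, key: str, date_from: str, verify_ssl: bool = True) -> List[Dict[str, Any]]:
    """Live variant (assumed PyMISP usage, not run offline). Auth and connection
    failures raise PyMISPError from the client; error dicts are caught above."""
    from pymisp import PyMISP  # pip install pymisp
    misp = PyMISP(url, key, ssl=verify_ssl)
    return validate_events(misp.search(controller="events", published=True,
                                       date_from=date_from, pythonify=False))


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(SAMPLE_EVENTS), indent=2))
```

Swap `SAMPLE_EVENTS` for `fetch_events("https://misp.example", "<api-key>", "2024-01-01")` to run it against a real instance; `validate_events()` is the checkpoint the review asks for, and counting object attributes alongside top-level ones is the detail most quick scripts get wrong.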

Dimension / Reasoning / Score

Conciseness (2 / 3): The 'When to Use' and 'Prerequisites' sections contain generic filler that Claude already knows (e.g., 'Familiarity with threat intelligence concepts', 'Access to a test or lab environment'). The core actionable content is relatively brief but padded with boilerplate.

Actionability (2 / 3): Provides a CLI command and an example output summary, but lacks executable Python code for the actual analysis steps (querying events, computing distributions, extracting galaxy clusters). The 'scripts/agent.py' is referenced but never shown or explained, making it unclear what Claude should actually implement.

Workflow Clarity (1 / 3): The multi-step process (pull events, analyze attributes, identify techniques, track actors, generate trends) is listed as bullet points under a single step with no sequencing, validation checkpoints, or error handling. There's no guidance on what to do if the MISP connection fails, if data is incomplete, or how to verify results.

Progressive Disclosure (2 / 3): The content is organized into sections (When to Use, Prerequisites, Instructions, Examples) which provides some structure, but there are no references to external files for detailed API usage, advanced configurations, or extended examples. Everything is inline but incomplete rather than properly split.

Total: 7 / 12 (Passed)

Validation: 90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria / Description / Result

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 10 / 11 (Passed)

Repository: mukul975/Anthropic-Cybersecurity-Skills (Reviewed)
