CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-threat-landscape-with-misp

Analyze the threat landscape using MISP (Malware Information Sharing Platform) by querying event statistics, attribute distributions, threat actor galaxy clusters, and tag trends over time. Uses PyMISP to pull event data, compute IOC type breakdowns, identify top threat actors and malware families, and generate threat landscape reports with temporal trends.

67

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Risky

Do not use without reviewing

SKILL.md
Quality
Evals
Security

Quality

Content

80%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

A concise, actionable skill body with a real executable script, weakened by a missing validation checkpoint in the batch workflow and an orphaned reference file that the body never links to.

Suggestions

Add a verification checkpoint to the workflow, e.g. after connecting confirm the event count is non-zero and after running validate that landscape_report.json contains expected keys before reporting success.

Link references/api-reference.md from the body (e.g. an 'API reference' line under Instructions) so the existing reference is discoverable instead of orphaned.

Note how to handle common failure modes (empty result set, auth/API-key errors, SSL issues via --no-ssl) to give the batch operation a feedback loop.

DimensionReasoningScore

Conciseness

The body is lean and assumes Claude's competence — it never explains what MISP or IOCs are, and the Instructions are tight with a single copy-paste command. Not a 2 because there is no padded explanation to trim.

3 / 3

Actionability

Provides an executable install step and a complete copy-paste command ('python scripts/agent.py --misp-url ... --api-key ... --days 90 --output landscape_report.json') backed by a real, complete scripts/agent.py. Not a 2 because the guidance is fully executable rather than pseudocode.

3 / 3

Workflow Clarity

Steps are sequenced (install, configure, run) but this is a batch operation over many events with no validation/verification checkpoint (e.g. verify the API connection, sanity-check event count, validate the report), so workflow clarity is capped at 2. Not a 1 because the sequence is present and unambiguous.

2 / 3

Progressive Disclosure

Sections are well organized and scripts/agent.py is clearly signaled via the run command, but references/api-reference.md exists yet is never linked or referenced from the body, so a reference is present but not clearly signaled. Not a 3 because navigation to the existing reference file is missing; not a 1 because the overview itself is well structured and one path is signaled.

2 / 3

Total

10

/

12

Passed

Description

82%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

A specific, well-scoped description with concrete actions and natural trigger terms, but it omits any explicit 'Use when...' trigger guidance, which caps completeness.

Suggestions

Add an explicit 'Use when...' clause, e.g. 'Use when analyzing a MISP instance's threat landscape, summarizing IOC distributions, or reporting on threat actor and malware-family trends over time.'

Surface a couple of common user phrasings (e.g. 'IOC analysis', 'threat intel summary', 'MISP report') to broaden natural-trigger coverage.

DimensionReasoningScore

Specificity

Lists multiple concrete actions such as 'querying event statistics, attribute distributions, threat actor galaxy clusters, and tag trends' and 'compute IOC type breakdowns, identify top threat actors and malware families, and generate threat landscape reports', matching the multiple-specific-actions anchor.

3 / 3

Completeness

It clearly answers 'what' but contains no 'Use when...' clause or equivalent explicit trigger guidance, so per the judging guideline completeness is capped at 2. Not a 1 because the 'what' is thorough, and not a 3 because 'when' is entirely absent rather than explicit.

2 / 3

Trigger Term Quality

Uses natural CTI terms a user would actually say — 'threat landscape', 'MISP', 'IOC', 'threat actors', 'malware families' — giving good coverage rather than just jargon. Not scored lower because these are domain-natural, not overly generic.

3 / 3

Distinctiveness Conflict Risk

The MISP-specific framing ('Analyze the threat landscape using MISP', 'Uses PyMISP') carves a clear niche with distinct triggers unlikely to fire for unrelated skills.

3 / 3

Total

11

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.