analyzing-threat-landscape-with-misp
Analyze the threat landscape using MISP (Malware Information Sharing Platform) by querying event statistics, attribute distributions, threat actor galaxy clusters, and tag trends over time. Uses PyMISP to pull event data, compute IOC type breakdowns, identify top threat actors and malware families, and generate threat landscape reports with temporal trends.
61
52%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Risky
Do not use without reviewing
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-threat-landscape-with-misp/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description that clearly communicates the skill's capabilities in MISP-based threat landscape analysis with excellent domain-specific trigger terms. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know precisely when to select this skill. The description is well-written in third person and avoids vague language.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about threat intelligence, MISP queries, IOC analysis, threat landscape reports, or malware family tracking.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: querying event statistics, attribute distributions, threat actor galaxy clusters, tag trends over time, computing IOC type breakdowns, identifying top threat actors and malware families, and generating threat landscape reports with temporal trends. | 3 / 3 |
Completeness | Clearly answers 'what does this do' with detailed capabilities, but lacks an explicit 'Use when...' clause or equivalent trigger guidance. The 'when' is only implied by the nature of the actions described. | 2 / 3 |
Trigger Term Quality | Includes strong natural keywords users would say: 'MISP', 'Malware Information Sharing Platform', 'threat landscape', 'PyMISP', 'IOC', 'threat actors', 'malware families', 'event statistics', 'attribute distributions', 'galaxy clusters', 'tag trends'. These cover both acronyms and full terms a security analyst would use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive with a clear niche around MISP/PyMISP threat intelligence analysis. The specific platform (MISP), tool (PyMISP), and domain (threat landscape analysis, IOC breakdowns, galaxy clusters) make it very unlikely to conflict with other skills. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
22%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is mostly a high-level overview with generic boilerplate sections that don't add value for Claude. It lacks executable PyMISP code despite the description promising it, instead delegating everything to an unshown `scripts/agent.py`. The workflow has no validation steps or error recovery, and the instructions are too vague to be reliably actionable.
Suggestions
Remove the generic 'When to Use' and 'Prerequisites' sections and replace them with MISP-specific configuration details (e.g., how to set up the API key, expected MISP version).
Provide actual executable PyMISP code snippets for key operations (querying events, extracting attribute distributions, fetching galaxy clusters) rather than referencing an opaque script.
Add validation checkpoints: verify MISP connectivity before querying, check that events are returned, validate output format before writing the report.
Either include or clearly link to the `scripts/agent.py` file, and add a reference section for advanced features like temporal trend analysis configuration.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The 'When to Use' and 'Prerequisites' sections are padded with generic boilerplate that Claude already knows (e.g., 'Familiarity with threat intelligence concepts', 'Appropriate authorization for any testing activities'). The skill explains obvious context rather than providing unique, actionable information. | 1 / 3 |
Actionability | There is a concrete CLI command and an example output, but the core instructions are vague ('Configure MISP URL and API key', 'Run the agent to generate threat landscape analysis'). No actual Python code is provided for querying MISP with PyMISP—it references a `scripts/agent.py` that isn't shown or linked, making it not copy-paste executable. | 2 / 3 |
Workflow Clarity | The steps are loosely listed without validation checkpoints. There's no error handling, no verification that the MISP connection works, no feedback loop if the query fails or returns unexpected results. For a multi-step data analysis workflow, this lacks the necessary sequencing and validation. | 1 / 3 |
Progressive Disclosure | The content is organized into sections (When to Use, Prerequisites, Instructions, Examples), which provides some structure. However, it references `scripts/agent.py` without linking to it or explaining where to find it, and there are no references to deeper documentation for advanced features like galaxy cluster analysis or temporal trend configuration. | 2 / 3 |
Total | 6 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
888bbe4
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.