CtrlK
BlogDocsLog inGet started
Tessl Logo

automating-ioc-enrichment

Automates the enrichment of raw indicators of compromise with multi-source threat intelligence context using SOAR platforms, Python pipelines, or TIP playbooks to reduce analyst triage time and standardize enrichment outputs. Use when building automated enrichment workflows integrated with SIEM alerts, email submission pipelines, or bulk IOC processing from threat feeds. Activates for requests involving SOAR enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment pipelines, or automated IOC processing.

68

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Quality

Content

65%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill body is highly actionable with executable code and a concrete SOAR playbook, but it over-explains a few known concepts, lacks an explicit validation checkpoint in its batch workflow, and fails to link to the provided bundle files while duplicating some of their content inline.

Suggestions

Replace the inline 'Key Concepts' definitions of SOAR and rate limiting with a one-line pointer to references/api-reference.md, removing duplication with the bundled reference file.

Add an explicit validation checkpoint in Step 3/Step 4 (e.g., verify enrichment fields are populated and confidence score is sane) before conditional routing, to satisfy the batch-operation feedback-loop requirement.

Reference scripts/agent.py and references/api-reference.md from the body so the executable pipeline script and detailed API calls are discovered via progressive disclosure rather than repeated inline.

DimensionReasoningScore

Conciseness

The body is mostly efficient with concrete code, but the 'Key Concepts' table defines SOAR and rate limiting (concepts Claude already knows) and inline API calls in Step 2 duplicate content already present in references/api-reference.md, so it could be tightened rather than earning the lean level-3 anchor.

2 / 3

Actionability

Fully executable Python (enrich_ip/enrich_hash, a rate_limited decorator, retry_on_429), a concrete 9-point Cortex XSOAR playbook, named API endpoints, and specific metric targets — copy-paste ready guidance.

3 / 3

Workflow Clarity

A clear 5-step sequence exists, but bulk IOC processing has no explicit validate-before-route checkpoint or feedback loop verifying enrichment correctness before conditional routing, which the rubric caps at 2 for batch operations.

2 / 3

Progressive Disclosure

Sections are well organized, but the bundle files references/api-reference.md and scripts/agent.py are never referenced from the body, and API details that already live in the reference file are duplicated inline — content that should be split out is inline and references are not signaled.

2 / 3

Total

9

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific, action-oriented, and supplies explicit 'Use when'/'Activates for' triggers covering natural user terms and named platforms. It cleanly answers both what the skill does and when to invoke it, with low conflict risk.

DimensionReasoningScore

Specificity

Lists multiple concrete actions — 'Automates the enrichment of raw indicators of compromise with multi-source threat intelligence context using SOAR platforms, Python pipelines, or TIP playbooks to reduce analyst triage time and standardize enrichment outputs' — naming specific mechanisms and outcomes rather than vague language.

3 / 3

Completeness

Explicitly answers both what ('Automates the enrichment...') and when ('Use when building automated enrichment workflows...' plus an 'Activates for...' trigger clause), matching the level-3 anchor.

3 / 3

Trigger Term Quality

Strong coverage of natural terms a user would say: 'SIEM alerts, email submission pipelines, or bulk IOC processing from threat feeds' and 'SOAR enrichment, Cortex XSOAR, Splunk SOAR, TheHive, Python enrichment pipelines, or automated IOC processing'.

3 / 3

Distinctiveness Conflict Risk

A clear niche — automated IOC enrichment tied to named platforms (Cortex XSOAR, Splunk SOAR, TheHive) — with distinct triggers unlikely to fire for unrelated skills.

3 / 3

Total

12

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.