Extract and catalog attack patterns from cyber threat intelligence reports into a structured STIX-based library mapped to MITRE ATT&CK for detection engineering and threat-informed defense.
69
Quality: 62% (Does it follow best practices?)
Impact: Pending (No eval scenarios have been run)
Advisory: Suggest reviewing before use
Optimize this skill with Tessl: `npx tessl skill review --optimize ./skills/building-attack-pattern-library-from-cti-reports/SKILL.md`

Quality
Discovery: 82%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, domain-specific description with excellent specificity and trigger term coverage for cybersecurity professionals. Its main weakness is the absence of an explicit 'Use when...' clause, which caps completeness at 2. Adding trigger guidance would make this an excellent description.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks to parse threat intelligence reports, extract TTPs, build attack pattern libraries, or map threats to MITRE ATT&CK.'
Consider adding common file/format variations users might mention, such as 'CTI reports', 'TTPs', 'IOCs', or 'threat reports' to broaden trigger coverage.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'extract and catalog attack patterns', 'structured STIX-based library', 'mapped to MITRE ATT&CK', and specifies purposes 'detection engineering and threat-informed defense'. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' (extract and catalog attack patterns into STIX library mapped to ATT&CK), but lacks an explicit 'Use when...' clause specifying when Claude should select this skill. The 'when' is only implied by the domain context. | 2 / 3 |
| Trigger Term Quality | Includes strong natural keywords a cybersecurity professional would use: 'attack patterns', 'cyber threat intelligence', 'STIX', 'MITRE ATT&CK', 'detection engineering', 'threat-informed defense'. These are highly relevant domain terms users would naturally mention. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive niche combining CTI reports, STIX formatting, MITRE ATT&CK mapping, and detection engineering. Very unlikely to conflict with other skills given the specificity of the cybersecurity threat intelligence domain. | 3 / 3 |
| Total | | 11 / 12 Passed |
Implementation: 42%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides highly actionable, executable Python code for a complete CTI-to-STIX pipeline, which is its primary strength. However, it is excessively verbose with unnecessary conceptual explanations, boilerplate 'When to Use' sections, and a monolithic structure that dumps everything into one file. The workflow lacks integrated validation checkpoints between steps, and the content would benefit significantly from splitting into overview + detailed reference files.
Suggestions
Remove the 'Key Concepts' and 'When to Use' sections entirely — Claude already understands STIX, ATT&CK, and CTI report structures. This would save ~30 lines of pure explanation.
Add explicit validation between workflow steps: after Step 1, verify extracted behaviors are non-empty; after Step 2, validate technique IDs exist in ATT&CK; after Step 3, validate the STIX bundle with a schema check before export.
Split the detailed code implementations into a separate reference file (e.g., IMPLEMENTATION.md) and keep SKILL.md as a concise overview with the workflow sequence and key patterns only.
Remove the generic 'When to Use' bullets and replace with a single sentence about the skill's purpose, or remove entirely.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~250+ lines. It explains concepts Claude already knows (what STIX is, what CTI reports are, what detection engineering involves), includes lengthy 'Key Concepts' sections that are purely definitional, and the 'When to Use' section is generic boilerplate. The BEHAVIOR_INDICATORS and TOOL_PATTERNS lists are extensive but much of this is common knowledge for Claude. | 1 / 3 |
| Actionability | The code is fully executable with concrete Python classes, specific library usage (stix2, attackcti), complete method implementations, and a working sample report with end-to-end execution. The code is copy-paste ready and demonstrates the full pipeline from parsing to export. | 3 / 3 |
| Workflow Clarity | The three steps are clearly sequenced (parse → map → build library), but validation is only listed as a checklist at the end rather than integrated into the workflow. There are no explicit validation checkpoints between steps (e.g., verifying ATT&CK mappings are valid before creating STIX objects) and no error recovery/feedback loops for when parsing fails or mappings are ambiguous. | 2 / 3 |
| Progressive Disclosure | This is a monolithic wall of content with everything inline: over 250 lines of code, concepts, prerequisites, and references all in one file. The Key Concepts section, detailed code implementations, and detection template generation could all be split into separate referenced files. No content is delegated to supporting documents. | 1 / 3 |
| Total | | 7 / 12 Passed |
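The validation checkpoints suggested above (non-empty extraction after step 1, technique IDs checked against ATT&CK after step 2, a bundle check before export) and the missing handling of failed parsing and ambiguous mappings noted under Workflow Clarity, as an added Python example that is neither the reviewed skill's code nor part of this review. It assumes a constructed four-technique subset in place of an attackcti lookup, a hypothetical BEHAVIOR_INDICATORS phrase table and a constructed report excerpt, and it builds and checks the STIX 2.1 bundle by hand; in a real pipeline stix2's parser or the stix2-validator package would replace the hand-rolled validate_bundle.

```python
"""Validation checkpoints for a CTI -> ATT&CK -> STIX 2.1 pipeline (added example)."""
import re
import uuid
from datetime import datetime, timezone

# Constructed subset of ATT&CK technique IDs. Assumption: a real run loads the full
# list via attackcti (or the MITRE STIX feed) instead of this dict.
KNOWN_TECHNIQUES = {
    "T1566.001": "Spearphishing Attachment",
    "T1059.001": "PowerShell",
    "T1003.001": "LSASS Memory",
    "T1021.002": "SMB/Windows Admin Shares",
}
# Hypothetical phrase -> candidate technique table; the last two entries are
# deliberately ambiguous / empty so the checkpoints have something to catch.
BEHAVIOR_INDICATORS = {
    "phishing attachment": ["T1566.001"],
    "powershell": ["T1059.001"],
    "lsass": ["T1003.001"],
    "lateral movement": ["T1021.002", "T1021.001"],  # two candidates, one unknown here
    "living off the land": [],                        # no mapping available
}
# Constructed report excerpt, not a real CTI report.
SAMPLE_REPORT = """The actor delivered a phishing attachment that launched PowerShell,
dumped LSASS for credentials, then used living off the land tooling for
lateral movement across the estate."""
_ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
_TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$")  # 2.1: millisecond precision


class PipelineError(ValueError):
    """A checkpoint failed; the caller decides whether to fix the input and retry."""


def extract_behaviors(report: str) -> list[str]:
    """Step 1: naive phrase matching. Checkpoint: the result must be non-empty."""
    text = report.lower()
    found = [phrase for phrase in BEHAVIOR_INDICATORS if phrase in text]
    if not found:
        raise PipelineError("step 1: no behaviors extracted from report")
    return found


def map_to_attack(behaviors: list[str]):
    """Step 2: phrase -> technique ID. Checkpoint: IDs must exist in ATT&CK.
    Ambiguous or unresolvable phrases go to an analyst review queue, not the bundle."""
    mapped, needs_review = [], []
    for phrase in behaviors:
        candidates = BEHAVIOR_INDICATORS[phrase]
        unknown = [t for t in candidates if t not in KNOWN_TECHNIQUES]
        if len(candidates) == 1 and not unknown:
            mapped.append((phrase, candidates[0]))
        else:
            needs_review.append({"behavior": phrase, "candidates": candidates, "unknown_ids": unknown})
    if not mapped:
        raise PipelineError("step 2: no behavior mapped to a valid ATT&CK technique")
    return mapped, needs_review


def build_bundle(mapped) -> dict:
    """Step 3: hand-built STIX 2.1 attack-pattern objects (stix2 would generate these)."""
    now = datetime.now(timezone.utc)
    ts = now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"
    objects = [{
        "type": "attack-pattern", "spec_version": "2.1",
        "id": f"attack-pattern--{uuid.uuid4()}", "created": ts, "modified": ts,
        "name": KNOWN_TECHNIQUES[tid], "description": f"Observed in report as '{phrase}'",
        "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
    } for phrase, tid in mapped]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def validate_bundle(bundle: dict) -> list[str]:
    """Checkpoint before export: minimal STIX 2.1 structural checks; returns problems found."""
    errors = []
    if bundle.get("type") != "bundle" or not _ID_RE.match(bundle.get("id", "")):
        errors.append("bundle: bad type or id")
    for i, obj in enumerate(bundle.get("objects", [])):
        where = f"objects[{i}]"
        required = ["type", "spec_version", "id", "created", "modified"]
        if obj.get("type") == "attack-pattern":
            required.append("name")  # name is required for attack-pattern SDOs
        if missing := [k for k in required if not obj.get(k)]:
            errors.append(f"{where}: missing {', '.join(missing)}")
        if obj.get("spec_version") != "2.1":
            errors.append(f"{where}: spec_version must be 2.1")
        if not _ID_RE.match(obj.get("id", "")) or not obj.get("id", "").startswith(f"{obj.get('type')}--"):
            errors.append(f"{where}: id is not <type>--<uuid4>")
        if not all(_TS_RE.match(obj.get(k, "")) for k in ("created", "modified")):
            errors.append(f"{where}: created/modified are not STIX 2.1 timestamps")
        refs = [r.get("external_id") for r in obj.get("external_references", [])
                if r.get("source_name") == "mitre-attack"]
        if obj.get("type") == "attack-pattern" and (not refs or any(t not in KNOWN_TECHNIQUES for t in refs)):
            errors.append(f"{where}: ATT&CK external_id missing or unknown")
    return errors


def run_pipeline(report: str):
    """parse -> map -> build; every checkpoint is enforced before the next step runs."""
    behaviors = extract_behaviors(report)
    mapped, needs_review = map_to_attack(behaviors)
    bundle = build_bundle(mapped)
    if errors := validate_bundle(bundle):
        raise PipelineError("step 3: " + "; ".join(errors))
    return bundle, needs_review
```

On the constructed report, run_pipeline returns a three-object bundle and a two-item review queue: "lateral movement" is held back because one of its candidate IDs is not in the technique set, and "living off the land" because it has no mapping at all. Pushing either into the bundle would have been caught by the step 3 external_id check, which is the point of validating between steps rather than only at the end.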
Validation: 90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation for skill structure: 10 / 11 Passed
| Criteria | Description | Result |
|---|---|---|
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | | 10 / 11 Passed |
c15f73d