
building-incident-timeline-with-timesketch

Build collaborative forensic incident timelines using Timesketch to ingest, normalize, and analyze multi-source event data for attack chain reconstruction and investigation documentation.

36

Quality: 33% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security (by Snyk): Advisory. Suggest reviewing before use.


Quality

Discovery

40%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description identifies a clear niche tool (Timesketch) and domain (forensic incident analysis), giving it strong distinctiveness. However, it lacks an explicit 'Use when...' clause, which is critical for Claude to know when to select this skill, and the action verbs remain somewhat abstract rather than listing concrete operations. The trigger terms could be expanded to include more natural user language variations.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about forensic timelines, Timesketch, incident investigation, or analyzing event logs from multiple sources.'

Include common user-facing trigger terms and synonyms such as 'DFIR', 'digital forensics', 'log analysis', 'timeline analysis', 'plaso', and 'security investigation'.

Make actions more concrete by specifying discrete operations, e.g., 'upload log files, create sketches, add annotations, search events, build saved views, and export timeline reports'.

Dimension, reasoning and score:

Specificity (2 / 3): Names the domain (forensic incident timelines, Timesketch) and some actions (ingest, normalize, analyze), but the actions are somewhat abstract and not fully concrete: 'attack chain reconstruction' and 'investigation documentation' are high-level rather than specific discrete operations.

Completeness (1 / 3): The description covers 'what' (build timelines, ingest/normalize/analyze data) but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per the rubric, a missing 'Use when...' clause caps completeness at 2, and since the 'when' is entirely absent, this scores at 1.

Trigger Term Quality (2 / 3): Includes relevant terms like 'Timesketch', 'forensic', 'incident timelines', 'attack chain', and 'event data', but misses common user variations such as 'DFIR', 'digital forensics', 'log analysis', 'timeline analysis', or 'plaso'. A user might not naturally say 'attack chain reconstruction'.

Distinctiveness Conflict Risk (3 / 3): The mention of 'Timesketch' and 'forensic incident timelines' creates a very clear niche. This is unlikely to conflict with other skills given the highly specific tool and domain focus.

Total: 8 / 12 (Passed)

Implementation

27%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill reads more like a comprehensive reference guide or tutorial than a concise, actionable skill file. It suffers from significant verbosity, explaining concepts Claude already knows (architecture components, MITRE ATT&CK basics, what data sources contain) while lacking validation checkpoints in its workflows. The content would benefit greatly from aggressive trimming and splitting into focused reference files.

Suggestions

Remove the 'When to Use', 'Prerequisites', 'Architecture and Components', and MITRE ATT&CK mapping sections entirely — Claude already knows these concepts and they consume tokens without adding actionable value.

Add validation checkpoints after data ingestion (e.g., verify event count with a search query, check for parsing errors in Celery logs) and after running analyzers (e.g., confirm analyzer results appeared).

Split the data sources table, search query examples, and API automation code into separate bundle files (e.g., DATA_SOURCES.md, SEARCH_QUERIES.md, API_EXAMPLES.md) and reference them from a trimmed SKILL.md.

Replace the vague numbered lists in Steps 1 and 4 ('Log into Timesketch web interface', 'Create new story') with concrete API commands or CLI equivalents that are copy-paste executable.
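The validation checkpoint suggested above (confirm the event count, catch parsing errors) can begin before anything reaches Timesketch. The following Python is an added example, not code from the reviewed skill or from the Timesketch project: it normalises constructed auth-log and web-access-log lines from two sources into the JSONL layout Timesketch imports (every row must carry the mandatory message, datetime and timestamp_desc fields), validates each row, and returns a count to compare against the event count the sketch shows after upload. The sample log lines, the regexes and the optional field names (data_type, source_short, src_ip, status) are assumptions chosen for the example.

```python
"""Normalise multi-source log lines into Timesketch JSONL and validate
before upload.  Added example; not the reviewed skill's own code.
The log lines below are constructed for the example."""
import json
import re
from datetime import datetime, timezone

# Fields Timesketch requires in every CSV/JSONL row it imports.
REQUIRED = ("message", "datetime", "timestamp_desc")

# Constructed sample input: Linux auth log lines and Apache-style access log lines.
AUTH_LINES = [
    "2024-03-01T08:15:02Z sshd[1201]: Accepted password for root from 10.0.0.5 port 51022 ssh2",
    "2024-03-01T08:16:40Z sudo: root : TTY=pts/0 ; COMMAND=/usr/bin/curl http://10.0.0.9/x.sh",
]
WEB_LINES = [
    '10.0.0.5 - - [01/Mar/2024:08:14:55 +0000] "GET /login HTTP/1.1" 200 512',
    "garbage line that does not parse",  # deliberately malformed
]

AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
WEB_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)$'
)


def auth_to_event(line):
    """Map one auth log line to a Timesketch event dict, or None if unparsable."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    dt = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "message": f"{m['proc']}: {m['msg']}",
        "datetime": dt.isoformat(),        # ISO 8601 with explicit UTC offset
        "timestamp_desc": "Log Entry",
        "data_type": "syslog:line",        # assumed label, useful for search filters
        "source_short": "AUTH",
    }


def web_to_event(line):
    """Map one access log line to a Timesketch event dict, or None if unparsable."""
    m = WEB_RE.match(line)
    if not m:
        return None
    dt = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        "message": f"{m['ip']} {m['req']} {m['status']}",
        "datetime": dt.isoformat(),
        "timestamp_desc": "Request Time",
        "data_type": "apache:access",      # assumed label
        "source_short": "WEBLOG",
        "src_ip": m["ip"],
        "status": int(m["status"]),
    }


def normalise(auth_lines, web_lines):
    """Return (events sorted by datetime, list of input lines that failed to parse)."""
    events, rejected = [], []
    for parse, lines in ((auth_to_event, auth_lines), (web_to_event, web_lines)):
        for line in lines:
            ev = parse(line)
            if ev is None:
                rejected.append(line)
            else:
                events.append(ev)
    events.sort(key=lambda e: e["datetime"])
    return events, rejected


def to_jsonl(events):
    """Serialise events one JSON object per line, as Timesketch expects."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events) + "\n"


def validate_jsonl(text):
    """Validation checkpoint: each line must be JSON, carry the mandatory
    fields and have a parseable ISO 8601 datetime.  Returns (ok_count, errors)."""
    ok, errors = 0, []
    for n, raw in enumerate(text.splitlines(), 1):
        try:
            obj = json.loads(raw)
        except json.JSONDecodeError as exc:
            errors.append(f"line {n}: bad JSON ({exc.msg})")
            continue
        missing = [f for f in REQUIRED if f not in obj]
        if missing:
            errors.append(f"line {n}: missing {missing}")
            continue
        try:
            datetime.fromisoformat(obj["datetime"])
        except ValueError:
            errors.append(f"line {n}: unparseable datetime {obj['datetime']!r}")
            continue
        ok += 1
    return ok, errors


if __name__ == "__main__":
    events, rejected = normalise(AUTH_LINES, WEB_LINES)
    ok, errs = validate_jsonl(to_jsonl(events))
    # 'ok' is the number to compare with the sketch's event count after upload.
    print(f"{ok} events ready, {len(rejected)} input lines rejected, {len(errs)} validation errors")
```

Keeping the rejected-line list and the validated count lets an investigator record in the sketch story how many source lines were dropped, instead of discovering a silent shortfall later in the timeline.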

Dimension, reasoning and score:

Conciseness (1 / 3): The content is verbose and explains many concepts Claude already knows (what Timesketch is, what its components do, what MITRE ATT&CK techniques are, what data sources contain). The overview paragraph, 'When to Use' section, and 'Prerequisites' section are all filler. The architecture section explains standard components (Redis, PostgreSQL, Celery) that don't need explanation. The MITRE ATT&CK mapping table and data sources table add bulk without actionable value.

Actionability (2 / 3): There are concrete commands for deployment, data ingestion (Plaso, CSV, JSONL), and a Python API example. However, several workflow steps are described in vague numbered lists ('Log into Timesketch web interface', 'Create new sketch') rather than executable commands. The Sigma rule integration and Dissect integration examples are incomplete. The search query examples are useful and specific.

Workflow Clarity (2 / 3): The analysis workflow has numbered steps but lacks validation checkpoints. There's no verification after data ingestion (e.g., confirming event count, checking for parsing errors), no feedback loops for failed imports, and no validation that analyzers completed successfully. For a multi-step forensic process involving data integrity, this is a significant gap.

Progressive Disclosure (1 / 3): The content is a monolithic wall of text with no bundle files to reference. Everything from deployment to advanced API usage to MITRE mappings is crammed into a single file. Content like the data sources table, MITRE mapping, search query examples, and API automation could be split into separate reference files. External links are provided but no internal file references exist.

Total: 6 / 12 (Passed)

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation for skill structure: 10 / 11 passed

Criteria, description and result:

frontmatter_unknown_keys: Unknown frontmatter key(s) found; consider removing or moving to metadata. Result: Warning

Total: 10 / 11 (Passed)

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed
