CtrlK
BlogDocsLog inGet started
Tessl Logo

building-incident-timeline-with-timesketch

Build collaborative forensic incident timelines using Timesketch to ingest, normalize, and analyze multi-source event data for attack chain reconstruction and investigation documentation.

55

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Risky

Do not use without reviewing

SKILL.md
Quality
Evals
Security

Quality

Content

57%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The body is highly actionable with executable commands and code, but it is a monolithic wall of text that ignores its own bundle files and explains some concepts Claude already knows. Workflow steps lack validation checkpoints for batch forensic ingestion.

Suggestions

Reference the existing bundle files from the body (e.g., link references/api-reference.md for the API section and references/workflows.md for detailed workflows) instead of inlining everything.

Add validation/verification checkpoints to the ingestion and analysis workflow (e.g., confirm event counts after import, verify timestamps parsed correctly before analyzing).

Trim the Overview's explanation of what Timesketch is and replace the generic 'When to Use' boilerplate with task-specific triggers.

DimensionReasoningScore

Conciseness

Most content is concrete commands and code, but the Overview paragraph explains what Timesketch is (a concept partly known to Claude) and the 'When to Use' section is generic boilerplate, matching the level-2 anchor of mostly efficient with some unnecessary explanation.

2 / 3

Actionability

Provides copy-paste-ready, executable commands (log2timeline.py, timesketch_importer), concrete CSV/JSONL samples, working Python API code, and real search-query examples, matching the level-3 anchor of fully executable guidance.

3 / 3

Workflow Clarity

The Analysis Workflow is sequenced into four clear steps, but ingestion of evidence is a batch operation with no validation/verification checkpoints, which per the guidelines caps workflow clarity at 2.

2 / 3

Progressive Disclosure

Bundle files exist in references/, scripts/, and assets/ but are never referenced from the body, and inline content (e.g., the API automation section) duplicates what belongs in references/api-reference.md, matching the level-1 anchor of a monolithic body with poor navigation to the bundle.

1 / 3

Total

8

/

12

Passed

Description

67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific and distinctive, naming concrete capabilities tied to Timesketch, but it lacks an explicit 'when to use' trigger clause and some common natural-language variations. It is strong on what and distinctiveness, weaker on triggering guidance.

Suggestions

Add an explicit 'Use when ...' clause listing natural triggers (e.g., 'Use when building incident timelines, performing DFIR, or analyzing multi-source logs with Timesketch').

Include common user-facing terms like 'DFIR', 'log2timeline', and 'timeline analysis' to improve trigger term coverage.

DimensionReasoningScore

Specificity

Lists multiple concrete actions — 'ingest, normalize, and analyze multi-source event data', 'attack chain reconstruction', 'investigation documentation' — matching the level-3 anchor of several specific concrete actions.

3 / 3

Completeness

It clearly answers 'what does this do' but has no 'Use when...' clause or equivalent explicit trigger guidance, so per the guidelines completeness is capped at 2.

2 / 3

Trigger Term Quality

Natural terms like 'Timesketch', 'forensic incident timelines', and 'attack chain' are present, but common variations a user might say (e.g. 'DFIR', 'log2timeline', 'timeline analysis') are missing, matching the level-2 anchor of relevant keywords with gaps.

2 / 3

Distinctiveness Conflict Risk

The Timesketch-specific, forensic-timeline niche is clear and unlikely to trigger for unrelated skills, matching the level-3 anchor of a clear niche with distinct triggers.

3 / 3

Total

10

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.