{"id":"acac2911-338f-4e0f-a169-b3cc5aebc669","shortId":"ja5ESJ","kind":"skill","title":"analyze","tagline":"Conduct structured analysis on any problem using CIA/IC analytic techniques — assess competing hypotheses, challenge assumptions, stress-test judgments, and produce defensible evidence-based assessments with full citations. Supports 18 techniques including ACH, Key Assumptions Ch","description":"# Structured Analysis Skill\n\nApply CIA/IC Structured Analytic Techniques to produce defensible, evidence-based analytical assessments. Every claim must be cited. Every judgment must trace to technique outputs.\n\n## Invocation\n\n```\n/analyze                          → Adaptive mode (auto-select techniques)\n/analyze <technique>              → Direct mode (run one technique)\n/analyze --guided                 → Guided mode (walk through all phases)\n/analyze --resume <analysis-id>   → Resume or update existing analysis\n/analyze --iterate <analysis-id>                → Re-run full analysis with new evidence\n/analyze --iterate <analysis-id> <technique>    → Re-run specific technique(s)\n/analyze --lean                   → Lean mode (abbreviated technique set)\n/analyze --comprehensive          → Comprehensive mode (full rubric, adversarial + deception checks)\n/analyze --no-osint               → Disable web research\n```\n\nTechniques: `customer-checklist`, `issue-redefinition`, `restatement`, `brainstorm`, `kac`, `ach`, `inconsistencies`, `cross-impact`, `what-if`, `premortem`, `counterfactual`, `narratives`, `bowtie`, `opportunities`, `devils-advocacy`, `red-hat`, `alt-futures`, `deception`\n\nFlags combine: `/analyze --guided --no-osint` is valid.\n\n## Q Investigation System Integration\n\nThis skill is integrated into the Q investigation system..\n\n### Output Path Override\n\n**All analysis output goes inside the active case folder**, not the project root.\n\nWhen an active case exists (e.g., `investigations/case-001-slug/`), replace every reference to `analyses/{{ANALYSIS_ID}}/` with:\n\n```\ninvestigations/<active-case>/output/analyses/{{ANALYSIS_ID}}/\n```\n\nIf no active case is identified, ask the user which case this analysis belongs to.\n\n### Evidence Integration -- Tier 2 Local Files\n\nWhen collecting Tier 2 (local file) evidence, **always include the active case's collected intelligence**. In addition to generic Glob discovery, explicitly search these directories:\n\n- `investigations/<active-case>/investigation/targets/` -- target profiles with collection status and gaps\n- `investigations/<active-case>/investigation/findings/` -- confirmed/assessed findings with confidence levels\n- `investigations/<active-case>/investigation/evidence/` -- raw evidence and screenshots\n- `investigations/<active-case>/investigation/timelines/` -- chronological event data\n- `investigations/<active-case>/canonical/scope.md` -- hypotheses and collection requirements\n\nThis is the richest local evidence available. Prioritize it over generic file discovery.\n\n### Feeding Results Back to Q\n\nAfter any `/analyze` run completes, update the active case:\n1. Add key findings to `investigation/findings/` (with citation back to the analysis)\n2. Update `memory/investigation-state.md` with analysis summary and which techniques were run\n3. If the analysis surfaced new collection gaps, flag them in `investigation-state.md` and suggest `/q-scope` to the user (file authority: `canonical/` is only updated via `/q-scope`)\n\n### OSINT Note\n\nThis system uses Apify/Exa/Jina for OSINT collection (not Firecrawl). When the skill needs web research, it should use the built-in WebSearch and WebFetch tools. For deeper collection, use `/q-osint` or `/q-collect` first, then run `/analyze --no-osint` on the collected evidence.\n\n## Execution\n\n**You MUST read the orchestrator protocol before proceeding.** It contains mode routing, technique selection logic, and the technique routing table.\n\n### Step 0 — Context Inference\n\nBefore parsing explicit arguments, scan the conversation history for implicit inputs. Users often invoke `/analyze` mid-conversation after discussing a problem, providing data, or sharing links.\n\nExtract from conversation context:\n- **Problem statement**: What is the user trying to analyze? Look for questions, concerns, scenarios, or decisions under discussion.\n- **Implicit technique hints**: Did the user mention assumptions, hypotheses, competing explanations, risks, or scenarios? Map these to techniques (e.g., \"I'm not sure which explanation is right\" → ACH, \"what could go wrong\" → Premortem).\n- **Implicit flags**: Did the user indicate they want something quick (→ `--lean`), don't want web research (→ `--no-osint`), or want to walk through everything (→ `--guided`)?\n- **Prior analysis**: Are there existing analyses in the active case's `output/analyses/` for the same topic? (→ suggest `--resume` or `--iterate`)\n- **Evidence already provided**: Files shared, URLs pasted, data discussed — these become Tier 1/2 evidence.\n\n### Step 0.1 — Validate Assumptions\n\nIf context inference produced any results, present them to the user for confirmation before proceeding:\n\n```\nBased on our conversation, here's what I'm picking up:\n\n**Problem**: [inferred problem statement]\n**Mode**: [inferred mode + rationale]\n**Techniques**: [inferred techniques, if any]\n**Flags**: [inferred flags, if any]\n**Prior context**: [files, data, or evidence already in conversation]\n\nDoes this look right? Adjust anything before I proceed.\n```\n\nIf the user provided explicit arguments, those always take precedence — but still surface any useful context (e.g., \"You asked for ACH. I also noticed you shared [file] earlier — I'll include that as evidence.\").\n\nIf no conversation context exists and no arguments were provided, proceed directly to Adaptive mode (the orchestrator will prompt for a problem statement).\n\n### Steps 1–6 — Main Execution\n\n1. Read `protocols/orchestrator.md` (relative to this skill's directory)\n2. Parse explicit arguments → determine mode and flags (merge with Step 0 inferences, explicit args win)\n3. Follow the orchestrator's instructions for the detected mode\n4. For technique execution, follow the orchestrator's Technique Execution Contract:\n   - **1 technique** (Direct mode): Execute in-context — read protocol, read template, execute SETUP → PRIME → EXECUTE → ARTIFACT → FINDINGS → HANDOFF, write artifact to `{{ANALYSIS_DIR}}/working/`\n   - **2+ techniques**: Dispatch to background subagents in dependency-aware tiers — each subagent reads protocol/template, executes the technique, writes the artifact, and returns only a compact findings summary. Main context accumulates summaries and file paths, not full technique work.\n5. For evidence gathering: read and execute `protocols/evidence-collector.md`\n6. For report synthesis: dispatch per `protocols/report-generator.md` Phase A/B architecture\n\n## Self-Correction (3 Layers)\n\n- **Layer 1** (after each technique, silent): Protocol compliance check — all steps completed? All template sections filled? No unfilled `{{PLACEHOLDER}}` tokens?\n- **Layer 2** (before report, silent): Analytical self-critique — 8 checks:\n  - 3a. Assumption audit\n  - 3b. Evidence balance\n  - 3c. Confidence calibration\n  - 3d. Alternative check\n  - 3e. Missing voices\n  - 3f. Internal consistency audit (cross-artifact validation)\n  - 3g. Analytical bias scan (sycophancy, anchoring, vividness, completion, authority)\n  - 3h. Quality score (quantitative 1-5 with pass/fail threshold)\n- **Layer 3** (before finalization): Human review gate — present summary (including quality score), incorporate feedback\n- **Auto-Remediation Gate** (between Phase A and Phase B): HIGH-severity Layer 2 flags (evidence imbalance >2:1, unstated critical premises, strong counter-arguments, sycophancy/anchoring bias, quality score < 3.0) trigger automatic remediation — the orchestrator invokes the iteration handler to collect targeted evidence, re-run flagged techniques (max 3), and regenerate the report before the user sees it. Capped at 1 cycle. Zero overhead when no HIGH flags exist.\n- **Critique-to-Iteration Bridge** (after results): Remaining MEDIUM/LOW flags from Layer 1 and Layer 2 are mapped to specific technique re-runs and evidence collection focuses, presented as ready-to-run `/analyze --iterate` commands. Only fires when actionable flags exist beyond what auto-remediation already addressed. All flags and their statuses are written to `next-steps.md` in the analysis root — a standalone ledger tracking OPEN, REMEDIATED, RESOLVED, and DEFERRED items across iterations. The `--iterate` handler reads this file as its primary input.\n\n## Citation Requirement\n\nEvery claim in every artifact must be cited. No exceptions. Citation methods:\n- **OSINT**: `[Source](URL)` — Retrieved: YYYY-MM-DD\n- **FILE**: `[filename:line_range]`\n- **USER**: `[User-provided, session context]`\n- **ANALYSIS**: `[Derived via technique_name]`\n- **PRIOR-ITERATION**: `[PRIOR-v{N}: technique_name]`\n\nOSINT is never presented as fact — always \"according to [source]\".\n\n## Reference Library\n\nFor deep background on any technique, read `library/00-prime.md` (relative to this skill's directory) and the specific library files referenced in each protocol. The library contains the full theoretical foundation, axioms, selection matrices, and empirical critiques underlying this skill.","tags":["structured","analysis","huntkit","assafkip","ach","agent-skills","anthropic","case-management","claude","claude-code","cyber","dfir"],"capabilities":["skill","source-assafkip","skill-structured-analysis","topic-ach","topic-agent-skills","topic-anthropic","topic-case-management","topic-claude","topic-claude-code","topic-cyber","topic-dfir","topic-digital-forensics","topic-due-diligence","topic-evidence-capture","topic-investigation"],"categories":["huntkit"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/assafkip/huntkit/structured-analysis","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add assafkip/huntkit","source_repo":"https://github.com/assafkip/huntkit","install_from":"skills.sh"}},"qualityScore":"0.467","qualityRationale":"deterministic score 0.47 from registry signals: · indexed on github topic:agent-skills · 35 github stars · SKILL.md body (8,921 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-01T12:57:16.094Z","embedding":null,"createdAt":"2026-04-18T22:22:25.392Z","updatedAt":"2026-05-01T12:57:16.094Z","lastSeenAt":"2026-05-01T12:57:16.094Z","tsv":"'-5':925 '..':192 '/analyze':68,75,81,89,96,106,114,121,130,172,327,421,468,1049 '/canonical/scope.md':302 '/investigation/evidence':291 '/investigation/findings':284 '/investigation/targets':275 '/investigation/timelines':297 '/output/analyses':225 '/q-collect':417 '/q-osint':415 '/q-scope':371,382 '/working':794 '0':451,744 '0.1':597 '1':334,720,724,770,858,924,962,1006,1027 '1/2':594 '18':32 '2':246,252,346,733,795,878,957,961,1030 '3':357,749,855,930,994 '3.0':974 '3a':888 '3b':891 '3c':894 '3d':897 '3e':900 '3f':903 '3g':911 '3h':920 '4':759 '5':834 '6':721,842 '8':886 'a/b':850 'abbrevi':118 'accord':1153 'accumul':825 'ach':35,147,530,682 'across':1088 'action':1055 'activ':202,211,230,259,332,570 'adapt':69,709 'add':335 'addit':265 'address':1064 'adjust':657 'adversari':127 'advocaci':162 'alreadi':583,650,1063 'also':684 'alt':167 'alt-futur':166 'altern':898 'alway':256,669,1152 'analys':220,567 'analysi':4,40,95,102,197,221,226,240,345,350,360,563,792,1076,1132 'analyt':10,45,53,882,912 'analyz':1,493 'anchor':916 'anyth':658 'apify/exa/jina':388 'appli':42 'architectur':851 'arg':747 'argument':457,667,703,736,969 'artifact':786,790,815,909,1106 'ask':234,680 'assess':12,27,54 'assumpt':16,37,510,599,889 'audit':890,906 'author':376,919 'auto':72,944,1061 'auto-remedi':943,1060 'auto-select':71 'automat':976 'avail':313 'awar':804 'axiom':1188 'b':952 'back':322,342 'background':799,1160 'balanc':893 'base':26,52,615 'becom':592 'belong':241 'beyond':1058 'bias':913,971 'bowti':158 'brainstorm':145 'bridg':1019 'built':405 'built-in':404 'calibr':896 'canon':377 'cap':1004 'case':203,212,231,238,260,333,571 'ch':38 'challeng':15 'check':129,865,887,899 'checklist':140 'chronolog':298 'cia/ic':9,43 'citat':30,341,1100,1112 'cite':59,1109 'claim':56,1103 'collect':250,262,279,305,363,391,413,427,985,1041 'combin':171 'command':1051 'compact':820 'compet':13,512 'complet':329,868,918 'complianc':864 'comprehens':122,123 'concern':497 'conduct':2 'confid':288,895 'confirm':612 'confirmed/assessed':285 'consist':905 'contain':439,1183 'context':452,484,601,645,677,699,777,824,1131 'contract':769 'convers':460,471,483,618,652,698 'correct':854 'could':532 'counter':968 'counter-argu':967 'counterfactu':156 'critic':964 'critiqu':885,1016,1193 'critique-to-iter':1015 'cross':150,908 'cross-artifact':907 'cross-impact':149 'custom':139 'customer-checklist':138 'cycl':1007 'data':300,477,589,647 'dd':1121 'decept':128,169 'decis':500 'deep':1159 'deeper':412 'defens':23,49 'defer':1086 'depend':803 'dependency-awar':802 'deriv':1133 'detect':757 'determin':737 'devil':161 'devils-advocaci':160 'dir':793 'direct':76,707,772 'directori':273,732,1171 'disabl':134 'discoveri':269,319 'discuss':473,502,590 'dispatch':797,846 'e.g':214,521,678 'earlier':689 'empir':1192 'event':299 'everi':55,60,217,1102,1105 'everyth':560 'evid':25,51,105,243,255,293,312,428,582,595,649,695,836,892,959,987,1040 'evidence-bas':24,50 'except':1111 'execut':429,723,762,768,774,782,785,810,840 'exist':94,213,566,700,1014,1057 'explan':513,527 'explicit':270,456,666,735,746 'extract':481 'fact':1151 'feed':320 'feedback':942 'file':248,254,318,375,585,646,688,828,1095,1122,1176 'filenam':1123 'fill':872 'final':932 'find':286,337,787,821 'fire':1053 'firecrawl':393 'first':418 'flag':170,365,537,639,641,740,958,991,1013,1024,1056,1066 'focus':1042 'folder':204 'follow':750,763 'foundat':1187 'full':29,101,125,831,1185 'futur':168 'gap':282,364 'gate':935,946 'gather':837 'generic':267,317 'glob':268 'go':533 'goe':199 'guid':82,83,173,561 'handler':983,1092 'handoff':788 'hat':165 'high':954,1012 'high-sever':953 'hint':505 'histori':461 'human':933 'hypothes':14,303,511 'id':222,227 'identifi':233 'imbal':960 'impact':151 'implicit':463,503,536 'in-context':775 'includ':34,257,692,938 'inconsist':148 'incorpor':941 'indic':541 'infer':453,602,627,631,635,640,745 'input':464,1099 'insid':200 'instruct':754 'integr':182,186,244 'intellig':263 'intern':904 'investig':180,190,224,274,283,290,296,301 'investigation-state.md':368 'investigation/findings':339 'investigations/case-001-slug':215 'invoc':67 'invok':467,980 'issu':142 'issue-redefinit':141 'item':1087 'iter':97,107,581,982,1018,1050,1089,1091,1139 'judgment':20,61 'kac':146 'key':36,336 'layer':856,857,877,929,956,1026,1029 'lean':115,116,546 'ledger':1080 'level':289 'librari':1157,1175,1182 'library/00-prime.md':1165 'line':1124 'link':480 'll':691 'local':247,253,311 'logic':444 'look':494,655 'm':523,623 'main':722,823 'map':517,1032 'matric':1190 'max':993 'medium/low':1023 'memory/investigation-state.md':348 'mention':509 'merg':741 'method':1113 'mid':470 'mid-convers':469 'miss':901 'mm':1120 'mode':70,77,84,117,124,440,630,632,710,738,758,773 'must':57,62,431,1107 'n':1143 'name':1136,1145 'narrat':157 'need':397 'never':1148 'new':104,362 'next-steps.md':1073 'no-osint':131,174,422,552 'note':384 'notic':685 'often':466 'one':79 'open':1082 'opportun':159 'orchestr':434,712,752,765,979 'osint':133,176,383,390,424,554,1114,1146 'output':66,193,198 'output/analyses':573 'overhead':1009 'overrid':195 'pars':455,734 'pass/fail':927 'past':588 'path':194,829 'per':847 'phase':88,849,948,951 'pick':624 'placehold':875 'preced':671 'premis':965 'premortem':155,535 'present':606,936,1043,1149 'primari':1098 'prime':784 'prior':562,644,1138,1141 'prior-iter':1137 'prior-v':1140 'priorit':314 'problem':7,475,485,626,628,717 'proceed':437,614,661,706 'produc':22,48,603 'profil':277 'project':207 'prompt':714 'protocol':435,779,863,1180 'protocol/template':809 'protocols/evidence-collector.md':841 'protocols/orchestrator.md':726 'protocols/report-generator.md':848 'provid':476,584,665,705,1129 'q':179,189,324 'qualiti':921,939,972 'quantit':923 'question':496 'quick':545 'rang':1125 'rational':633 'raw':292 're':99,109,989,1037 're-run':98,108,988,1036 'read':432,725,778,780,808,838,1093,1164 'readi':1046 'ready-to-run':1045 'red':164 'red-hat':163 'redefinit':143 'refer':218,1156 'referenc':1177 'regener':996 'relat':727,1166 'remain':1022 'remedi':945,977,1062,1083 'replac':216 'report':844,880,998 'requir':306,1101 'research':136,399,551 'resolv':1084 'restat':144 'result':321,605,1021 'resum':90,91,579 'retriev':1117 'return':817 'review':934 'richest':310 'right':529,656 'risk':514 'root':208,1077 'rout':441,448 'rubric':126 'run':78,100,110,328,356,420,990,1038,1048 'scan':458,914 'scenario':498,516 'score':922,940,973 'screenshot':295 'search':271 'section':871 'see':1002 'select':73,443,1189 'self':853,884 'self-correct':852 'self-critiqu':883 'session':1130 'set':120 'setup':783 'sever':955 'share':479,586,687 'silent':862,881 'skill':41,184,396,730,1169,1196 'skill-structured-analysis' 'someth':544 'sourc':1115,1155 'source-assafkip' 'specif':111,1034,1174 'standalon':1079 'statement':486,629,718 'status':280,1069 'step':450,596,719,743,867 'still':673 'stress':18 'stress-test':17 'strong':966 'structur':3,39,44 'subag':800,807 'suggest':370,578 'summari':351,822,826,937 'support':31 'sure':525 'surfac':361,674 'sycoph':915 'sycophancy/anchoring':970 'synthesi':845 'system':181,191,386 'tabl':449 'take':670 'target':276,986 'techniqu':11,33,46,65,74,80,112,119,137,354,442,447,504,520,634,636,761,767,771,796,812,832,861,992,1035,1135,1144,1163 'templat':781,870 'test':19 'theoret':1186 'threshold':928 'tier':245,251,593,805 'token':876 'tool':410 'topic':577 'topic-ach' 'topic-agent-skills' 'topic-anthropic' 'topic-case-management' 'topic-claude' 'topic-claude-code' 'topic-cyber' 'topic-dfir' 'topic-digital-forensics' 'topic-due-diligence' 'topic-evidence-capture' 'topic-investigation' 'trace':63 'track':1081 'tri':491 'trigger':975 'under':1194 'unfil':874 'unstat':963 'updat':93,330,347,380 'url':587,1116 'use':8,387,402,414,676 'user':236,374,465,490,508,540,610,664,1001,1126,1128 'user-provid':1127 'v':1142 'valid':178,598,910 'via':381,1134 'vivid':917 'voic':902 'walk':85,558 'want':543,549,556 'web':135,398,550 'webfetch':409 'websearch':407 'what-if':152 'win':748 'work':833 'write':789,813 'written':1071 'wrong':534 'yyyi':1119 'yyyy-mm-dd':1118 'zero':1008","prices":[{"id":"137786f7-cbbd-4874-9290-b5c98c295871","listingId":"acac2911-338f-4e0f-a169-b3cc5aebc669","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"assafkip","category":"huntkit","install_from":"skills.sh"},"createdAt":"2026-04-18T22:22:25.392Z"}],"sources":[{"listingId":"acac2911-338f-4e0f-a169-b3cc5aebc669","source":"github","sourceId":"assafkip/huntkit/structured-analysis","sourceUrl":"https://github.com/assafkip/huntkit/tree/main/skills/structured-analysis","isPrimary":false,"firstSeenAt":"2026-04-18T22:22:25.392Z","lastSeenAt":"2026-05-01T12:57:16.094Z"}],"details":{"listingId":"acac2911-338f-4e0f-a169-b3cc5aebc669","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"assafkip","slug":"structured-analysis","github":{"repo":"assafkip/huntkit","stars":35,"topics":["ach","agent-skills","anthropic","case-management","claude","claude-code","cyber","dfir","digital-forensics","due-diligence","evidence-capture","investigation","ioc","mcp","osint","security-research","structured-analysis","threat-hunting","threat-intelligence","tradecraft"],"license":"mit","html_url":"https://github.com/assafkip/huntkit","pushed_at":"2026-04-16T19:10:25Z","description":"Investigation toolkit for Claude Code: case management, OSINT, structured analytic techniques, chain-of-custody evidence capture, and bundled threat-intel MCP servers.","skill_md_sha":"dd36cad043581ac7ea7179fd19918e53550bb2de","skill_md_path":"skills/structured-analysis/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/assafkip/huntkit/tree/main/skills/structured-analysis"},"layout":"multi","source":"github","category":"huntkit","frontmatter":{"name":"analyze","description":"Conduct structured analysis on any problem using CIA/IC analytic techniques — assess competing hypotheses, challenge assumptions, stress-test judgments, and produce defensible evidence-based assessments with full citations. Supports 18 techniques including ACH, Key Assumptions Check, What-If, Premortem, Cross-Impact Matrix, Contrasting Narratives, Devil's Advocacy, Red Hat Analysis, Alternative Futures, and Deception Detection."},"skills_sh_url":"https://skills.sh/assafkip/huntkit/structured-analysis"},"updatedAt":"2026-05-01T12:57:16.094Z"}}