Structured incident triage for alerts from any monitoring source. Five-step framework: classify severity, scope blast radius, correlate with recent changes,...
Security Analysis
High confidence: The skill's files and instructions align with an incident-triage helper: included scripts call the GitHub CLI for correlation and issue creation, and the docs/rundown match the stated purpose — nothing in the bundle tries to do unrelated or hidden work.
The name/description (incident triage, correlate deploys/merges, create incident issues) match the included assets: triage docs, runbook template, and three small helper scripts that use the `gh` CLI. There are no requests for unrelated capabilities (no unexpected cloud credentials, remote downloads, or unrelated binaries).
SKILL.md stays within triage responsibilities: classify, scope, correlate, investigate, act. It references local reference files and the helper scripts and tells operators to consult dashboards and logs. It does not instruct the agent to read arbitrary system files or exfiltrate data. Note: the runbook template explicitly contains placeholders and must be populated before use; the skill warns about this.
No install spec — instruction-only with three small scripts included. No remote downloads or archive extraction. This is low-risk from an install standpoint.
The skill does not declare required env vars, but the scripts and docs rely on external tooling (notably the `gh` CLI) and on access to monitoring UIs (PagerDuty, Datadog, CloudWatch, Sentry, etc.). This is coherent, but users must provide the appropriate CLI configuration and credentials externally. The skill does not itself demand unrelated secrets; however, creating issues or querying runs requires GitHub credentials (via `gh` auth), and deeper investigation will require service-specific credentials that the skill does not provide.
The `always` flag is false and the skill does not request persistent system-level privileges. It can be invoked autonomously by the agent (platform default) — normal for skills. There is no evidence it modifies other skills or system-wide settings.
Guidance
This skill appears coherent and implements a structured triage workflow. Before installing or running it:
(1) Ensure the `gh` CLI is installed and authenticated with a GitHub token that has only the scopes you intend (issue creation / repo read as needed); the helper scripts call `gh` locally and rely on that existing auth.
(2) Populate the runbook template (references/runbook-template.md) with your real endpoints, on-call contacts, and accounts; do not rely on placeholder content during a real incident.
(3) Confirm that any agent identity you permit to invoke this skill has least privilege (e.g., narrow GitHub repo access), because the skill can create issues and query runs.
(4) If you do not want the agent to take automated actions (creating tickets), consider limiting autonomous invocation or requiring explicit user confirmation before running the action scripts.
(5) Test the scripts in a non-production repo/environment first so you can validate behavior and permissions.
Latest Release
v0.3.0
Add scripts/ for deploy correlation and incident ticket creation; add TOC to alert-patterns.md and triage-framework.md; improve Works Well With section with step-level guidance; add runbook template warning; fix GNU date format bug in correlate-recent-deploys.sh
Published by @ggettert on ClawHub