← Back to Skills Marketplace
afrexai-cto

Incident Response Plan

by afrexai-cto · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ✓ Security Clean
143
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install afrexai-incident-response-plan
Description
Generate a tailored incident response plan for AI agent deployments and SaaS operations. Covers detection, triage, containment, recovery, and post-mortem. Us...
README (SKILL.md)

Incident Response Plan Generator

Generate a production-ready incident response plan tailored to your AI agent deployment.

When to Use

  • Deploying AI agents to production for the first time
  • Preparing for SOC2 or ISO 27001 audits
  • Client asks "what happens when something breaks?"
  • Building operational runbooks for managed AI services
  • After an incident — to prevent recurrence

Input

Service: [Name of AI agent/service]
Environment: [cloud provider, region, architecture]
Data Sensitivity: [low/medium/high/critical]
Team Size: [number of responders]
SLA: [uptime target, e.g., 99.9%]
Integrations: [list of connected systems]

Plan Structure

1. Severity Classification

Level Description Response Time Examples
SEV1 — Critical Service down, data breach, financial impact 15 min Agent sending wrong data to clients, API keys exposed
SEV2 — High Degraded service, partial outage 1 hour Agent responses slow, one integration failing
SEV3 — Medium Non-critical issue, workaround exists 4 hours Minor accuracy drop, cosmetic errors
SEV4 — Low Enhancement, no immediate impact Next business day Feature request, optimization

2. Detection & Alerting

  • Health check endpoints (every 60s)
  • Error rate thresholds (>1% = SEV3, >5% = SEV2, >25% = SEV1)
  • Response time monitoring (p99 > 2x baseline = alert)
  • Cost anomaly detection (>150% daily average)
  • Output quality sampling (random audit of agent responses)
  • Uptime monitoring (UptimeRobot, Pingdom, or custom)

3. Triage Checklist

□ Confirm the alert is real (not false positive)
□ Classify severity (SEV1-4)
□ Identify affected scope (which agents, which clients)
□ Check recent changes (deploys, config changes, upstream)
□ Assign incident commander
□ Open incident channel/thread
□ Notify affected stakeholders per SLA

4. Containment Actions by Type

Agent Misbehavior:

  • Pause agent processing (kill switch)
  • Revert to last known good config
  • Enable human-in-the-loop mode
  • Queue messages for manual review

Infrastructure Failure:

  • Failover to backup region/instance
  • Scale horizontally if capacity issue
  • Check upstream dependencies (API providers, databases)
  • Enable circuit breakers

Security Incident:

  • Rotate all credentials immediately
  • Isolate affected systems
  • Preserve logs and evidence
  • Engage security team / legal if data breach

Data Quality Issue:

  • Halt automated outputs
  • Identify contamination window
  • Notify affected clients with timeline
  • Prepare correction batch

5. Communication Templates

Client notification (SEV1/2):

Subject: [Service Name] — Incident Update

We've identified an issue affecting [description].
- Impact: [what's affected]
- Status: [investigating/identified/monitoring/resolved]
- ETA: [estimated resolution time]
- Workaround: [if available]

We'll provide updates every [30 min / 1 hour].

Internal escalation:

🚨 SEV[X] — [Service]: [Brief description]
Impact: [scope]
Started: [time]
Commander: [name]
Channel: [link]
Action needed: [specific ask]

6. Recovery & Validation

□ Root cause identified and documented
□ Fix deployed and verified
□ All affected data corrected/reconciled
□ Client communication sent (resolution)
□ Monitoring confirms stable for 30+ min
□ Incident timeline documented

7. Post-Mortem Template

# Incident Post-Mortem: [Title]
**Date:** YYYY-MM-DD
**Severity:** SEV[X]
**Duration:** [start] — [end] ([total time])
**Commander:** [name]

## Summary
[2-3 sentence description]

## Timeline
- HH:MM — [event]
- HH:MM — [event]

## Root Cause
[Technical root cause]

## Impact
- Users affected: [number]
- Duration: [time]
- Data impact: [description]
- Financial impact: [if applicable]

## What Went Well
- [item]

## What Went Wrong
- [item]

## Action Items
| Action | Owner | Due Date | Status |
|--------|-------|----------|--------|
| [item] | [name] | [date] | Open |

## Lessons Learned
- [lesson]

Best Practices

  • Test your incident response plan quarterly (tabletop exercises)
  • Keep runbooks next to the code they support
  • Automate detection — humans are slow at noticing things
  • Over-communicate during incidents — silence breeds anxiety
  • Blameless post-mortems — focus on systems, not people
  • Track MTTR (mean time to recover) as your north star metric

Need incident response built into your AI operations from day one? AfrexAI deploys production-grade AI agents with monitoring, alerting, and response plans included. Book a call: calendly.com/cbeckford-afrexai/30min

Usage Guidance
This skill is a benign, self-contained template for drafting incident response plans. Before using it: 1) avoid pasting secrets, full credentials, or sensitive incident evidence into the prompt or inputs (the skill does not need them to produce a plan); 2) treat links in README/skill (e.g., calendly) as marketing and do not assume data is being sent to those endpoints by the skill itself; 3) if you intend to operationalize the generated plan, review and adapt its technical steps to your environment (e.g., kill-switch commands, credential rotation procedures) rather than copy-pasting blindly; and 4) if you plan to have an agent act on the plan, ensure that agent's runtime permissions and credential access are appropriately scoped — the skill itself does not request any credentials but executing remediation actions may require them.
Capability Assessment
Purpose & Capability
The name and description promise an incident response plan generator and the SKILL.md/README provide templates, severity classification, triage checklists, containment actions, communication templates, recovery/POST-mortem templates and best practices — all aligned with the stated purpose.
Instruction Scope
Runtime instructions are purely declarative templates and checklists for building an IR plan. They do not direct the agent to read local files, access environment variables, call external APIs, or transmit data to third-party endpoints beyond a single marketing calendly link; there is no scope creep or hidden collection instructions.
Install Mechanism
No install spec and no code files — this is instruction-only. Nothing is downloaded or written to disk by the skill itself.
Credentials
The skill declares no required environment variables, secrets, or config paths. It does not ask for credentials or unrelated service tokens; requested inputs are high-level (service, environment, sensitivity, team size, etc.) appropriate for generating a plan.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request persistent presence, nor does it attempt to modify other skills or system settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install afrexai-incident-response-plan
  3. After installation, invoke the skill by name or use /afrexai-incident-response-plan
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Initial release of incident-response-plan skill for AI agent deployments and SaaS operations. - Generates a comprehensive, production-ready incident response plan covering detection, triage, containment, recovery, and post-mortem. - Provides clear severity classifications, checklists, communication templates, and best practices. - Useful for first-time production deployments, SOC2/ISO 27001 audit prep, client assurances, and operational resilience building.
Metadata
Slug afrexai-incident-response-plan
Version 1.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Incident Response Plan?

Generate a tailored incident response plan for AI agent deployments and SaaS operations. Covers detection, triage, containment, recovery, and post-mortem. Us... It is an AI Agent Skill for Claude Code / OpenClaw, with 143 downloads so far.

How do I install Incident Response Plan?

Run "/install afrexai-incident-response-plan" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Incident Response Plan free?

Yes, Incident Response Plan is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Incident Response Plan support?

Incident Response Plan is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Incident Response Plan?

It is built and maintained by afrexai-cto (@afrexai-cto); the current version is v1.0.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments