← Back to Skills Marketplace
ggettert

Incident Triage

by Grace Gettert · GitHub ↗ · v0.3.0 · MIT-0
cross-platform ✓ Security Clean
152
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install incident-triage
Description
Structured incident triage for alerts from any monitoring source. Five-step framework: classify severity, scope blast radius, correlate with recent changes,...
README (SKILL.md)

Incident Triage

Structured incident triage for alerts from any monitoring source. Five steps, consistent every time.

Pass in the raw alert message, a link to the alert, or a description of what's happening.

Triage Process

When an alert appears:

  1. Classify — what type and severity?
  2. Scope — blast radius: who's affected, which environment, since when?
  3. Correlate — what changed recently? Check deploys, merges, config changes
  4. Investigate — guided checks based on alert type
  5. Act — summarize, create ticket, escalate or close

Read references/triage-framework.md for the full framework with checklists and bash snippets for each step.

Alert Parsing

Before starting the triage framework, identify the alert source and extract key fields.

Read references/alert-patterns.md for patterns covering PagerDuty, Datadog, CloudWatch, Sentry, uptime monitors, GitHub Actions, AWS SNS/EventBridge, and custom webhooks.

Escalation

When to page, when to watch, when to close. Severity-based response times and communication templates.

Read references/escalation-guide.md for defaults — customize for your team's on-call structure.

Runbook

During Step 4 (Investigate), load references/runbook-template.md to find service health endpoints, dashboards, log locations, and common fixes.

⚠️ This file is a template — it must be filled in before use. If it still contains \x3C!-- placeholder comments, tell the user to populate it with their actual infrastructure before relying on it during an incident.

Scripts

The scripts/ directory contains helper scripts for the correlation and action steps:

  • scripts/correlate-recent-deploys.sh — list recent CI/CD runs for a repo (Step 3)
  • scripts/correlate-recent-merges.sh — list recently merged PRs for a repo (Step 3)
  • scripts/create-incident-issue.sh — create a GitHub incident issue (Step 5)

Works Well With

  • github (Step 3 — Correlate): check recent deploys, merged PRs, and CI run history for affected repos
  • aws-ecs-monitor (Step 4 — Investigate): ECS service health, ALB targets, and CloudWatch logs for downtime and resource alerts
  • gh-issues (Step 5 — Act): create incident tickets automatically

References

Usage Guidance
This skill appears coherent and implements a structured triage workflow. Before installing or running it: (1) ensure the `gh` CLI is installed and authenticated with a GitHub token that has only the scopes you intend (issue creation / repo read as needed); the helper scripts call `gh` locally and rely on that existing auth. (2) Populate the runbook template (references/runbook-template.md) with your real endpoints, on-call contacts, and accounts — do not rely on placeholder content during a real incident. (3) Confirm that any agent identity you give permission to invoke this skill has least privilege (e.g., narrow GitHub repo access) because the skill can create issues and query runs. (4) If you do not want the agent to take automated actions (create tickets) consider limiting autonomous invocation or requiring explicit user confirmation before running the action scripts. (5) Test the scripts in a non-production repo/environment first so you can validate behavior and permissions.
Capability Analysis
Type: OpenClaw Skill Name: incident-triage Version: 0.3.0 The incident-triage skill bundle provides a structured framework and helper scripts for managing system alerts. The scripts (correlate-recent-deploys.sh, correlate-recent-merges.sh, and create-incident-issue.sh) use the official GitHub CLI (gh) to perform actions consistent with the stated purpose of triaging deployments and creating incident tickets. No evidence of data exfiltration, malicious execution, or prompt injection was found.
Capability Tags
requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The name/description (incident triage, correlate deploys/merges, create incident issues) match the included assets: triage docs, runbook template, and three small helper scripts that use the `gh` CLI. There are no requests for unrelated capabilities (no unexpected cloud credentials, remote downloads, or unrelated binaries).
Instruction Scope
SKILL.md stays within triage responsibilities: classify, scope, correlate, investigate, act. It references local reference files and the helper scripts and tells operators to consult dashboards and logs. It does not instruct the agent to read arbitrary system files or exfiltrate data. Note: the runbook template explicitly contains placeholders and must be populated before use; the skill warns about this.
Install Mechanism
No install spec — instruction-only with three small scripts included. No remote downloads or archive extraction. This is low-risk from an install standpoint.
Credentials
The skill does not declare required env vars, but the scripts and docs rely on external tooling (notably the `gh` CLI) and access to monitoring/UIs (PagerDuty, Datadog, CloudWatch, Sentry, etc.). This is coherent but users must provide appropriate CLI configuration / credentials externally. The skill does not itself demand unrelated secrets, but creating issues or querying runs requires GitHub credentials (via `gh` auth) and deeper investigation will require service-specific credentials which are not provided by the skill.
Persistence & Privilege
always is false and the skill does not request persistent system-level privileges. It can be invoked autonomously by the agent (platform default) — normal for skills. There is no evidence it modifies other skills or system-wide settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install incident-triage
  3. After installation, invoke the skill by name or use /incident-triage
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.3.0
Add scripts/ for deploy correlation and incident ticket creation; add TOC to alert-patterns.md and triage-framework.md; improve Works Well With section with step-level guidance; add runbook template warning; fix GNU date format bug in correlate-recent-deploys.sh
v0.2.0
Beta release. Five-step triage framework covering classify, scope, correlate, investigate, and act. Supports PagerDuty, Datadog, CloudWatch, Sentry, GitHub Actions, uptime monitors, and custom webhooks. Includes customizable escalation guide and runbook template.
Metadata
Slug incident-triage
Version 0.3.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is Incident Triage?

Structured incident triage for alerts from any monitoring source. Five-step framework: classify severity, scope blast radius, correlate with recent changes,... It is an AI Agent Skill for Claude Code / OpenClaw, with 152 downloads so far.

How do I install Incident Triage?

Run "/install incident-triage" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Incident Triage free?

Yes, Incident Triage is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Incident Triage support?

Incident Triage is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Incident Triage?

It is built and maintained by Grace Gettert (@ggettert); the current version is v0.3.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments