wroadd

Alert Triage

Author: Peter Zsak · GitHub · v1.0.1 · MIT-0
cross-platform ✓ Passed security check
Total downloads: 92
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install alert-triage
Description
Normalize and classify alerts by urgency, trust, and audience to decide send-now, batch-later, ignore, suppress-as-duplicate, or escalate actions.
Usage instructions (SKILL.md)

Alert Triage

Use this skill to turn a stream of alerts into a clear policy and response model.

Core principle

Do not start with channels or tools. Start with the decision.

For each alert, decide:

  1. Is it actionable?
  2. Is it urgent?
  3. Is it trustworthy?
  4. Is it new information?
  5. Who actually needs it?
  6. Should it be immediate, batched, suppressed, ignored, or escalated?

Output model

Classify each alert into one of these outcomes:

  • send-now
  • batch-later
  • ignore
  • suppress-as-duplicate
  • escalate

When helpful, also assign:

  • severity: critical | high | medium | low | info
  • confidence: high | medium | low
  • audience: operator | owner | team | system
  • timing: immediate | next-digest | business-hours | maintenance-window

Workflow

1. Normalize the signal

Convert the raw notification into a compact event record:

  • source type
  • event summary
  • likely impact
  • affected system or workflow
  • first seen time
  • repeat count if known
  • current evidence

If the source is noisy or ambiguous, rewrite it into one sentence before classifying it.

2. Check actionability

Ask:

  • Can someone do something useful now?
  • Does delay make the outcome materially worse?
  • Is there a clear owner or audience?

If not actionable, prefer ignore or batch-later.

3. Score urgency

Urgency increases when:

  • revenue, uptime, data safety, or customer experience is at risk
  • the problem is time-sensitive or irreversible
  • the signal indicates active degradation, not just a threshold crossing
  • the event affects many users or critical workflows

Urgency decreases when:

  • the event is informational only
  • the issue is self-healing or reversible
  • the metric fluctuation is within normal variance
  • the event is outside service relevance or ownership

4. Check trust and evidence

Before escalating, check whether the alert is:

  • from a trustworthy source
  • supported by more than one signal
  • already acknowledged elsewhere
  • likely a false positive or transient blip

Low-trust alerts should usually not page people unless impact is potentially severe.

5. Deduplicate and suppress

Treat an alert as a duplicate when it repeats the same underlying issue within the same suppression window.

Use a suppression key based on the smallest stable combination that identifies the problem, for example:

  • source
  • affected component
  • error family
  • environment
  • severity bucket

Suppress duplicates when the new event adds no meaningful information.

Do not suppress when the event shows:

  • a severity increase
  • wider blast radius
  • longer duration than expected
  • a new affected component
  • failure of a previous recovery attempt

6. Route by audience

Route based on who can act, not who might be interested.

Default pattern:

  • critical and actionable: immediate owner plus escalation path
  • high: owner or operating team quickly
  • medium: working queue or next digest unless time-sensitive
  • low and info: digest or ignore

7. Apply timing policy

Use timing rules such as:

  • immediate if impact is active and delay is costly
  • next digest if useful but not urgent
  • business hours if action can safely wait
  • maintenance window if the alert is expected during change work

Quiet hours should reduce noise, but not hide critical actionable events.

8. Produce final policy output

Return a concise table or bullet list with:

  • normalized alert
  • severity
  • final outcome
  • audience
  • timing
  • rationale
  • suppression key or digest bucket when relevant

Recommended output template

## Alert triage result

| Alert | Severity | Outcome | Audience | Timing | Reason |
|------|----------|---------|----------|--------|--------|
| [normalized alert] | high | send-now | operator | immediate | customer-facing outage with clear action |
| [normalized alert] | low | batch-later | owner | next-digest | useful trend, no urgent action |
| [normalized alert] | medium | suppress-as-duplicate | system | current window | same root issue, no new information |

Decision heuristics

Prefer send-now when all are true:

  • actionable
  • time-sensitive
  • trusted enough
  • meaningful impact

Prefer batch-later when:

  • action exists, but delay is acceptable
  • the alert is useful as pattern context
  • the event is better understood in aggregate

Prefer ignore when:

  • no action is needed
  • the event is vanity noise
  • the source is too weak without corroboration

Prefer suppress-as-duplicate when:

  • it is the same incident inside the suppression window
  • nothing important changed

Prefer escalate when:

  • severity increased
  • the response owner did not act in time
  • business impact crossed a threshold
  • the event exceeded duration or repetition limits
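As an added example that is not part of the skill package or its reference files, here is one way to encode workflow steps 1 to 8 and the decision heuristics above as a small Python policy engine. The record fields, the 30-minute suppression window, the audience and timing choices per severity, and the sample alert stream are all assumptions constructed for this demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
@dataclass
class Alert:                 # compact event record from step 1 (field names are this example's own)
    summary: str
    source: str
    component: str
    error_family: str
    severity: str            # critical | high | medium | low | info
    confidence: str          # high | medium | low: how much the source is trusted (step 4)
    actionable: bool         # step 2: can someone do something useful now?
    active: bool             # step 3: active degradation, not just a threshold crossing
    first_seen: datetime

def suppression_key(a: Alert) -> tuple:
    # Step 5: smallest stable combination that names the problem; severity is tracked separately so an increase escalates
    return (a.source, a.component, a.error_family)

class Triage:
    def __init__(self, window: timedelta = timedelta(minutes=30)):
        self.window, self.last = window, {}   # suppression key -> (last seen time, last severity)
    def decide(self, a: Alert) -> dict:
        key = suppression_key(a)
        prev, self.last[key] = self.last.get(key), (a.first_seen, a.severity)
        out = lambda o, aud, t, why: dict(alert=a.summary, severity=a.severity, outcome=o, audience=aud, timing=t, reason=why, key=key)
        if prev and a.first_seen - prev[0] <= self.window:                       # step 5: same issue inside the window
            if SEVERITY_RANK[a.severity] > SEVERITY_RANK[prev[1]]:
                return out("escalate", "operator", "immediate", "severity increased inside suppression window")
            return out("suppress-as-duplicate", "system", "current-window", "same root issue, no new information")
        if a.severity in ("info", "low") and (not a.actionable or a.confidence == "low"):
            return out("ignore", "system", "none", "no action needed, or source too weak without corroboration")
        if not a.actionable or (a.confidence == "low" and a.severity != "critical"):  # steps 2 and 4
            return out("batch-later", "owner", "next-digest", "no action now, or low-trust signal that should not page")
        if a.severity == "critical":                                             # steps 6 and 7: route and time
            return out("send-now", "operator", "immediate", "critical and actionable: owner plus escalation path")
        if a.severity == "high" or (a.severity == "medium" and a.active):
            return out("send-now", "owner" if a.severity == "high" else "team", "immediate", "active or high impact, delay is costly")
        return out("batch-later", "owner", "next-digest", "useful context, no urgent action")

def demo() -> list[dict]:
    t0, triage = datetime(2024, 1, 1, 9, 0), Triage()   # constructed stream: one 5xx problem repeating then worsening, plus weak signals
    return [triage.decide(a) for a in [
        Alert("checkout 5xx rate 4%", "monitor", "checkout-api", "5xx", "high", "high", True, True, t0),
        Alert("checkout 5xx rate 5%", "monitor", "checkout-api", "5xx", "high", "high", True, True, t0 + timedelta(minutes=5)),
        Alert("checkout 5xx rate 20%", "monitor", "checkout-api", "5xx", "critical", "high", True, True, t0 + timedelta(minutes=10)),
        Alert("disk 71% on batch-worker", "monitor", "batch-worker", "disk", "low", "medium", True, False, t0),
        Alert("synthetic probe flapped once", "probe", "cdn", "timeout", "info", "low", False, False, t0),
    ]]
```

Each returned dict carries the step 8 output columns (normalized alert, severity, outcome, audience, timing, rationale, suppression key), so `demo()` yields send-now, suppress-as-duplicate, escalate, batch-later and ignore for the five constructed alerts in order.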

Privacy and portability rules

Keep outputs reusable and marketplace-safe.

Do not include:

  • personal phone numbers
  • private email addresses
  • real user names
  • internal channel IDs
  • device nicknames
  • company secrets
  • private endpoints or tokens

Use abstract placeholders instead:

  • primary-on-call
  • ops-channel
  • business-owner
  • customer-alerts
  • critical-systems

References

Read these when needed:

  • references/policies.md for reusable policy patterns
  • references/examples.md for worked examples
Safe usage advice
This skill is a focused, instruction-only policy and appears internally consistent. Before installing: (1) confirm you will not feed real secrets or private endpoints into the agent prompts when using it, (2) test the skill in a staging environment with sanitized alerts to ensure its routing and suppression heuristics align with your org policies, (3) review and adapt suppression windows, escalation rules, and audience mappings to match your on-call rotations and SLAs, and (4) monitor early runs to ensure the skill does not omit critical alerts or over-suppress. If you need the agent to act on alerts (send pages, post to channels), prefer granting only the minimal outbound/send permissions to the agent and validate destinations first.
Functional analysis
Type: OpenClaw Skill
Name: alert-triage
Version: 1.0.1
The skill bundle provides a structured framework for an AI agent to perform alert triage and deduplication. It contains no executable code, network requests, or file system access, and explicitly includes privacy rules in SKILL.md that forbid the inclusion of secrets, PII, or internal identifiers in the output.
Capability assessment
Purpose & Capability
Name, description, and files all describe alert normalization and triage heuristics; there are no unrelated environment variables, binaries, or install steps requested.
Instruction Scope
SKILL.md stays focused on classifying alerts, deduplication, timing, routing, and producing a sanitized policy output. It explicitly forbids including private endpoints, tokens, phone numbers, or other secrets. It does not instruct reading system files, shell history, or unrelated environment variables.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes disk writes and arbitrary code execution risk.
Credentials
The skill requires no environment variables, credentials, or config paths. The guidance about redacting private data is appropriate and proportional to the skill's function.
Persistence & Privilege
always:false and no instructions to modify other skills or system-wide settings. Autonomous invocation is allowed by default but the skill itself does not request elevated persistence or cross-skill config changes.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install alert-triage
  3. After installation, call the Skill by name directly or trigger it with /alert-triage
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.1
Remove non-runtime checklist reference from the published skill package; keep runtime references focused on policies and examples.
v1.0.0
Initial release: OpenClaw-first alert triage, dedupe, routing, digest, and escalation policy skill.
Metadata
Slug: alert-triage
Version: 1.0.1
License: MIT-0
Total installs: 0
Current installs: 0
Number of versions: 2
FAQ

What is Alert Triage?

Normalize and classify alerts by urgency, trust, and audience to decide send-now, batch-later, ignore, suppress-as-duplicate, or escalate actions. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 92 cumulative downloads so far.

How do I install Alert Triage?

Run the command "/install alert-triage" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Alert Triage free?

Yes, Alert Triage is completely free, licensed under MIT-0, and can be freely downloaded, installed and used.

Which platforms does Alert Triage support?

Alert Triage runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Alert Triage?

Developed and maintained by Peter Zsak (@wroadd); the current version is v1.0.1.
