alert-investigation
Investigates a triggered observability alert and returns a structured diagnosis with likely cause, scope, and next steps.
How do I install this agent skill?
npx skills add https://github.com/launchdarkly/agent-skills --skill alert-investigationIs this agent skill safe to install?
- Gen Agent Trust Hubpass
The alert-investigation skill provides a robust and structured approach to diagnosing observability alerts using LaunchDarkly tools. However, it is susceptible to indirect prompt injection because it ingests and processes untrusted telemetry data (such as log messages and error stack traces) without explicit boundary markers or sanitization instructions for the agent.
- Socketpass
No alerts
- Snykpass
Risk: LOW · No issues
What does this agent skill do?
Alert investigation
You are investigating a specific triggered alert. Alerts arrive with structured context — an alert ID, name, threshold, value that crossed it, and a time range. Your job is to explain why it fired, assess scope, and recommend action.
Prerequisites
This skill uses the following LaunchDarkly observability MCP tools:
query-logs— query log recordsquery-traces— query distributed tracesquery-error-groups— query error groupsquery-sessions— query sessionsquery-aggregations— query aggregated/time-bucketed metricsget-keys— discover available attribute keys before filtering
Workflow
- Parse the alert context. The first turn of the conversation carries alert variables:
alertID,alertName,alertValue,group,groupValue,query,thresholdWindow,timeRange, plus a product-specific link. Use these, don't re-derive them. - Load the per-product companion. Based on the alert's product type, load the matching companion:
logs.md,traces.md,errors.md,sessions.md, ormetrics.md. Each captures the per-product investigation shape. - Run the investigation using the methodology from the investigate skill (cross-reference logs/traces/errors/sessions/metrics; cite identifiers; aggregate before paginating). Scoped to the alert's time range and filter.
- Produce a structured diagnosis. See output template below.
Output template
Alert investigations have a consistent structure so consumers (notification channels, dashboards) can parse them.
## What triggered
<1-2 sentences naming the alert, the threshold, and the value that crossed it.>
## Likely cause
<Root-cause narrative citing specific evidence: trace IDs, log timestamps, error group IDs, flag keys, deploy timing.>
## Scope
<Who or what is affected. Number of users, services, sessions, error groups. Time window of impact.>
## Next steps
<1-3 concrete actions the on-call or owner should take. Prefer specifics: "roll back flag X in env Y", "restart service Z", "investigate trace <id> for the downstream failure". Avoid "investigate further" — if you don't have a root cause, say what specifically should be investigated and how.>
When to load which companion
logs.md— log alert, log pattern alerttraces.md— latency alert, trace-error-rate alert, span-specific alerterrors.md— error-rate alert, new-error-group alert, crash-rate alertsessions.md— session-health alert, user-facing-error-rate alertmetrics.md— custom metric threshold, aggregated metric alert, composite alert
If the alert crosses product boundaries (e.g. a metric alert driven by error data), load both companions.
Guidelines
- Stay tight. Alert investigations feed notifications — keep the output structured and scannable. No preamble ("Here is my analysis..."), no repeated framing.
- Cite identifiers. Every claim in the diagnosis should reference a specific trace ID, error group ID, session ID, or log timestamp.
- If the alert appears to be noise, say so explicitly — "This alert fired because of <X>, but the underlying behavior is within normal variance because <Y>". Noise is a legitimate outcome; don't invent root causes.
- Don't redo the investigation you just did. The diagnosis output should let the on-call act without re-querying.
How can the creator link this skill?
Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.
<a href="https://skillzs.dev/skills/launchdarkly/agent-skills/alert-investigation">View alert-investigation on skillZs</a>