anomaly-alert
The anomaly-alert skill detects unusual patterns in Claude Code Agent Monitor sessions by analyzing cost, duration, error rates, and token usage against statistical baselines. Users invoke it with optional parameters specifying anomaly types or sensitivity levels, and it retrieves historical session data to compute means, standard deviations, and percentiles, then flags sessions exceeding threshold values as critical, warning, or informational anomalies with recommended actions.
git clone --depth 1 https://github.com/hoangsonww/Claude-Code-Agent-Monitor /tmp/anomaly-alert && cp -r /tmp/anomaly-alert/plugins/ccam-insights/skills/anomaly-alert ~/.claude/skills/anomaly-alert

SKILL.md
# Anomaly Alert

Detect anomalous sessions in Claude Code Agent Monitor data.

## Input

The user provides: **$ARGUMENTS**

This may be:

- "all" or empty (default: check all anomaly types)
- "cost" for cost anomalies only
- "duration" for duration anomalies only
- "errors" for error rate anomalies only
- A sensitivity level: "strict" (1σ), "normal" (2σ), "relaxed" (3σ)

## Procedure

1. **Fetch baseline data** from `http://localhost:4820`:
   - `GET /api/sessions?limit=500` — historical sessions for baseline
   - `GET /api/analytics` — aggregated metrics
   - `GET /api/pricing/cost` — cost data per session

2. **Compute baselines** for each metric:
   - Mean, median, standard deviation
   - P25, P75, P90, P95, P99 percentiles
   - Interquartile range (IQR) for robust outlier detection

3. **Detect anomalies** using statistical thresholds:

   ### Cost Anomalies
   - Sessions costing >2σ above mean
   - Single sessions exceeding daily average
   - Sudden cost spikes (session-over-session increase >200%)

   ### Duration Anomalies
   - Sessions lasting >2σ above mean duration
   - Extremely short sessions (<1 minute) that still incur cost
   - Sessions with unusual active-vs-idle ratios

   ### Error Rate Anomalies
   - Sessions with error rates >2σ above baseline
   - New error types not seen in previous sessions
   - Sessions with >3 consecutive tool failures

   ### Behavioral Anomalies
   - Unusual tool combinations not seen before
   - Sessions with abnormally high compaction counts
   - Model switches mid-session (if unexpected)
   - Sessions with no tool usage (pure conversation)

   ### Token Anomalies
   - Input/output token ratio far from historical norm
   - Cache miss rate significantly higher than average
   - Token usage growing faster than session count

4. **Classify each anomaly**:
   - **🔴 Critical**: Likely indicates a real problem requiring attention
   - **🟡 Warning**: Unusual but may be expected for certain tasks
   - **🔵 Info**: Interesting deviation worth noting

## Output Format

Present as an **Anomaly Report**:

```
═══════════════════════════════════════════════
  ANOMALY DETECTION REPORT
  Analyzed: N sessions | Baseline: last 30 days
  Anomalies found: N (🔴 N critical, 🟡 N warn, 🔵 N info)
═══════════════════════════════════════════════
```

For each anomaly:

- Session ID and timestamp
- Anomaly type and severity
- Observed value vs expected range
- Possible explanation
- Recommended action (if any)
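
The cost checks from steps 2 and 3 of the procedure, as an added example that is not part of the skill or of the Claude-Code-Agent-Monitor project. It shows why the procedure pairs the σ rule with an IQR check: one extreme session inflates the standard deviation enough to hide a smaller outlier, and under "relaxed" even itself. The session keys `id` and `cost`, the 1.5×IQR fence and the reading of ">200%" as "more than triples" are assumptions, and the data is constructed.

```python
import statistics

# Sensitivity names and sigma multipliers as listed in the skill's Input section.
SIGMA = {"strict": 1.0, "normal": 2.0, "relaxed": 3.0}

def cost_anomalies(sessions, sensitivity="normal"):
    """Flag cost anomalies in chronologically ordered sessions.

    Each session is a dict with hypothetical keys "id" and "cost"; the
    monitor's real API response schema is not shown on the page.
    """
    costs = [s["cost"] for s in sessions]
    if len(costs) < 4:
        return []  # too few points for a meaningful baseline
    mean = statistics.fmean(costs)
    stdev = statistics.stdev(costs)
    q1, _, q3 = statistics.quantiles(costs, n=4)
    sigma_limit = mean + SIGMA[sensitivity] * stdev
    iqr_limit = q3 + 1.5 * (q3 - q1)  # Tukey fence; multiplier is an assumption

    findings, prev = [], None
    for s in sessions:
        reasons = []
        if stdev > 0 and s["cost"] > sigma_limit:
            reasons.append("sigma")  # more than k sigma above the mean
        if s["cost"] > iqr_limit:
            reasons.append("iqr")    # robust check, less affected by extremes
        # ">200% increase" read as: cost more than triples vs. previous session.
        if prev is not None and prev > 0 and (s["cost"] - prev) / prev > 2.0:
            reasons.append("spike")
        if reasons:
            findings.append((s["id"], reasons))
        prev = s["cost"]
    return findings

# Constructed sample data, not real monitor output.
SAMPLE = [{"id": f"s{i}", "cost": c} for i, c in enumerate(
    [0.40, 0.50, 0.45, 0.55, 0.50, 0.48, 0.52, 1.60, 0.47, 9.00])]

if __name__ == "__main__":
    for level in SIGMA:
        print(level, cost_anomalies(SAMPLE, level))
```
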
Operate and maintain the local MCP server for this repository. Use for MCP tool updates, policy-guard changes, host configuration, and MCP runtime troubleshooting.
Run release-readiness checks for this repository. Use when validating docs, scripts, verification coverage, and operational safety before merge or release.
Understand this repository quickly before making changes. Use for architecture discovery, ownership mapping, command selection, and initial implementation planning.
Review backend route and hook logic for regressions, data integrity risks, and missing tests.
Review React UI changes for behavior regressions, state consistency, and UX breakage.
Review MCP server changes for tool safety, schema quality, and host integration correctness.
Debug production-like issues in this repository with disciplined evidence gathering. Use when fixing failing workflows, regressions, flaky behavior, or data inconsistencies across hooks, API, DB, websocket, and UI.
Operate and maintain the local MCP server for this project. Use when creating MCP host config, troubleshooting tool connectivity, modifying tool domains, or adjusting safety policy flags.