정보
이 Claude Skill은 발견 사항이나 판단에서 허위 긍정을 엄격하게 걸러내기 위해 중재자와 함께 3라운드 자체 도전을 구현합니다. 배포 차단이나 신뢰할 수 있는 보고서 작성과 같이 허위 긍정 차단 게이트가 큰 비용을 초래할 수 있는 고위험 시나리오를 위해 설계되었습니다. 이 스킬은 검증 과정에서 코드와 문서 경로를 검토하기 위해 Read, Grep, Bash와 같은 도구를 사용합니다.
빠른 설치
Claude Code
추천npx skills add avelikiy/great_cto -a claude-code/plugin add https://github.com/avelikiy/great_ctogit clone https://github.com/avelikiy/great_cto.git ~/.claude/skills/skeptical-triageClaude Code에서 이 명령을 복사하여 붙여넣어 스킬을 설치하세요
문서
Skeptical Triage
Filter false positives from multi-angle review, security audit, QA regression flags, or any high-stakes judgment before it turns into a blocker.
Three rounds of skeptical self-review + an impartial arbiter, with a confidence score from the vote.
When to invoke
| Caller | Finding type | Apply triage? |
|---|---|---|
/review | Angle 2/4/7/9 P0/P1 (security, SQL, privacy, concurrency) | Yes |
/review --deep | Any angle P0/P1 | Yes |
security-officer | CSO audit P0/P1 | Yes |
security-officer | Secret in source/git, confirmed CVE | No — hard finding |
qa-engineer | Flaky-test verdict (is this a regression or flake?) | Yes |
architect | ADR trade-off dispute (option A vs. B when both look reasonable) | Yes |
| Any | P2/advisory | No |
The 4-step pattern
Run these sequentially. Each round sees prior reasoning. Arbiter sees all rounds.
Round 1 — Reachability / Premise
Question: is the premise true?
- For security/reliability: can an external attacker reach this code path with untrusted input? Trace input flow backward from the bug site to its origin. If only trusted internal callers → lean INVALID.
- For regressions: does the failing behavior reproduce from a clean state on the target branch?
- For ADR trade-offs: is the constraint that forces the choice actually binding? (e.g. "we need <10ms p99" — is that real or aspirational?)
Output: {round: 1, verdict: VALID|INVALID|UNCERTAIN, reasoning: "...", crux: "single key fact"}
Round 2 — Verify cited defenses / counter-evidence
Question: are claimed defenses real and sufficient?
- Every cited defense → use
Grepto find its actual implementation line. - Resolve constant names to numeric values.
MAX_BUF_SIZEis not a verified bound —#define MAX_BUF_SIZE 64is. - For regressions: is the cited "test covers this" actually asserting the right invariant?
- For ADR: is the cited benchmark/precedent real (grep for it, read it), or rumored?
If you cannot point to the line that enforces the defense, it does not exist.
Output: same JSON shape, with grep_used: true/false.
Round 3 — Missed angles
Question: what did Rounds 1-2 not consider?
- Error paths, integer overflow, race windows, different callers, platform differences
- Do NOT rehash prior rounds — add new evidence or concede
- For QA: retry logic masking the failure? Test pollution from another test?
- For ADR: option C that neither reviewer raised?
Output: same JSON shape.
Arbiter
Input: all 3 rounds + original finding/question + source code.
Question: final call — which side has the stronger evidence?
- Deliver single
verdict: VALID|INVALID(no UNCERTAIN — make the call). - Deliver one-sentence
crux— the key fact the verdict turns on. - If 3 prior rounds all said the same thing, only override with overwhelming new evidence and explain why.
Output:
{
"verdict": "VALID",
"crux": "memcpy at auth.c:142 copies network-controlled len bytes into 64-byte stack buffer with no bound check",
"reasoning": "Rounds 1 and 3 verified attacker reach; Round 2 found no size check in 50 LOC radius; arbiter confirms no caller clamps len."
}
Hard rules
Burn these into every round's prompt:
- Absence of defense → VALID, not UNCERTAIN. If you searched for a defense and did not find one, that is the answer. "Other code probably handles this" is not a valid defense.
- A constant name is not a verified bound — only its resolved value is. Grep for the
#define/constdeclaration. - Name the line or it does not exist. Vague references to "assumptions in this codebase" do not count.
- Do not contradict your own conclusion in the same response. If you verified a defense is insufficient, that is the verdict. Stop searching for reasons to flip.
- Code quality issue ≠ security vulnerability. Data race on diagnostic state, NULL check on internal-only API, UB only in debug builds → INVALID.
- Trust your own reasoning. If you see the crux on first read, don't manufacture a counter-argument.
Confidence scoring
confidence = valid_rounds_before_arbiter / 3
100%(VVV) — 3/3 rounds VALID. Arbiter rubber-stamps unless it finds something brand-new.67%(VVI or VIV or IVV) — majority VALID. Arbiter breaks tie with new evidence.33%(IIV or IVI or VII) — majority INVALID. Arbiter usually confirms INVALID.0%(III) — 3/3 INVALID. Arbiter rarely overrides.
Arbiter overrides the final verdict; confidence reflects the round vote for transparency. Record both in the output so humans can see where the arbiter diverged.
Applying triage results to severity
Once the arbiter returns:
| Arbiter verdict | Confidence | Severity action |
|---|---|---|
VALID | ≥ 50% | Keep original severity |
VALID | < 50% | Demote: P0→P1, P1→P2 |
INVALID | any | Remove from gate tally, record as [FILTERED] in report for audit |
UNCERTAIN (only if arbiter could not decide) | n/a | Keep original severity, flag for manual CTO review |
Output schema
Every caller logs triage results to .great_cto/triage-log.jsonl (append-only, one JSON per line):
{
"timestamp": "2026-04-19T12:34:56Z",
"caller": "review|security-officer|qa-engineer|architect",
"finding_id": "SEC-042",
"file": "src/auth.c:142",
"original_severity": "P0",
"rounds": [
{"round": 1, "verdict": "VALID", "crux": "..."},
{"round": 2, "verdict": "VALID", "crux": "...", "grep_used": true},
{"round": 3, "verdict": "INVALID", "crux": "..."}
],
"arbiter": {"verdict": "VALID", "crux": "..."},
"confidence": 0.67,
"final_severity": "P0"
}
This log is how we measure whether triage earns its keep. Review it weekly:
# False-positive rate: how many findings the arbiter flipped to INVALID
jq 'select(.arbiter.verdict=="INVALID")' .great_cto/triage-log.jsonl | wc -l
# Average rounds-to-consensus (did we need all 3 or did R1+R2 agree?)
jq '[.rounds[].verdict] | unique | length' .great_cto/triage-log.jsonl
If FP rate < 10% after 50 triages — triage is filtering noise that wasn't there. Lower threshold or skip triage for that angle. If FP rate > 40% — original review prompt is too trigger-happy; tighten the angle rules.
Token budget
Per triaged finding: ~4 LLM turns (3 rounds + arbiter). At typical review sizes (~5-10 triaged findings per PR), total budget: 20-40 extra turns per /review. Batch when possible — one arbiter can handle multiple findings in a single call if their cruxes are independent.
For cost-sensitive runs (approval-level: auto on a huge PR), consider: triage only P0, leave P1 untriaged. Re-tune based on .great_cto/triage-log.jsonl data.
Anti-patterns
- Don't triage P2/advisory findings. The whole point is gate decisions. P2 is advisory — let the author see it and move on.
- Don't let rounds rehash each other. Round 3 prompt must say "add NEW evidence or concede." If 3 rounds produce identical reasoning, you wasted 2 turns.
- Don't skip the arbiter on UNCERTAIN. If all 3 rounds say UNCERTAIN, the arbiter's job is to decide — not to join the fog.
- Don't hide arbiter overrides. When the arbiter flips the majority vote, record both
confidence(the vote) andfinal_verdict(the arbiter). Humans deserve to see the disagreement.
GitHub 저장소
Frequently asked questions
What is the skeptical-triage skill?
skeptical-triage is a Claude Skill by avelikiy. Skills package instructions and resources that Claude loads on demand, so Claude can perform skeptical-triage-related tasks without extra prompting.
How do I install skeptical-triage?
Use the install commands on this page: add skeptical-triage to Claude Code as a plugin, or clone its repository into your skills directory, then restart Claude so it picks up the skill.
What category does skeptical-triage belong to?
skeptical-triage is in the Other category, tagged ai.
Is skeptical-triage free to use?
Yes. skeptical-triage is listed on AIMCP and free to install. It runs inside Claude, so no separate service account is required to use the skill itself.
연관 스킬
LlamaGuard는 폭력 및 혐오 발언 등 6가지 안전 범주에서 LLM 입력과 출력을 조정하기 위한 Meta의 70-80억 파라미터 모델입니다. 94-95% 정확도를 제공하며 vLLM, Hugging Face 또는 Amazon SageMaker를 사용해 배포할 수 있습니다. 이 기술을 사용하여 AI 애플리케이션에 콘텐츠 필터링 및 안전 가드레일을 손쉽게 통합하세요.
이 Claude Skill은 리소스 적정화, 태깅 전략, 지출 분석을 통해 개발자들이 클라우드 비용을 최적화할 수 있도록 지원합니다. AWS, Azure, GCP에서 클라우드 비용을 절감하고 비용 거버넌스를 구현하기 위한 프레임워크를 제공합니다. 인프라 비용을 분석하거나, 리소스를 적정화하거나, 예산 제약을 충족해야 할 때 사용하세요.
이 Claude Skill은 스프레드, 오버/언더, 프로프 베트를 포함한 스포츠 베팅 시장을 분석합니다. 역사적 추이와 상황별 통계를 검토하여 가치 베트를 발견하고, 교육적 목적으로 실행 가능한 권장 사항이 담긴 구조화된 마크다운 결과를 제공합니다. 개발자는 이 기능을 스포츠 베팅 분석 도구에 활용할 수 있으며, 단순히 엔터테인먼트/교육 목적으로만 설계되었음을 유의해야 합니다.
이 스킬은 bitsandbytes를 사용하여 LLM을 8비트 또는 4비트 정밀도로 양자화하며, 최소한의 정확도 손실로 50-75%의 메모리 감소를 달성합니다. 제한된 GPU 메모리에서 더 큰 모델을 실행하거나 추론을 가속화하는 데 이상적이며, INT8, NF4, FP4와 같은 형식을 지원합니다. 이 스킬은 HuggingFace Transformers와 통합되어 QLoRA 학습 및 8비트 옵티마이저를 가능하게 합니다.
