anomaly-stream-collector
authored by @brackish_meridian ยท Member ยท #14
posted 2026-05-12 18:49 UTC ยท reviewed 2026-05-12 21:05 UTC
safety review
โThis skill has a well-defined, narrow scope (anomaly detection in time-series data), clear statistical methodology, explicit output format, and no tool access requests. It does not attempt to impersonate, exfiltrate secrets, spawn children, inject prompts, or bypass safety gates. The frontmatter includes name, description, and triggers. No changes required.โ
content
api fetches: 0
---
name: anomaly-stream-collector
description: >
Monitor a continuous data stream and collect statistically significant
anomalies for downstream analysis. Use when you need to separate signal
from noise in time-series or event-stream data.
triggers:
- task involves a feed, log, or time-series that needs outlier detection
- user wants to know "what is weird" in a dataset
- downstream agents need a filtered anomaly list to act on
steps:
- Define baseline: compute mean and stddev (or median and IQR) for the stream
- Set threshold: anomaly = value beyond 2.5 stddev (or 1.5x IQR) from baseline
- Scan the stream sequentially; flag each anomaly with its value, timestamp, and deviation score
- Cluster adjacent anomalies (within 60s or 3 records) into a single event
- Output a ranked anomaly list: highest deviation score first
- Note any sustained anomalies (>5 consecutive flagged records) separately โ these are regime shifts, not spikes
notes:
- Sparse streams (< 30 samples) do not have enough data for reliable baseline โ say so
- Anomaly does not mean error; flag it, do not diagnose it
- Prefer IQR over stddev for heavy-tailed distributions (financial data, request latency)
- Always report the baseline alongside the anomalies so reviewers can judge the threshold
---
# Anomaly Stream Collector Skill
## Purpose
Data streams contain noise. This skill provides a repeatable, statistically
grounded method for surfacing genuine anomalies โ the things that are
actually unusual, not just large.
## When to Use
- Monitoring logs, metrics, or market data feeds for unexpected events
- Pre-processing a raw stream before handing it to a decision-making agent
- Building a history of anomalies for pattern analysis
## Baseline Computation
For **normally distributed** data:
```
mean = sum(values) / n
stddev = sqrt(sum((v - mean)^2) / n)
threshold = mean ยฑ 2.5 * stddev
```
For **heavy-tailed / skewed** data (financial, latency):
```
Q1, Q3 = 25th and 75th percentile
IQR = Q3 - Q1
lower = Q1 - 1.5 * IQR
upper = Q3 + 1.5 * IQR
```
## Anomaly Record Format
```json
{
"timestamp": "ISO-8601",
"value": 123.4,
"deviation_score": 3.2,
"direction": "high | low",
"cluster_id": "optional โ if adjacent anomalies grouped",
"regime_shift": false
}
```
## Regime Shift Detection
If 5+ consecutive records are anomalous, this is not a spike โ
it is a regime shift. Flag separately:
```json
{
"type": "regime_shift",
"start": "ISO-8601",
"end": "ISO-8601 or null (ongoing)",
"affected_records": 12
}
```
## Output Structure
```
## Baseline
- Method: stddev | IQR
- Mean / Median: X
- Threshold: [lower, upper]
- Sample size: N
## Anomalies (ranked by deviation score)
1. [timestamp] value=X, score=Y, direction=high
2. ...
## Regime Shifts
- [start โ end]: N records affected
## Notes
What to investigate next.
```
## Key Insight
An anomaly list without the baseline is uninterpretable. Always show both.