This skill teaches you to investigate and remediate data quality issues detected by Monte Carlo. You use MC MCP tools to understand the alert context, run root cause analysis, assess blast radius, and then execute the appropriate remediation action using whatever external tools the user has connected.
Monte Carlo tool routing (required): Always call Monte Carlo MCP tools through this plugin's bundled server, whose fully-qualified tool names are
mcp__plugin_mc-agent-toolkit_monte-carlo-mcp__<tool>(e.g.mcp__plugin_mc-agent-toolkit_monte-carlo-mcp__get_alerts). Bare tool names used in this skill (get_alerts,search,get_table, …) refer to that bundled server. If the session also has a separately-configuredmonte-carlo-mcpserver, do not route to it — it may point at a different endpoint or credentials.
Reference files live next to this skill file. Use the Read tool (not MCP resources) to access them:
references/patterns.md (relative to this file)references/tool-discovery.md (relative to this file)references/safety.md (relative to this file)Activate when the user:
Do not activate when the user is:
The Monte Carlo MCP server (monte-carlo-mcp) provides the investigation tools used in the workflows below. The workflows reference key tools by name (e.g., get_alerts, run_troubleshooting_agent, get_asset_lineage), but use any Monte Carlo tool that helps — the server has additional tools beyond what the workflows explicitly call out. Explore what's available.
Note on tool call examples: The code blocks below show key parameters to guide you. Always check the tool's own description for the complete parameter list and exact parameter names — they are authoritative.
Remediation actions are executed via whatever tools are available — MCP servers, CLI tools, or APIs. See Workflow 2 (Capability Discovery) and references/tool-discovery.md for how to detect and use them. Use whatever works; don't limit yourself to a prescribed list.
Follow these workflows in order. Each workflow builds on the context gathered by the previous one.
Goal: Understand what happened, why it happened, and what's affected.
Before proposing ANY remediation action, you MUST complete this investigation. Do not skip steps — incomplete context leads to wrong fixes.
get_alerts(
alert_ids=["<alert_id>"],
)
If the user provided a table name instead of an alert ID:
search(query="<table_name>")
→ extract MCON
get_alerts(
table_mcons=["<mcon>"],
created_after="<7 days ago>",
created_before="<now>",
order_by="-createdTime",
statuses=["NOT_ACKNOWLEDGED", "WORK_IN_PROGRESS"]
)
Extract from the alert: alert_type (Freshness, Volume, Schema Changes, etc.), severity, affected table MCONs, created_time.
alert_assessment(
incident_id="<alert_uuid>"
)
This returns incident_likelihood (HIGH/MEDIUM/LOW), alert_impact (HIGH/MEDIUM/LOW), and a summary. Use this to decide urgency:
Always use async mode. TSA analysis takes 4–8 minutes — sync mode will time out.
run_troubleshooting_agent(
incident_id="<alert_uuid>",
async_mode=true
)
While TSA runs, proceed with Steps 4–6 in parallel — gather lineage, table context, and query data while waiting. Then poll for TSA results:
get_troubleshooting_agent_results(
incident_id="<alert_uuid>"
)
Status values:
not_found → TSA hasn't been triggered yetrunning → still analyzing (wait 30s initially, then 60s intervals)success → results availablefailed → check full_response for error; proceed with manual investigationWhen TSA succeeds, read both the tldr and the verifications section. The tldr summarizes the root cause — this is your primary input for choosing a remediation action. The full_response includes a "verifications to confirm the root cause" section with specific checks (queries to run, things to compare, upstream systems to inspect). These verifications are often actionable remediation steps themselves — use them to guide what to do next or present them to the user as concrete next steps.
get_asset_lineage(
mcons=["<affected_table_mcon>"],
direction="DOWNSTREAM"
)
For BI report coverage:
get_downstream_bi_reports(
mcon="<affected_table_mcon>"
)
Then for upstream investigation:
get_asset_lineage(
mcons=["<affected_table_mcon>"],
direction="UPSTREAM"
)
Note: has_relationships=false means no dependencies tracked — do not assume missing relationships.
get_table(
mcon="<affected_table_mcon>",
include_fields=true,
include_table_capabilities=true
)
Extract: last activity timestamps, row counts, schema, monitoring status, importance score.
For key downstream tables identified in Step 4, also fetch their details:
get_table(mcon="<downstream_mcon>")
get_monitors(mcons=["<affected_table_mcon>"])
For Custom SQL or Validation alerts, also fetch the monitor configuration to understand the exact rule that breached:
get_monitors(
monitor_ids=["<monitor_id_from_alert>"],
include_fields=["config"]
)
The config contains the SQL query or validation conditions — this tells you exactly what the monitor checks, which is essential for understanding what went wrong and what the fix should be.
get_queries_for_table(
mcon="<affected_table_mcon>",
query_type="destination",
limit=10
)
Use query_type="destination" to find queries that write to this table (pipeline queries). This helps identify which pipeline or job is responsible for the data.
Wait for TSA to complete before presenting findings. Do not present partial results — the TSA root cause analysis and its verifications section are critical for choosing the right remediation action. If TSA is still running, keep polling; gather Steps 4–6 in the meantime.
After all steps are complete, synthesize your findings into a clear summary:
full_response that can confirm the root cause or serve as remediation stepsPresent this summary to the user before proceeding to remediation.
Goal: Determine what remediation actions are possible given the tools you have available.
Before attempting any remediation action, you must know what tools you can use. You have three categories to check:
mcp__*__* patterns (e.g., mcp__airflow__trigger_dag_run)gh, dbt, airflow, curl via which <tool>
curl if you have the right credentialsDon't assume any particular tool is available. But also don't assume MCP is the only option — a gh pr create via the CLI works just as well as a GitHub MCP tool.
For detailed guidance on discovery across all three categories, read references/tool-discovery.md.
After checking, summarize what's available:
Example:
"For this remediation, I can:
- ✅ Investigate via Monte Carlo (MCP connected)
- ✅ Restart the Airflow DAG (Airflow MCP connected)
- ✅ Create a code fix (
ghCLI available)- ❌ Rerun the dbt job (no dbt Cloud MCP or
dbtCLI found)"
When no tool (MCP, CLI, or API) is available for a needed action:
airflow dags trigger <dag_id>, dbt run --select <model>)create_or_update_alert_comment to record the diagnosis and recommended fixGoal: Take the appropriate action to fix the root cause, with safety rails.
Read references/patterns.md for detailed examples of common remediation patterns.
Based on the TSA root cause and available tools, determine the action:
| Root Cause Signal (from TSA) | Typical Remediation | Required Capability |
|---|---|---|
| Pipeline/DAG failure or delay | Restart the failed pipeline or task | Pipeline orchestration |
| dbt model failure | Rerun the failed dbt job | dbt operations |
| Schema change (upstream) | Assess impact, update downstream models or revert | Code changes |
| Volume anomaly (missing data) | Check upstream pipeline, trigger backfill | Pipeline orchestration + warehouse |
| Volume anomaly (duplicate data) | Identify and remove duplicates, fix pipeline | Warehouse + code changes |
| Permission/access error | Present findings, recommend user escalates to data platform team | None (user decides) |
| Infrastructure issue | Present findings, recommend user escalates to platform/ops team | None (user decides) |
| Unknown or complex root cause | Present full context and ask user for next steps | None (user decides) |
If the root cause maps to multiple possible actions, present the options to the user with tradeoffs and let them choose.
If the root cause doesn't clearly map to any pattern, read references/patterns.md for the "Unknown / complex" pattern, which focuses on presenting full context to the user and asking for direction.
BEFORE executing anything, present the plan to the user:
"Based on the investigation:
Root cause: [TSA summary] Proposed action: [what you want to do] Reasoning: [why this action addresses the root cause] Risk: [what could go wrong, blast radius] Rollback: [how to undo if the fix causes new problems]"
Before executing, read references/safety.md for the full safety protocol. The essentials:
create_or_update_alert_comment
Goal: Close out the incident properly — update status, document, and prevent recurrence.
Ask the user what status to set:
FIXED — the root cause was identified and remediatedEXPECTED — the alert fired on expected behavior (e.g., planned maintenance)NO_ACTION_NEEDED — the issue resolved itself or is not actionableThen call update_alert(alert_id="<alert_uuid>", status="<chosen_status>").
create_or_update_alert_comment(
alert_id="<alert_uuid>",
comment="## Remediation Summary\n\n**Root cause:** [TSA findings]\n**Action taken:** [what was done]\n**Result:** [outcome]\n**Remediated by:** AI agent via remediation skill\n**Timestamp:** [ISO timestamp]"
)
After remediating, briefly assess whether this issue is likely to recur:
Do not automatically create monitors or tickets — suggest them and let the user decide.
create_or_update_alert_comment.