AgentSkillsCN

Risk Tiering

A comprehensive backend development guide covering API design, database schemas, security, performance optimization, and production-ready coding standards.

SKILL.md

Skill: Risk Tiering

Purpose

Determine the governance risk tier of the model by assessing its financial impact, operational reliance, usage pattern, implementation complexity, and strength of existing risk mitigations.

This skill establishes the downstream control requirements for all other skills.

Inputs

Required IR fields:

  • project metadata
  • symbols and public interfaces
  • imports and dependencies
  • commentary_md
  • evidence_index

Skill data inputs:

  • rubric.yaml (axis definitions, scoring rules, tier bands)
  • controls.yaml (required controls per tier)

Outputs

Return a structured risk classification including:

  • axis-level scores with rationale
  • aggregate score and tier assignment
  • mapping to required governance controls
  • explicit justification tied to evidence
  • unknowns (if any)

Rules

Evidence & uncertainty (non-negotiable)

  • Every materially non-trivial claim must be supported by evidence ids.
  • If a claim cannot be supported, write Not evidenced and record it in unknowns as:
    • question
    • why it matters
    • what evidence would resolve it
  • Do not infer controls that are not clearly present in the evidence.

Scoring discipline

  • Score each axis independently on a 0–4 scale.
  • Base scores on actual usage and design, not aspirational intent.
  • If mitigation evidence is absent, assume low mitigation strength.
  • Do not average away high-risk dimensions; do not “offset” a high-risk axis with low-risk axes.
  • Cite evidence for each axis score (including 0 where practical; if no evidence exists, say Not evidenced).
  • If information is missing, score conservatively (bias higher tier).
  • If two tiers are plausible, choose the higher tier unless evidence supports lower risk.

Control mapping discipline

  • For each required control in controls.yaml, classify as: present / partial / absent.
  • Present/partial requires evidence ids; otherwise mark absent and note as a gap.

JSON / schema contract

  • Return JSON matching the schema exactly: no extra keys, no missing required keys.
  • Use explicit null/sentinel only where allowed by the schema.

System Prompt

You are a senior model risk officer classifying a financial model for governance. Be conservative, explicit, and evidence-driven. Assume this decision will be audited.

User Prompt Template

Given:

  • An intermediate representation (IR) of a model
  • Evidence snippets from source code and documentation
  • A risk tiering rubric and control mapping

  1. Score each risk axis (0–4) with a brief justification and evidence ids.
  2. Compute the total score using the rubric formula. Show the calculation inputs.
  3. Assign a risk tier based on the defined bands.
  4. List required controls implied by this tier and map them to present/partial/absent with evidence ids.
  5. List unknowns using the required unknowns format.

Return JSON matching the schema exactly.

Post-run Checks

  • All axes have a numeric score and rationale.
  • Tier matches rubric bands and the total score calculation.
  • evidence_used references valid evidence ids only.
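The scoring discipline, control-mapping discipline, schema contract and post-run checks above, implemented as an added example in Python (this is not code from the AgentSkillsCN skill or from any repository it describes). Because the page does not reproduce rubric.yaml or controls.yaml, the axis names, the summed-score formula, the tier bands (Tier 1 being the highest-risk tier), the output keys and the control names are assumptions chosen for illustration, and the sample model input with evidence ids E1 to E3 is constructed. The conservative rules are encoded literally: an axis cited without evidence ids is written "Not evidenced" and logged as an unknown in the required question / why it matters / resolving evidence shape; absent mitigation evidence forces the mitigation axis to its maximum score; a single maxed axis cannot be averaged away by the others; and when the unknowns make two tiers plausible, the higher one is chosen. post_run_checks then verifies a result against the Post-run Checks and the exact-keys contract.

```python
# Added example, not from the AgentSkillsCN page. The rubric formula, tier bands, axis names,
# output keys and control names are ASSUMED stand-ins for rubric.yaml / controls.yaml.

# Axes from the Purpose section, scored 0..4 with higher = riskier on every axis;
# "mitigation_weakness" is the assumed encoding of "strength of existing risk mitigations".
AXES = ("financial_impact", "operational_reliance", "usage_pattern",
        "implementation_complexity", "mitigation_weakness")
MAX_SCORE = 4
TIER_BANDS = (("Tier 3", 0, 6), ("Tier 2", 7, 13), ("Tier 1", 14, 20))  # assumed; Tier 1 = highest risk
TIER_RANK = {"Tier 3": 0, "Tier 2": 1, "Tier 1": 2}
REQUIRED_CONTROLS = {  # assumed stand-in for controls.yaml (cumulative per tier)
    "Tier 3": ["documented_owner"],
    "Tier 2": ["documented_owner", "independent_validation"],
    "Tier 1": ["documented_owner", "independent_validation", "ongoing_monitoring", "change_approval"]}
OUTPUT_KEYS = {"axes", "scored_total", "worst_case_total", "tier", "controls", "control_gaps", "unknowns", "evidence_used"}

def band_tier(total):
    for tier, lo, hi in TIER_BANDS:
        if lo <= total <= hi:
            return tier
    raise ValueError(f"total {total} is outside the rubric bands")

def score_axes(axis_inputs, evidence_index):
    """axis_inputs: {axis: {"score": int, "rationale": str, "evidence": [ids]}}."""
    axes, unknowns, used = {}, [], set()
    for name in AXES:
        entry = axis_inputs[name]  # a missing axis is a hard error, never a silent 0
        score, cited = int(entry["score"]), set(entry.get("evidence", []))
        if not 0 <= score <= MAX_SCORE:
            raise ValueError(f"{name}: score {score} not in 0..{MAX_SCORE}")
        if cited - evidence_index:
            raise ValueError(f"{name}: unknown evidence ids {sorted(cited - evidence_index)}")
        rationale = entry["rationale"]
        if not cited:  # unsupported claim: write "Not evidenced" and log it in the required shape
            rationale = "Not evidenced"
            if name == "mitigation_weakness":
                score = MAX_SCORE  # no mitigation evidence => assume low mitigation strength
            unknowns.append({"question": f"What is the model's actual {name.replace('_', ' ')}?",
                             "why_it_matters": f"{name} is scored without evidence, so the tier may be understated",
                             "what_evidence_would_resolve_it": f"a source or documentation snippet supporting {name}"})
        used |= cited
        axes[name] = {"score": score, "rationale": rationale, "evidence": sorted(cited)}
    return axes, unknowns, used

def assign_tier(axes):
    # Assumed formula: summed score; one maxed axis cannot be averaged away; unknowns bias upward.
    scored_total = sum(a["score"] for a in axes.values())
    worst_case_total = sum(MAX_SCORE if a["rationale"] == "Not evidenced" else a["score"] for a in axes.values())
    candidates = [band_tier(scored_total), band_tier(worst_case_total)]  # both plausible readings
    if max(a["score"] for a in axes.values()) == MAX_SCORE:
        candidates.append("Tier 2")
    return scored_total, worst_case_total, max(candidates, key=TIER_RANK.get)

def map_controls(tier, observed, evidence_index):
    """observed: {control: {"status": present|partial|absent, "evidence": [ids]}}."""
    mapped, used = [], set()
    for control in REQUIRED_CONTROLS[tier]:
        obs = observed.get(control, {"status": "absent", "evidence": []})
        cited, status = set(obs.get("evidence", [])) & evidence_index, obs["status"]
        if status in ("present", "partial") and not cited:
            status = "absent"  # present/partial without evidence ids is recorded as absent
        used |= cited
        mapped.append({"control": control, "status": status, "evidence": sorted(cited)})
    return mapped, used

def classify(axis_inputs, observed_controls, evidence_index):
    evidence_index = set(evidence_index)
    axes, unknowns, used = score_axes(axis_inputs, evidence_index)
    scored_total, worst_case_total, tier = assign_tier(axes)
    controls, used_c = map_controls(tier, observed_controls, evidence_index)
    return {"axes": axes, "scored_total": scored_total, "worst_case_total": worst_case_total, "tier": tier,
            "controls": controls, "control_gaps": [c["control"] for c in controls if c["status"] != "present"],
            "unknowns": unknowns, "evidence_used": sorted(used | used_c)}

def post_run_checks(result, evidence_index):
    # Returns the list of Post-run Check / schema-contract violations; an empty list is a pass.
    problems = []
    if set(result) != OUTPUT_KEYS:
        problems.append("output keys do not match the schema exactly")
    for name in AXES:
        a = result.get("axes", {}).get(name, {})
        if not isinstance(a.get("score"), int) or not a.get("rationale"):
            problems.append(f"axis {name} lacks a numeric score or rationale")
    if not problems and result["tier"] != assign_tier(result["axes"])[2]:
        problems.append("tier does not match the rubric bands for the reported totals")
    if bad := set(result.get("evidence_used", [])) - set(evidence_index):
        problems.append(f"evidence_used cites unknown ids {sorted(bad)}")
    return problems

# Constructed sample input (not real model data) that exercises the edge cases.
EVIDENCE_INDEX = {"E1", "E2", "E3"}
SAMPLE_AXES = {
    "financial_impact": {"score": 3, "rationale": "Feeds regulatory capital", "evidence": ["E1"]},
    "operational_reliance": {"score": 2, "rationale": "Daily input to pricing", "evidence": ["E2"]},
    "usage_pattern": {"score": 2, "rationale": "Two downstream consumers", "evidence": ["E2"]},
    "implementation_complexity": {"score": 1, "rationale": "Claimed simple", "evidence": []},
    "mitigation_weakness": {"score": 1, "rationale": "Claimed well controlled", "evidence": []}}
SAMPLE_CONTROLS = {
    "documented_owner": {"status": "present", "evidence": ["E3"]},
    "independent_validation": {"status": "present", "evidence": []},  # claimed, not evidenced
    "ongoing_monitoring": {"status": "partial", "evidence": ["E1"]}}
RESULT = classify(SAMPLE_AXES, SAMPLE_CONTROLS, EVIDENCE_INDEX)
```

With the constructed input, RESULT lands in Tier 1 even though the scored total (12) only reaches the assumed Tier 2 band: two axes carry no evidence ids, so the worst-case reading (15) is also plausible and the higher tier wins, the unevidenced mitigation axis is scored 4, and the control claimed "present" without evidence is recorded as absent and listed under control_gaps. post_run_checks(RESULT, EVIDENCE_INDEX) returns an empty list, and returns a violation if the tier, the key set or evidence_used is tampered with.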