70High
The skill is vulnerable to prompt injection via user-
Behavior Analysis
Mismatch detected — The skill's description implies it performs the dispatch of the `superpowers:code-reviewer` subagent. However, the skill's content is purely instructional, guiding the user to manually execute `git` commands and then instructing them to use an external 'Task tool' to dispatch the subagent. The skill itself does not execute any commands to dispatch the subagent.
Claims to do
Requesting Code Review: Dispatch superpowers:code-reviewer subagent to catch issues before they cascade. The reviewer gets precisely crafted context for evaluation — never your session's history. This keeps the reviewer focused on the work product, not your thought process, and preserves your own context for continued work.
Actually does
This skill provides instructions and examples for a user to manually prepare a code review request. It guides the user to use `git` commands (`git rev-parse`, `git log`) to identify specific commit SHAs. It then instructs the user to dispatch an external `superpowers:code-reviewer` subagent via a 'Task tool', populating a template (`code-reviewer.md`) with the extracted SHAs and other contextual information.
Skill Info
Nameobra/superpowers/requesting-code-review
Registrygithub
Versiona569527b89c1
PURLpkg:github/obra/superpowers@a569527b89c1?skill=requesting-code-review
Stars180,084
Installs71,300
Source
SHA-256a5ff68586ccf...
SHA-106f8749dd837...
MD5e03a4360964f...
TLSH2d51b7a7b80a...
Size2,935 bytes
Install
This skill has been flagged as potentially malicious. Review the findings below before installing.
Assessments (2)
AI Agent Traps ↗Sub-agent Prompt Injection via User Inputhighprompt injection
The skill dispatches a 'code-reviewer' subagent using a template with user-filled placeholders. Malicious input into these placeholders could lead to prompt injection against the subagent, altering its behavior or extracting sensitive information.
90% confidenceline 34
Use Task tool with superpowers:code-reviewer type, fill template at code-reviewer.md
Placeholders: {WHAT_WAS_IMPLEMENTED} ... {DESCRIPTION}Description Mismatchlowdescription mismatch
The skill's description implies it performs the dispatch of the `superpowers:code-reviewer` subagent. However, the skill's content is purely instructional, guiding the user to manually execute `git` commands and then instructing them to use an external 'Task tool' to dispatch the subagent. The skill itself does not execute any commands to dispatch the subagent.
85% confidence
Description: 'Dispatch superpowers:code-reviewer subagent...'. Actual content: '1. Get git SHAs... 2. Dispatch code-reviewer subagent: Use Task tool...'
Version History (4)
Dependencies (1)
superpowers.claude-plugin/marketplace.jsonnot scanned
Badge
Markdown
[](https://mondoo.com/ai-agent-security/skills/github/obra/superpowers/requesting-code-review)HTML
<a href="https://mondoo.com/ai-agent-security/skills/github/obra/superpowers/requesting-code-review"><img src="https://mondoo.com/ai-agent-security/api/badge/github/obra/superpowers/requesting-code-review.svg" alt="Mondoo Skill Check" /></a>Image URL
https://mondoo.com/ai-agent-security/api/badge/github/obra/superpowers/requesting-code-review.svgSecure your AI agents
Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.
- Continuous scanning of skills across all registries
- Policy enforcement before skills reach your agents
- Integration with your existing security workflow