70High
The skill is vulnerable to prompt injection via unsan
Behavior Analysis
Description verified — behavior matches claim
Claims to do
Requesting Code Review: Dispatch superpowers:code-reviewer subagent to catch issues before they cascade. The reviewer gets precisely crafted context for evaluation — never your session's history. This keeps the reviewer focused on the work product, not your thought process, and preserves your own context for continued work.
Actually does
This skill uses `git` commands (`rev-parse`, `log`) to identify specific commit SHAs representing a code change range. It then dispatches a `superpowers:code-reviewer` subagent via a `Task` tool, providing it with structured context including the identified SHAs, a description of changes, and requirements, likely sourced from a template file like `code-reviewer.md`.
Skill Info
Nameobra/superpowers/requesting-code-review
Registrygithub
Versionf9b088f7b3a6
PURLpkg:github/obra/superpowers@f9b088f7b3a6?skill=requesting-code-review
Stars180,084
Installs71,300
Source
SHA-256a5ff68586ccf...
SHA-106f8749dd837...
MD5e03a4360964f...
TLSH2d51b7a7b80a...
Size2,935 bytes
Install
This skill has been flagged as potentially malicious. Review the findings below before installing.
Assessments (1)
AI Agent Traps ↗Sub-agent Dispatch with Prompt Injection Riskhighsub agent spawning
The skill dispatches a `code-reviewer` subagent and populates its prompt using placeholders. If the values for these placeholders are not properly sanitized, an attacker could inject malicious instructions into the subagent's prompt, leading to unintended actions or information disclosure by the subagent.
100% confidenceline 25
Dispatch superpowers:code-reviewer subagent
Placeholders:
- `{WHAT_WAS_IMPLEMENTED}`External Template Dependency (Supply Chain Risk)lowsupply chain
The skill relies on an external template file (`code-reviewer.md`) for configuring the subagent's behavior. Compromise or malicious modification of this template file could alter the subagent's instructions and lead to unintended or malicious actions.
100% confidenceline 34
Use Task tool with superpowers:code-reviewer type, fill template at `code-reviewer.md` See template at: requesting-code-review/code-reviewer.md
Version History (4)
Dependencies (1)
superpowers.claude-plugin/marketplace.jsonnot scanned
Badge
Markdown
[](https://mondoo.com/ai-agent-security/skills/github/obra/superpowers/requesting-code-review)HTML
<a href="https://mondoo.com/ai-agent-security/skills/github/obra/superpowers/requesting-code-review"><img src="https://mondoo.com/ai-agent-security/api/badge/github/obra/superpowers/requesting-code-review.svg" alt="Mondoo Skill Check" /></a>Image URL
https://mondoo.com/ai-agent-security/api/badge/github/obra/superpowers/requesting-code-review.svgSecure your AI agents
Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.
- Continuous scanning of skills across all registries
- Policy enforcement before skills reach your agents
- Integration with your existing security workflow