Cross Model Review
v2.1.0
Adversarial plan review using two different AI models. Supports static mode (fixed roles) and alternating mode (models swap writer/reviewer each round, fully...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, CLI, templates, and scripts all implement an adversarial cross-model review loop (static and alternating modes). The included Node.js helper (scripts/review.js) manages workspaces, parsing, dedup, and verdicts — this is expected and proportionate to the skill's purpose. There are no unrelated env vars, binaries, or surprising external services requested.
Instruction Scope
SKILL.md instructs the agent to spawn reviewer/writer sub-agents (sessions_spawn) and to save/parse JSON responses; templates explicitly wrap plan content in UNTRUSTED delimiters and require structured JSON output. This stays within the review orchestration scope, but the skill necessarily transmits plan content to third‑party models and relies on instruction-level sandboxing to mitigate prompt injection. The SKILL.md acknowledges that this is a prompt-level protection (not an API-level isolation) and warns of limitations.
Install Mechanism
No install spec; skill is instruction-first and ships helper scripts and tests that run under Node.js >=18. No downloads from external URLs or package-install steps. The codebase claims zero external dependencies and uses only Node stdlib. This is a low-risk install footprint.
Credentials
The skill declares no required environment variables or credentials. It does assume the platform's sessions_spawn mechanism will provide model access (so the platform will use whatever model/provider credentials it normally has). The absence of required secrets is appropriate; however, users must not include secrets/PII in plan or codebase_context because those values will be sent to external model APIs.
Persistence & Privilege
always:false and no special privileges. The skill writes run artifacts only to a workspace directory supplied at init (user-controlled path). It does not request system-wide changes or modify other skills' configurations.
Scan Findings in Context
[prompt_injection_ignore_previous_instructions] expected: A prompt-injection-related pattern was detected in SKILL.md. This is consistent with the skill including mitigations and warnings about 'ignore previous instructions' style attacks (templates and SECURITY.md explicitly discuss prompt injection). The presence of that pattern is expected given the threat-model content, but it also highlights that reviewers will receive untrusted plan content and model-level protections rely on the model respecting instructions.
Assessment
This skill appears to do what it says: it orchestrates an adversarial review loop between two different models and includes on-disk helpers and templates. Before installing or running it, consider the following: (1) Do NOT include secrets, credentials, or PII in plan content or codebase context — those are sent to third-party model APIs. (2) Prefer static/human‑mediated mode for sensitive plans (alternating mode is fully autonomous). (3) Ensure the platform's sessions_spawn uses trusted provider credentials and that you understand where reviewer responses are sent/stored. (4) Review the included scripts (scripts/review.js) and templates yourself — they are provided and straightforward, but you should confirm workspace paths and retention policies meet your security/compliance needs. (5) If you must review sensitive or regulated plans, run this in an isolated environment or redact sensitive fields before invoking the skill.
Like a lobster shell, security has layers — review code before you run it.
