agent-safety-review
Use when a design or implementation involves autonomous agents, unattended/background operation, private-data access combined with external/untrusted input, or outbound actions (sending data, posting, pushing, API calls) — the lethal-trifecta risk
Best use case
agent-safety-review is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use when a design or implementation involves autonomous agents, unattended/background operation, private-data access combined with external/untrusted input, or outbound actions (sending data, posting, pushing, API calls) — the lethal-trifecta risk
Teams using agent-safety-review should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/agent-safety-review/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How agent-safety-review Compares
| Feature / Agent | agent-safety-review | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when a design or implementation involves autonomous agents, unattended/background operation, private-data access combined with external/untrusted input, or outbound actions (sending data, posting, pushing, API calls) — the lethal-trifecta risk
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
SKILL.md Source
# Agent Safety Review Architectural risk assessment for designs and implementations that involve autonomous agent behavior. Separate from security-scanner (which runs deterministic static analysis). ## When to Use During DESIGN phase when the prompt involves autonomous agents, unattended operation, private data processing with external input, or outbound actions. Also co-selects during REVIEW phase when autonomy-related triggers match alongside requesting-code-review. ## Step 1: Assess the Three Fields For the proposed design or implementation, evaluate each field: | Field | Question | Examples | |-------|----------|----------| | `private_data` | Does the agent access information that should not be shared with all parties? | User email, credentials, internal logs, PII, private repos, API keys, session tokens | | `untrusted_input` | Can an external party inject instructions the agent will process? | Email content, web pages, user-uploaded files, API responses from third parties, webhook payloads | | `outbound_action` | Can the agent send data or take actions visible outside its sandbox? | Sending emails, posting to Slack, pushing to git, making API calls, writing to shared filesystems, creating PRs | For each field, state: - **Present** — with specific evidence from the design - **Absent** — with explanation of why - **Unknown** — flag for further investigation ## Step 2: Classify Risk | Fields present | Classification | Action | |---------------|----------------|--------| | All 3 | **Lethal trifecta** — High risk | Require mitigation before proceeding | | 2 of 3 | **Elevated risk** | Note which leg is missing. Recommend not adding the third without mitigation. | | 0-1 | **Standard risk** | No special action required | ## Step 3: Recommend Mitigation (if lethal trifecta) The primary mitigation is **blast-radius control** — cutting at least one leg of the trifecta. Improved detection scores are NOT proof of safety. **Cut private_data:** - Isolate the agent to a sandbox with no access to sensitive data - Use synthetic/test data instead of production data - Limit access to only the specific data needed, not broad access **Cut untrusted_input:** - Pre-filter or sanitize external input before the agent processes it - Use a quarantine boundary: a read-only agent processes untrusted content, extracts structured data, passes only the structured output to the privileged agent - Restrict input sources to trusted parties only **Cut outbound_action:** - Make the agent read-only — it can analyze but not act - Require human-in-the-loop approval for all outbound actions - Use a narrowly scoped HITL: auto-approve low-risk actions, require approval for high-risk ones (sending data externally, deleting resources, creating public artifacts) ## Step 4: Produce Risk Assessment Output a structured assessment: ``` ## Agent Safety Assessment **Design:** <what is being evaluated> **Date:** YYYY-MM-DD ### Risk Fields | Field | Status | Evidence | |-------|--------|----------| | private_data | Present/Absent/Unknown | <specific evidence> | | untrusted_input | Present/Absent/Unknown | <specific evidence> | | outbound_action | Present/Absent/Unknown | <specific evidence> | ### Classification **Risk level:** Lethal trifecta / Elevated / Standard ### Mitigation (if required) **Recommended approach:** <which leg to cut and how> **Trade-off:** <what capability is reduced by the mitigation> **Residual risk:** <what remains after mitigation> ``` ## Constraints - This is an architectural review, not a pass/fail gate. The user decides whether to accept the risk. - Do NOT claim that improved prompt-injection detection scores solve the problem. 97% detection is a failing grade when the 3% leaks private data. - Do NOT merge this analysis into security-scanner output. Keep architectural risk separate from deterministic code scanning. - The skill produces an assessment, not a veto. The goal is informed decision-making. - When the design is an AI/LLM or agent feature, the safety eval cases (injection, escalation, refusal, safety-routing-suppression) MUST be authored and failing (red) **before the behavior is implemented** — compose with `test-driven-development`. Detection added after the behavior exists is not a substitute: a feature that has never failed its safety cases has never been shown to pass them.
Related Skills
outcome-review
Use when reviewing a shipped feature's real-world outcome in the LEARN phase — checking adoption, error, or experiment metrics after release, validating ship-time hypotheses, or deciding follow-up work — querying PostHog and creating gated follow-up Jira work
agent-team-review
Use when a code change touches 5+ files or modifies auth/secrets/permissions/hooks/CI paths and needs multi-lens parallel review (security, quality, spec, governance) before merge.
unified-context-stack
Tiered context retrieval across External Truth (docs), Internal Truth (dependencies), Historical Truth (memory), and Intent Truth (feature specs) with graceful degradation based on installed tools.
supply-chain-investigation
Use when investigating a published supply-chain attack on a registry package (npm, Maven, PyPI, Go, Gradle) — advisory-driven org-wide audit. Triggers on attack-language ("compromised", "malicious", "hijacked", "backdoored", "typosquatted"). NOT for routine CVE scanning — that routes to security-scanner.
skill-scaffold
Emit repo-native seed files (SKILL.md skeleton, routing entry, test snippets) when creating new skills, commands, or plugins
security-scanner
Use when reviewing code changes for security issues — during REVIEW phase or on explicit security, vulnerability, SAST, or secret-scan requests — running available Semgrep/Opengrep, Trivy, and Gitleaks scanners with a self-healing fix loop
runtime-validation
Use when you need to prove a change actually works through its real interfaces — during REVIEW or on requests like validate the feature, does it work, run e2e, or smoke test — covering browser E2E, API smoke, CLI checks, and a11y audits with graceful tool-degradation
prototype-lab
Produce 3 thin comparable variants of a proposed design with a comparison artifact and mandatory Human Validation Plan
project-verification
Use when you need to run the repo's own declared test/lint/type gate locally and emit pass/fail evidence — during REVIEW, before requesting code review, or on a request to run the tests or verify the build — discovering the gate from CLAUDE.md, Makefile, pyproject, or .verify.yml
product-discovery
Use when starting a new feature or initiative and you need problem context, prior art, and acceptance criteria before design — the DISCOVER phase entry point — pulling Jira/Confluence context and synthesizing a discovery brief to validate problem framing
openspec-ship
Use when shipping a completed feature and generating as-built OpenSpec docs before branch finalization
incident-trend-analyzer
On-demand postmortem trend analysis — recurrence grouping, trigger categorization, MTTR/MTTD from canonical docs/postmortems/ corpus