api-reviewer
Pass
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [SAFE]: The skill is designed to perform technical auditing of API specifications. It establishes a rigorous evaluation framework with defined severity levels (P0, P1, P2) and clear exit criteria for project 'readiness'. The instructions emphasize evidence-based findings and strictly forbid the modification of contract files.
- [COMMAND_EXECUTION]: The skill references well-known industry standard tools in
references/automated-checks.mdfor automated validation, such as Spectral, Redocly, and Buf. These commands are gated by explicit instructions to only execute if the tools are already installed locally and with the user's informed consent via theAskUserQuestiontool. - [PROMPT_INJECTION]: The skill has an indirect prompt injection surface as it ingests untrusted external data from PRD and API contract files. However, the risk is mitigated by the following factors: 1) Ingestion points: PRD and specification files accessed via glob scanning; 2) Boundary markers: Not explicitly defined in the provided templates; 3) Capability inventory: Subprocess calls for linting and file read operations; 4) Sanitization: None explicitly described. The skill's strict reliance on evidence-based reporting and structured templates reduces the likelihood of successful indirect manipulation.
Audit Metadata