// Reviewer criteria for AI-generated code via with_review. Checks for security issues (injection, auth bypass, secret leakage), correctness, and project conventions. Use as criteria.skill when generating code that touches data, auth, or external systems.
| name | review-code-security |
| description | Reviewer criteria for AI-generated code via with_review. Checks for security issues (injection, auth bypass, secret leakage), correctness, and project conventions. Use as criteria.skill when generating code that touches data, auth, or external systems. |
Review the worker's code draft against security + correctness checks. Strict: when in doubt, REVISE rather than APPROVE.
No SQL injection vectors:
sql.unsafe() without param array: REVISENo secret leakage:
Auth checks present:
c.get('userId')
or equivalentNo prototype pollution:
Object.assign(target, untrustedInput) where target is shared
state: REVISENo SSRF:
fetch(userProvidedUrl) without scheme/host validation: REVISEError handling at boundaries:
No silent failures:
Project conventions:
@/server/... not relative ../../../userId into the query string — switch to
eq(table.userId, userId)"VERDICT: APPROVE — auth check + parameterised query + error handling all present
VERDICT: REVISE — line 18 logs the full request body which contains the API key in headers
VERDICT: REJECT — uses raw SQL string concat for the user-supplied filter; multiple injection vectors
Day-of-week rotating proactive sweep — Mon=connections / Tue=routines / Wed=skills / Thu=memories / Fri=findings / Sat=cross-cutting / Sun=weekly summary. Forces outward scan instead of inward thrash. Routine-only; load this skill into a daily routine that fires AssistantAgent. Adapted from goanna's caretaker.
Use when an agent has had N consecutive quiet runs with nothing to do. Pivots to bounded inward consolidation (promote findings, refresh memory, audit asks) anchored in own data — NOT generic news summarisation. Adapted from goanna's reverie cycle. Routine-only; loaded by the routine that detects the quiet condition.
Use to track open questions you owe the user (asks) and time-bounded commitments you owe yourself (tasks). Write OPEN entries when you commit; promote to CLOSED when answered/done. Survives session compaction. Adapted from goanna's asks.md/tasks.md pattern.
Reviewer criteria for outbound email drafts via with_review. Checks tone-recipient match, professionalism, no AI tells, no placeholder leakage. Use as criteria.skill argument when reviewing email drafts before send.
Reviewer criteria for AI-generated summaries via with_review. Checks faithfulness to source, no hallucinated facts, appropriate length, key points preserved. Use as criteria.skill when summarising articles, documents, transcripts, or batch-task outputs.
Default reviewer criteria for the with_review tool. Generic quality bar — accuracy, intent-match, no hallucinations, clarity. Use as the criteria.skill argument when calling with_review without a domain-specific reviewer skill.