Skill Being Reviewed
Skill name: agentic-top-10
Skill path: skills/ai-security/agentic-top-10/SKILL.md
False Positive Analysis
Benign code/configuration that can be over-flagged:
worker_agent can summarize docs; orchestrator validates signed tool result envelope before taking action
Why this is a false positive:
worker_agent can summarize docs; orchestrator validates signed tool result envelope before taking action can be safe when the missing compensating evidence is present, but the current skill does not ask reviewers to distinguish that evidence from the risky pattern. The review should require proof of the guardrail before escalating severity.
Coverage Gaps
Missed variant 1:
tool_result = web_fetch(url)
agent_context.append(tool_result)
# tool output can instruct the agent to call deploy_production
Why it should be caught:
This variant leaves a realistic attack path open while still satisfying the current high-level checklist language.
Missed variant 2:
research_agent asks executor_agent to run shell command
# executor does not verify requester capability or original user approval
Why it should be caught:
This is a common production edge case where policy exists on paper but does not bind the runtime behavior or evidence trail.
Edge Cases
The skill covers excessive agency and trust boundaries, but tool outputs and delegated agent messages need a taint model so untrusted content cannot become instructions or inherited authority.
Remediation Quality
Comparison to Other Tools
| Tool |
Catches this? |
Notes |
| Prompt-injection scanners |
Partial |
Can test direct injections, less reliable for multi-hop delegation. |
| Agent framework logs |
Partial |
Useful only if identity and capability context are recorded. |
| Traditional SAST |
No |
Does not model agent/tool semantic authority. |
Overall Assessment
Strengths:
The skill has strong coverage of agent permissions, memory, and trust boundaries.
Needs improvement:
It should make taint propagation through tool outputs and delegated agent requests explicit.
Priority recommendations:
- Add a tool-output taint model with instruction/data separation checks.
- Require delegated capability verification for every agent-to-agent request.
- Require audit evidence that records requester agent, user approval scope, and resulting tool call.
Bounty Info
Skill Being Reviewed
Skill name: agentic-top-10
Skill path:
skills/ai-security/agentic-top-10/SKILL.mdFalse Positive Analysis
Benign code/configuration that can be over-flagged:
Why this is a false positive:
worker_agent can summarize docs; orchestrator validates signed tool result envelope before taking action can be safe when the missing compensating evidence is present, but the current skill does not ask reviewers to distinguish that evidence from the risky pattern. The review should require proof of the guardrail before escalating severity.
Coverage Gaps
Missed variant 1:
Why it should be caught:
This variant leaves a realistic attack path open while still satisfying the current high-level checklist language.
Missed variant 2:
Why it should be caught:
This is a common production edge case where policy exists on paper but does not bind the runtime behavior or evidence trail.
Edge Cases
The skill covers excessive agency and trust boundaries, but tool outputs and delegated agent messages need a taint model so untrusted content cannot become instructions or inherited authority.
Remediation Quality
Comparison to Other Tools
Overall Assessment
Strengths:
The skill has strong coverage of agent permissions, memory, and trust boundaries.
Needs improvement:
It should make taint propagation through tool outputs and delegated agent requests explicit.
Priority recommendations:
Bounty Info