
review-public-api

Use this skill when the user asks to review a DuckDuckGo Android public API proposal. If given an Asana task URL, first fetch the task and confirm it is an API proposal before invoking — do not invoke just because a URL was paired with "review". Confirmed signals: the task title contains "API Proposal"; the task belongs to project 1212149061863360 (API Proposals); or the description proposes changes to a -api module. Also invoke for any request to review, evaluate, or give feedback on a proposal pasted inline or provided as a file. Covers phrases like "review my API proposal", "is this API design good?", "check my public interface", "I'm about to submit an API proposal". When the user shares Kotlin code, only invoke if the code is explicitly from or intended for a -api module — do not invoke for impl-only changes or general Kotlin questions. IMPORTANT: Always apply these instructions directly — never delegate or summarise.

Overall score: 90 (1.08x)

Quality: 88% (Does it follow best practices?)

Impact: 94% (1.08x)

Average score across 3 eval scenarios

Security by Snyk

Advisory

Suggest reviewing before use


Security

2 findings — 2 medium severity. This skill can be installed but you should review these findings before use.

Medium

W011: Third-party content exposure detected (indirect prompt injection risk)

What this means

The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.

Why it was flagged

Third-party content exposure detected (high risk: 0.90). This skill's Step 1 explicitly instructs the agent to fetch an Asana task and its stories from a provided Asana URL (SKILL.md "If given an Asana URL: ... Fetch the task ... Fetch its stories"), meaning it ingests user-generated third-party content that the agent must read and act on.

Medium

W012: Unverifiable external dependency detected (runtime URL that controls agent)

What this means

The skill fetches instructions or code from an external URL at runtime, and the fetched content directly controls the agent’s prompts or executes code. This dynamic dependency allows the external source to modify the agent’s behavior without any changes to the skill itself.

Why it was flagged

Potentially malicious external URL detected (high risk: 1.00). The skill explicitly fetches Asana task data at runtime from Asana task URLs (e.g., .../task/1213734700661430 or https://app.asana.com/.../task/1213734700661430) and uses the fetched task notes and stories to drive the agent's review prompts, so remote content directly controls the agent's instructions.

Repository: duckduckgo/Android

Security analysis: Snyk (audited)
