Stats
Actions
Tags
From arboretum
Analyze AI-facing surfaces (skills, hooks, scripts, agent instruction files) for prompt-injection, instruction-hijacking, and untrusted-data-flow risk. Runs as a fresh-context driver. The AI-surface lane of the B4 review stage.
How this skill is triggered — by the user, by Claude, or both
Slash command
/arboretum:ai-surface-reviewThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Analyze AI-facing code for prompt injection, instruction hijacking, and permission escalation risks.
Analyze AI-facing code for prompt injection, instruction hijacking, and permission escalation risks.
This skill focuses on risks that require reasoning about intent and context — not mechanical pattern matching (secrets are handled by the pre-commit hook).
This is the ai-surface lane of the B4 review stage (docs/specs/review-stage.spec.md). Mirroring the /cleanup driver pattern, the read-heavy full-file analysis runs in a fresh subagent; the main thread receives only the returned coverage manifest, never the driver's transcript. This is what keeps the stage's context cost bounded. The brief carries diff_scope, lane, the matched surface, the invariants_to_preserve (the CLAUDE.md scrub rule), and the risk categories — consume them; do not re-derive the diff.
This skill is invoked inside a generic general-purpose subagent per the fresh-context-driver idiom (docs/specs/skill-and-agent-authoring.spec.md § "Fresh-context driver dispatch"); it is not itself a registered subagent type. The dispatcher must never pass ai-surface-review as subagent_type — it invokes the skill via the Skill tool (resolved as arboretum:ai-surface-review).
Files that influence agent behavior:
.claude/skills/**, skills/** — slash skills (project-local and plugin-provided).claude/hooks/** — Claude Code hooks.githooks/** — git hooksscripts/** — automation scriptsCLAUDE.md, AGENTS.md, GEMINI.md — agent instruction filesParse $ARGUMENTS for --full. If present, scan all AI-facing files in the project. Otherwise, scan only files changed on this branch.
Detect the base branch:
source "$(git rev-parse --show-toplevel)/scripts/workspace-context.sh"
BASE="$(workspace_base_ref)" # high-frequency consumer -> no --fetch
Default mode: Get changed files and filter to AI-facing paths:
git diff "$BASE"...HEAD --name-only
Filter to files matching the scope paths above. If no AI-facing files were changed, report "No AI-facing files in diff" and exit.
Full mode (--full): Use Glob to find all files matching the scope paths, regardless of diff.
Read each in-scope file completely — not just the diff. Prompt injection often depends on surrounding context (e.g., a template that becomes dangerous when variable-substituted).
For each file, check for these risk categories:
Instruction override:
<system>, <instructions>, or similar XML-like tags that mimic system messagesHidden instructions:
<!-- -->) containing directivesRole manipulation:
Tool abuse vectors:
$USER_INPUT in a bash -c)../, ~/.claude/)Permission escalation:
settings.json or hook configuration--no-verify, --force, or similar flags in automated scriptsUntrusted-data → output sinks:
Resource exhaustion:
Sanitization-invariant preservation (refactors):
For each changed AI-facing file that introduces an external-content sink, grep for the canonical scrub regex from CLAUDE.md § "Defense in depth" (\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f). Flag any new sink missing the source-side or consumer-side scrub layer. The invariant is supplied in the brief — do not re-derive it.
Format findings as:
## Security Review: [branch-name or "Full Scan"]
**Files reviewed:** N
**Findings:** N (critical: N, warning: N, info: N)
---
### [severity] [file:line] — [concern type]
**Snippet:**
> [relevant code with 2-3 lines of surrounding context]
**Analysis:** [why this is a concern, what could go wrong]
**Recommendation:** [specific action to take]
---
[repeat for each finding]
Always emit a structured manifest (validated by scripts/validate-review-manifest.sh):
{
"lane": "ai-surface",
"files_reviewed": ["<path>", "..."],
"surface_identified": "<the injection/data-flow surface found>",
"coverage": [ {"category": "<risk category>", "status": "evaluated|cleared", "why": "<one line>"} ],
"findings": [ {"severity": "critical|warning|info", "location": "<file:line>", "recommendation": "<action>"} ]
}
A clean result is findings: [] with a full coverage[] — every risk category evaluated or cleared, each with a one-line reason. Never report a bare "no findings": that makes "checked the scrub invariant + ReDoS, both safe" indistinguishable from "didn't look."
--force flags with clear justification$ARGUMENTS
npx claudepluginhub stephen-van-gaal/arboretum --plugin arboretumGuides creation, editing, and verification of skills for AI coding agents using test-driven development with subagent scenarios. Use when authoring or debugging skills.