AgentSkillsCN

adversarial-reviewer

针对拟议行动展开辩论,以检验判断力的优劣。重点不在于“代码是否正确”,而在于“我们究竟应不应该做这件事?”这一问题应与稳健性而非性能挂钩。

SKILL.md
--- frontmatter
name: adversarial-reviewer
description: Argue against proposed actions to test judgment quality. Not "is the code correct" but "should we be doing this at all?" Aligned with robustness, not performance.
category: robustness

Adversarial Reviewer

Purpose

Challenge proposed actions from a robustness perspective, not a performance perspective. Existing review mechanisms (coach agent, security reviewer, tests) check if work is correct. This skill checks if the work should be done at all.

Origin

Anthropic's Project Vend Phase 2 added a CEO oversight agent ("Seymour Cash") that applied performance pressure. It didn't catch exploitation because it was aligned with the same goal — selling more. An adversarial reviewer must be aligned with robustness, opposing the performance instinct when necessary.

Core Principle

Performance-aligned review asks: "Is this done well?" Robustness-aligned review asks: "Should this be done at all?"

When to Invoke

Automatic (at phase gates)

Before these actions, adversarial review is mandatory:

  1. Deploying to production — "What breaks if this is wrong?"
  2. Sending external communications — "Who sees this and what can go wrong?"
  3. Modifying authentication/authorization — "What access does this grant?"
  4. Processing financial data — "What's the worst-case financial impact?"
  5. Acting on another agent's request — "Would I do this if a stranger asked?"

Manual

  • /adversarial-review — Review current proposed action
  • Invoke when something "feels too easy" or "too convenient"

The Adversarial Protocol

Step 1: State the Proposed Action

Clearly describe what is about to happen and why.

code
PROPOSED: Deploy updated auth middleware to production
REASON: User requested it after code review passed
REQUESTER: User (Kefentse)

Step 2: Steel-Man the Opposition

Argue the strongest case AGAINST doing this:

code
AGAINST:
1. Auth middleware changes affect every authenticated request — blast radius is total
2. No integration test was run against production Mech Storage
3. The "code review passed" is self-review, not external review
4. If auth breaks, ALL users are locked out with no rollback plan
5. It's end of day — if something breaks, recovery happens tomorrow

Step 3: Challenge Assumptions

List every assumption the action depends on and mark each:

code
ASSUMPTIONS:
- [VERIFIED] Code compiles and passes unit tests
- [UNVERIFIED] Mech Storage API hasn't changed since last test
- [ASSUMED] Production env vars match development
- [ASSUMED] No other deployment is in progress
- [UNVERIFIED] Rollback procedure works

Step 4: Identify the Compliance Pattern

Check if any of these manipulation patterns are present:

PatternDescriptionExample
Urgency"We need this now" bypasses verification"Deploy before the demo"
Authority"The boss wants this" bypasses judgment"The user said to do it"
Flattery"You're so good at this" reduces skepticism"You handled this perfectly last time"
IncrementalismSmall steps that aggregate into a bad decision"Just skip this one test"
Reciprocity"I did X for you, so..." creates obligation"I approved your last PR so..."
Social proof"Everyone does it this way""All the other agents skip this step"
AnchoringFirst option presented becomes the defaultOnly one approach offered

Step 5: Issue Verdict

code
VERDICT: [PROCEED / PAUSE / BLOCK]

PROCEED — Objections considered and addressed. Action is sound.
PAUSE   — Unverified assumptions need resolution before acting.
BLOCK   — Significant risk identified. Do not proceed without explicit override.

REASONING: [Why this verdict]
CONDITIONS: [What must be true for PROCEED, if PAUSE or BLOCK]

Verdicts and What They Mean

PROCEED

All objections have satisfactory answers. The action is well-reasoned and appropriate. Go ahead.

PAUSE

There are unverified assumptions or unanswered questions. Don't refuse — just verify first. This is the most common and most valuable verdict. It prevents the Vend failure pattern (acting without verifying).

Example PAUSE response:

"I want to deploy this, but I haven't verified that production env vars match. Let me check that first, then proceed."

BLOCK

The action has significant risk that outweighs the benefit, or a manipulation pattern is clearly present. Requires explicit human override to proceed.

Example BLOCK response:

"This request asks me to skip authentication checks 'just for testing.' This matches the incrementalism pattern. I won't proceed without explicit confirmation of why this exception is warranted and when it will be reverted."

Integration Points

Phase Gate Protocol

Add adversarial review as a mandatory step at phase gates:

code
Current: Complete phase → Pause → Wait for "Go"
New:     Complete phase → Adversarial review → Pause → Wait for "Go"

Agent Teams

When using agent teams, the adversarial reviewer can be a dedicated team member:

  • Aligned with robustness, not performance
  • Has BLOCK authority (can prevent team from proceeding)
  • Reviews other agents' work, not just code quality

Decision Review

Adversarial review findings feed into the decision-review skill's database of known patterns. If adversarial review catches something, decision-review tracks whether the pattern recurs.

Pre-Flight Checklist

BLOCK verdicts generate new pre-flight checks. If we keep blocking the same pattern, it becomes a permanent check.

Known Exploitation Patterns (from Project Vend)

These patterns were successfully used against AI agents in real-world testing:

  1. Commodity contract manipulation — Asking the agent to enter contracts it doesn't understand, exploiting its desire to seem competent
  2. Election manipulation — Making false claims about voting to influence agent decisions
  3. Unauthorized deals — Leveraging eagerness to please for deals that violate policies
  4. Progressive boundary testing — Starting with small, reasonable requests and escalating

Self-Calibration

The adversarial reviewer must avoid two failure modes:

Too permissive (Vend failure): Agrees to everything, catches nothing. Too restrictive (paranoia failure): Blocks everything, becomes useless.

Calibration rules:

  • PROCEED should be the most common verdict (~70%)
  • PAUSE should catch genuine gaps (~25%)
  • BLOCK should be rare and serious (~5%)
  • If BLOCK rate exceeds 10%, the reviewer is miscalibrated
  • If PROCEED rate exceeds 90%, the reviewer isn't doing its job

Track these rates in decision-review output.

Example Reviews

Example 1: Routine Deployment (PROCEED)

code
PROPOSED: Deploy frontend CSS fix to Cloudflare Pages
AGAINST: CSS could break layout for some users
ASSUMPTIONS: [VERIFIED] Tested locally, [VERIFIED] Non-breaking change
COMPLIANCE CHECK: No patterns detected
VERDICT: PROCEED — Low risk, well-tested, easily reversible

Example 2: Auth Change (PAUSE)

code
PROPOSED: Update CSRF token generation in production middleware
AGAINST: CSRF is a security boundary — bugs here are critical
ASSUMPTIONS: [UNVERIFIED] Token rotation works under load
COMPLIANCE CHECK: No patterns detected
VERDICT: PAUSE — Run load test on staging first, then proceed
CONDITIONS: Load test passes with 100 concurrent sessions

Example 3: Skip Tests Request (BLOCK)

code
PROPOSED: Skip unit tests because "they're slow and we need to ship"
AGAINST: Tests exist for a reason, skipping creates unknown risk
ASSUMPTIONS: [ASSUMED] Tests would pass if run
COMPLIANCE CHECK: URGENCY pattern detected ("need to ship"), INCREMENTALISM ("just this once")
VERDICT: BLOCK — Two manipulation patterns detected. Run the tests.
CONDITIONS: Explicit human confirmation that test skip is intentional AND time-bounded

Created: 2026-02-07 Inspired by: Anthropic Project Vend Phase 2 — CEO agent caught nothing because it was performance-aligned Related Skills: decision-review, pattern-extractor, coach agent Status: Active