{"id":"f7538cc0-59e7-4172-8d57-664f27e00c90","shortId":"cxvQKA","kind":"skill","title":"devils-advocate","tagline":"Auto-activate when reviewing PRs, evaluating design proposals, assessing technical plans, or when a decision is being made without visible pushback. Produces a prioritized list of risks, unverified assumptions, and overlooked failure modes — each with severity, explanation, and r","description":"# Devil's Advocate\n\nA reviewer persona that applies the critic stance from `perspectives` to PRs, designs, and technical decisions. Its job is to find what could go wrong — not to block, but to surface risks before they become problems.\n\n## Dispatch\n\nCan be dispatched as a subagent by code-review or brainstorming workflows when an adversarial perspective is needed alongside other analysis.\n\n## Direct Invocation\n\n- \"Play devil's advocate on this PR\"\n- \"What could go wrong with this design?\"\n- \"Challenge the assumptions in this proposal\"\n- \"What are we not thinking about here?\"\n\n<workflow>\n\n## Workflow\n\n### Step 1: Apply Persona\n\nRole: rigorous technical reviewer finding weaknesses, not blocking progress. Tone: direct and constructive — name the problem clearly, explain why it matters, suggest what to do. Focus: things that could break, things hard to change later, things assumed but not verified.\n\n### Step 2: Review Checklist\n\nWork through each question for the code, design, or proposal under review:\n\n1. Does this change make assumptions that aren't verified? If the assumption is wrong, what breaks?\n2. What happens when this fails? Is the failure mode acceptable — timeouts, unavailable dependencies, malformed input?\n3. Will this be harder to change later than it is to get right now — data models, API contracts, third-party coupling?\n4. Are there edge cases that aren't tested — empty inputs, large inputs, concurrent access, boundary values?\n5. 
Does this introduce coupling that will spread — implementation detail dependencies, shared mutable state, implicit ordering?\n6. Is there a simpler approach that was not considered? Complexity should earn its keep.\n7. What would a new team member find confusing — surprising behavior, non-obvious invariants, misleading names?\n8. Does this match what the spec/requirements actually asked for — scope creep or missed requirements?\n\n### Step 3: Report Findings\n\nFor each finding: severity (will cause a bug / worth thinking about), what goes wrong, what to do about it. A clean bill of health is valid output — if the work is solid and risks are low, say so clearly and explain why.\n\n</workflow>\n\n<guardrails>\n\n## Guardrails\n\n- Must acknowledge genuine strengths — if something is well-designed, say so\n- Must not oppose clearly good ideas just to be contrarian — if the approach is right, focus concerns on implementation details\n- Severity matters — distinguish \"this will definitely cause a bug\" from \"this is worth thinking about\"\n\n</guardrails>\n\n<validation>\n\n### Validation Checkpoint\n\nBefore delivering findings, verify:\n\n- [ ] Each finding cites specific code/design, not generic concerns\n- [ ] At least one finding challenges a core assumption (not just nitpicks)\n- [ ] Severity is calibrated — \"will cause a bug\" vs \"worth thinking about\"\n- [ ] If zero findings, explicitly confirm the design was stress-tested\n\n</validation>\n\n<example>\n\n## Example\n\n**Context:** PR review of a payment processing endpoint.\n\n**Finding 1 — Severity: High (will cause a bug)**\nAssumes upstream payment provider always returns within 5s — no timeout configured. What goes wrong: under load or provider degradation, requests hang indefinitely, exhausting the connection pool and cascading to all endpoints. 
Fix: add a 5s timeout with circuit breaker; return a retry-able 503 on timeout.\n\n**Finding 2 — Severity: Medium (worth thinking about)**\nError response leaks internal stack trace to the client. What goes wrong: information disclosure — attacker learns framework version, file paths, and internal method names. Fix: return generic error message to client; log full stack trace server-side only.\n\n**Strengths noted:** Input validation on payment amounts is thorough — rejects negative values, enforces decimal precision, and validates currency codes against an allowlist.\n\n</example>\n\n## References Index\n\n- **[Persona](references/persona.md)** — Role, stance, tone, focus, and guardrails\n- **[Review Checklist](references/checklist.md)** — Eight questions for adversarial review\n- **[Critic Stance](../perspectives/references/stances.md)** — Underlying stance prompt with ethical guardrails (from perspectives skill)","tags":["devils","advocate","flow","cofin","agent-skills","ai-agents","beads","claude-code","codex","cursor","developer-tools","gemini-cli"],"capabilities":["skill","source-cofin","skill-devils-advocate","topic-agent-skills","topic-ai-agents","topic-beads","topic-claude-code","topic-codex","topic-cursor","topic-developer-tools","topic-gemini-cli","topic-opencode","topic-plugin","topic-slash-commands","topic-spec-driven-development"],"categories":["flow"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/cofin/flow/devils-advocate","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add cofin/flow","source_repo":"https://github.com/cofin/flow","install_from":"skills.sh"}},"qualityScore":"0.455","qualityRationale":"deterministic score 0.46 from registry signals: · indexed on github topic:agent-skills · 11 github stars · SKILL.md body (4,174 
chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-24T01:03:26.010Z","embedding":null,"createdAt":"2026-04-23T13:03:58.743Z","updatedAt":"2026-04-24T01:03:26.010Z","lastSeenAt":"2026-04-24T01:03:26.010Z","prices":[{"id":"b504206b-cfaf-4d14-b74c-fe9d47aacd4d","listingId":"f7538cc0-59e7-4172-8d57-664f27e00c90","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"cofin","category":"flow","install_from":"skills.sh"},"createdAt":"2026-04-23T13:03:58.743Z"}],"sources":[{"listingId":"f7538cc0-59e7-4172-8d57-664f27e00c90","source":"github","sourceId":"cofin/flow/devils-advocate","sourceUrl":"https://github.com/cofin/flow/tree/main/skills/devils-advocate","isPrimary":false,"firstSeenAt":"2026-04-23T13:03:58.743Z","lastSeenAt":"2026-04-24T01:03:26.010Z"}],"details":{"listingId":"f7538cc0-59e7-4172-8d57-664f27e00c90","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"cofin","slug":"devils-advocate","github":{"repo":"cofin/flow","stars":11,"topics":["agent-skills","ai-agents","beads","claude-code","codex","context-driven-development","cursor","developer-tools","gemini-cli","opencode","p
lugin","slash-commands","spec-driven-development","subagents","tdd","workflow"],"license":"apache-2.0","html_url":"https://github.com/cofin/flow","pushed_at":"2026-04-19T23:22:27Z","description":"Context-Driven Development toolkit for AI agents — spec-first planning, TDD workflow, and Beads integration.","skill_md_sha":"483395a7770cfba4c3f7df049aeaf6b09a79d99b","skill_md_path":"skills/devils-advocate/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/cofin/flow/tree/main/skills/devils-advocate"},"layout":"multi","source":"github","category":"flow","frontmatter":{"name":"devils-advocate","description":"Auto-activate when reviewing PRs, evaluating design proposals, assessing technical plans, or when a decision is being made without visible pushback. Produces a prioritized list of risks, unverified assumptions, and overlooked failure modes — each with severity, explanation, and recommended action. Use when: code review needs adversarial perspective, a design feels too consensus-driven, assumptions need stress-testing, or when everyone agrees too quickly on an approach. Not for rubber-stamping, routine style review, or agreeing with the user's direction."},"skills_sh_url":"https://skills.sh/cofin/flow/devils-advocate"},"updatedAt":"2026-04-24T01:03:26.010Z"}}