Adversarial Code Review
Software development skill, available on Zeplik
Adversarial Code Review is a ready-to-run software development skill on Zeplik. Hunt for bugs in code the user shares by assuming defects exist and attacking the code through several distinct lenses, then report severity-ranked findings with evidence. Ask in plain language and Zeplik applies the skill's method for you inside the conversation, on whichever AI model you prefer.
The Adversarial Code Review skill loads automatically when your request matches it, or you can invoke it directly by typing /adversarial-review in any chat. It works with attachments, connectors, and any model that supports the task, so you get the same expert method every time without setting anything up.
What the Adversarial Code Review skill can do
- Hunt for bugs by assuming defects exist across four attack lenses
- Trace correctness, security, concurrency, and error-handling issues with evidence
- Rank findings by severity from critical data loss to low-risk edge cases
- Report concrete trigger scenarios and fixes without rewriting the code
Try these prompts on Zeplik
Pick a prompt to open it in the Zeplik app. If you are not signed in yet, your prompt is waiting for you the moment you do.
How the Adversarial Code Review skill works
Adversarial review
Your job is to break confidence in the code, not to validate it. Assume the change can fail in subtle, high-cost, or user-visible ways until the evidence says otherwise. Give no credit for good intent, partial fixes, or likely follow-up work. If something only works on the happy path, that is a finding.
This review is read-only. Report problems; do not rewrite the code unless the user asks for fixes afterward.
Scope
Review the code the user provided: pasted snippets, attached files, or a diff. If a diff is given, read it in context of the surrounding code you can see; a change that is locally correct can still break its callers. If you cannot see a caller or dependency you need, say so and mark related findings as lower confidence rather than guessing.
Skip the review and say why if the input is trivial (a one-line change with no control flow) or is not code.
Lenses
Attack the code through these lenses — they're where real bugs hide, not a checklist to recite. Scale the pass to the input: a small snippet needs a quick sweep of the ones that apply, a large diff earns a thorough one. Don't enumerate lenses you found nothing in.
- Correctness and logic. Trace the reachable branches and boundaries: missing else/default cases, off-by-one, null, undefined, empty string/collection, zero, NaN, min/max thresholds, implicit coercion, loose equality, state transitions (loading→error, active→expired, first vs repeat use), and return values that are placeholders masking a failure.
- Security and input handling. Follow untrusted input to every sink: injection (SQL, command, path traversal), missing auth/permission checks on new surfaces, privilege escalation, secrets in code, internal detail leakage (stack traces, queries, paths) in error responses.
- Concurrency and state. Shared mutable state across async boundaries, non-atomic read-modify-write, check-then-act races, unawaited promises, partial success when one of several operations fails, ordering assumptions that only hold under light load.
- Error paths and resource leaks. Swallowed errors (empty catch, ignored error returns), missing cleanup on early return or exception, unclosed handles/connections, listeners and timers never removed, missing retries or timeouts where a call can hang, cascading failure when a dependency is down.
Findings
For each real finding, make it actionable: the concrete trigger scenario (not a hypothetical vibe), where it is (file/line or snippet location), the impact (data loss outranks outage outranks degraded UX), and a specific fix to apply later. Tag severity so the reader knows what to fix first:
- CRITICAL: data loss, auth bypass, exploitable vulnerability, unrecoverable state corruption.
- HIGH: production outage risk, silent failure, race with user-visible impact.
- MEDIUM: edge case with degraded UX, missing error handling off the critical path.
- LOW: unlikely edge case, missing guard on already-validated input.
Lead with the most important finding, order by severity, and end with the bottom line — what must be fixed before this ships. Keep it proportional: a couple of real bugs in a short snippet don't need summary headers and a verdict section.
Rules
- Do not fabricate findings. Zero findings is a valid result; say plainly that the code held up and note the weakest point you probed anyway.
- Prefer one strong finding over several weak ones. False positives erode trust faster than missed bugs.
- Do not comment on style, naming, formatting, or micro-optimizations; those are out of scope for this review.
- Every claim needs a concrete trigger scenario. "This might be a problem" is not a finding.
- Do not modify the code. If the user wants fixes applied, do that as a separate step after they have seen the report.
How to use the Adversarial Code Review skill
Sign in to Zeplik
Create a free Zeplik account or sign in. New accounts start with free credits, so you can try the Adversarial Code Review skill right away.
Describe your software development task
Ask in plain language, or type /adversarial-review to invoke the skill directly. Zeplik recognizes the Adversarial Code Review skill and applies its method.
Review and refine the result
Zeplik returns a clear, structured answer. Ask follow-ups in the same chat to refine it or take the next step.
Source and credit
- Author
- Sahil-SS9
- License
- MIT
Adapted from the open-source Sahil-SS9/hermaguard project and tuned to run natively on Zeplik. View source on GitHub.
Frequently asked questions
- What is the Adversarial Code Review skill?
- Adversarial Code Review is a ready-to-run software development skill on Zeplik. Hunt for bugs in code the user shares by assuming defects exist and attacking the code through several distinct lenses, then report severity-ranked findings with evidence. Ask in plain language and Zeplik applies the skill's method for you inside the conversation, on whichever AI model you prefer.
- How do I use Adversarial Code Review on Zeplik?
- Sign in to Zeplik and ask in plain language, or type /adversarial-review in any chat to invoke it directly. The skill applies its method and returns a result you can refine in the same conversation.
- Which AI model does the Adversarial Code Review skill use?
- Any model you choose. Zeplik works across every model in one chat, so the Adversarial Code Review skill runs on your preferred model for the task.
- Where does the Adversarial Code Review skill come from?
- The Adversarial Code Review skill is adapted from the open-source Sahil-SS9/hermaguard project (MIT) and tuned to run natively on Zeplik. The original source is linked on this page.
- How much does the Adversarial Code Review skill cost?
- Using the skill is free to start. You only spend Zeplik credits when the assistant runs, and new accounts begin with free credits.
Related software development skills
- .NET BackendBuild ASP.NET Core 8+ backends with EF Core: auth, background jobs, production API patterns
- Advanced Git WorkflowsUse for advanced Git surgery: interactive rebase, cherry-pick, bisect, reflog recovery, and history cleanup before merging. Not for parallel worktree workflows (use using-git-worktrees).
- AI Agent FrameworksUse when building multi-agent systems or agent orchestration -- LangChain/LangGraph, agent team design, task coordination, pipelines. Not for authoring a Zeplik skill (use skill-creator).
- Algolia SearchAdd Algolia search: indexing strategies, React InstantSearch, relevance tuning, search-as-you-type
- Android CI/CDAutomate Android CI/CD to Google Play: keystore, GitHub Secrets, multi-stage release workflow for RN, Flutter, native
- Angular (v20+)Modern Angular v20+: Signals, standalone components, zoneless apps, SSR/hydration, reactive patterns
More on Zeplik
Try Adversarial Code Review on Zeplik
Every model, one chat. Bring the Adversarial Code Review skill into your next conversation and let the assistant do the work.