OSOP Workflow Reviewer

Review a workflow or execution log for risks and issues.

Target file

$ARGUMENTS

What to do

1. 1. Read the file specified in the argument (.osop or .osoplog.yaml)

1. 2. Analyze for risks — check each node for:

- security.risk_level: high|critical without preceding approval_gate - security.permissions containing broad patterns (write:*, admin:*, delete:*) - cli nodes with destructive commands (rm -rf, kubectl delete, terraform destroy, DROP TABLE) - Hardcoded secrets (strings starting with sk-, ghp_, xoxb-, API keys) - Agent nodes without cost.estimated (unbounded cost exposure) - Missing timeout_sec on external call nodes (api, cli, agent, infra, mcp) - Missing error handling (no fallback/error edge) on medium+ risk nodes

1. 3. Compute risk score (0-100):

- Each node: type_weight * risk_multiplier * mitigation_factor - Type weights: cli=2, infra=2, db=1.5, agent=1.5, docker=1.5, cicd=1.5, api=1, others=0.5-1 - Risk multiplier: low=1, medium=2, high=4, critical=8 - Mitigations: approvalgate=-50%, retrypolicy=-10%, fallback_edge=-20% - Finding penalty: low=+2, medium=+5, high=+10, critical=+20

1. 4. Present findings in a clear table:

CODEBLOCK0

1. 5. Summarize:

- Total permissions required - Secrets referenced - Estimated cost (if any) - Whether approval gates exist - Final verdict: is this safe to run?

For .osoplog files

If reviewing an execution log, also check:

• - Which tools were actually used and how many calls
• Whether any nodes failed and why
• AI reasoning decisions — were they sound?
• Sub-agent hierarchy — was the spawning appropriate?
• Total execution time and cost