Structured PR code review with layered analysis and severity tiers. Two modes: (1) Giving reviews — walk through security, correctness, conventions, IaC, and...
Security Analysis
Confidence: medium

The skill's instructions, files, and requirements are coherent with a PR review / addressing workflow: it uses only the gh CLI to read and modify PRs, clone branches, commit fixes, reply to comments, and resolve threads.
The name/description (structured PR review, two modes) matches the instructions and reference files. All declared capabilities (fetch PR, walk review layers, reply/resolve, push fixes) are relevant to the stated purpose; there are no unrelated requirements (no unexpected cloud keys, weird binaries, or network endpoints).
The SKILL.md and references explicitly instruct the agent to clone repositories, checkout PR branches, modify files, commit, push, post replies, and resolve review threads via gh API/GraphQL. That is within the 'addressing reviews' mode, but it grants the skill permission to make and push changes to repositories and to mark threads resolved. Users should be aware that addressing mode is not read-only: it performs write operations on the target repo.
Instruction-only skill with no install spec and no bundled code. This minimizes the risk from installed code on disk; the skill relies on the system-provided gh CLI and git being available.
No environment variables are declared, but the skill implicitly requires a configured gh/git environment (authenticated gh session or git credentials) with sufficient scopes to read/clone, comment, resolve threads, and push branches. The skill does not request unrelated credentials, but users must ensure the agent's GitHub credential/token has appropriate (least-privilege) scopes before use.
always:false (good). The skill can perform autonomous actions (disable-model-invocation:false is normal), and those actions include pushing commits and resolving threads. If the agent is allowed to invoke skills autonomously, this write capability increases blast radius — consider requiring user confirmation before making push/resolve operations or restricting the skill to review-only for less risk.
Guidance
This skill is coherent for reviewing and addressing PRs, but it will make changes: it clones repos, edits files, commits, pushes, posts replies, and resolves threads using the gh CLI. Before installing/using: (1) ensure the environment running the agent has gh and git installed and a GitHub login configured; (2) verify the GitHub token/credentials used by gh have the minimum scopes needed (repo access only as required) and are not organization-wide admin tokens; (3) prefer using review-only (giving reviews) unless you explicitly want the agent to push fixes — test addressing-mode on a fork or test repo first; (4) if you plan to allow autonomous invocation, require an approval step before any push/merge/resolve actions; (5) audit commits/pushes created by the agent and rotate tokens if unexpected changes occur.
Latest Release
v0.1.0
Initial release — 5-layer review framework, severity tiers, addressing workflow, customizable conventions and IaC checklist
Published by @ggettert on ClawHub