Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

jawwadfirdousi/read-only-gh-pr-review

Name: read-only-gh-pr-review
Author: jawwadfirdousi

read-only-gh-pr-review/skills/read-only-gh-pr-review/SKILL.md

npx skillsauth add jawwadfirdousi/agent-skills read-only-gh-pr-review

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

PR Review (Backend, GitHub CLI)

Overview

Review backend pull requests end-to-end using local code analysis and GitHub CLI API calls. Report only actionable, high-signal findings.

Tool Constraints

Use only: SemanticSearch, WebSearch, Grep, LS, Glob, Read, Shell, GitHub CLI.
Before any gh command, source the read-only environment script to enable security enforcement:
```
source "<SKILL_DIR>/scripts/activate-gh-readonly.sh"
```
Replace <SKILL_DIR> with the absolute path to this skill directory.
After sourcing, use gh commands directly—they are intercepted by the read-only wrapper.
Verify CLI auth first with gh auth status. If not authenticated, ask the user to run gh auth login.
Enforce strict read-only mode at all times.
Never attempt any write operation, including comments, reviews, edits, assignments, merges, closes, reopens, or API mutations.
If a requested command is blocked by the wrapper, do not try alternatives that can mutate state.
The read-only wrapper blocks command gh and other bypass attempts.

Workflow

Enable read-only environment.
- Source the environment script: source "<SKILL_DIR>/scripts/activate-gh-readonly.sh"
- All subsequent gh commands in this shell session are now protected.
Prepare review context.
- Confirm identity and auth: gh auth status, gh api user.
- Resolve repository owner/name from the current repo or pass -R <OWNER>/<REPO>.
Resolve the target PR.
- Use gh pr view <PR_NUMBER> [--json <fields>] when PR number is known.
- Otherwise shortlist with gh pr list [flags] and pick the target PR.
Sync local repository to the latest PR branch code.
- Fetch the latest remote state for the PR head branch before reviewing code.
- Example flow:
  - Get head branch name from PR metadata (headRefName).
  - Run git fetch --prune origin <HEAD_BRANCH>.
  - Review files from FETCH_HEAD or check out a local review branch from it.
Gather full PR evidence before judging.
- Metadata: gh pr view <PR_NUMBER> [--json <fields>]
- Diff: gh pr diff <PR_NUMBER> [--patch|--name-only]
- Changed files: gh api repos/<OWNER>/<REPO>/pulls/<PR_NUMBER>/files --paginate
- Reviews: gh api repos/<OWNER>/<REPO>/pulls/<PR_NUMBER>/reviews --paginate
- Checks: gh pr checks <PR_NUMBER> [--json <fields>]
- Comments:
  - gh pr view <PR_NUMBER> --comments
  - gh api repos/<OWNER>/<REPO>/issues/<PR_NUMBER>/comments --paginate
  - gh api repos/<OWNER>/<REPO>/pulls/<PR_NUMBER>/comments --paginate
Inspect changed backend code deeply.
- Read all high-risk touched files locally (Read, Grep) and correlate with diff hunks.
- Prioritize request handlers/controllers, business services, authorization logic, database queries, migrations, background jobs, and queue/event handlers.
- Verify idempotency, transaction safety, concurrency behavior, retry behavior, and backward compatibility for public API contracts.
- Use gh api repos/<OWNER>/<REPO>/contents/<PATH>?ref=<REF> when exact remote content is needed (content is usually base64 in .content).
Apply review checklist with risk-first ordering.
- Use references/review-checklist.md.
- Cover security, correctness, data integrity, API compatibility, performance, and test sufficiency before style concerns.
Produce actionable review output.
- Report only issues that are likely defects, regressions, or maintainability risks.
- Include exact file:line, impact, and concrete fix guidance.
- End with residual risk and missing validation/testing assumptions.
- Return findings in chat only; do not write any comment or review back to GitHub.

Response Format

Use this section order:

Critical Issues (Must Fix)
Important Issues (Should Fix)
Suggestions (Consider)
Good Practices Noted

For each issue, use:

Issue: <brief description>
Location: <file:line>
Severity: <Critical|High|Medium|Low>
Problematic Code: <snippet or precise behavior>
Suggestion: <specific fix>
Example: <optional patch-style snippet>

GitHub CLI API Equivalents

Use command mappings in references/github-cli-map.md.

Review Tone

Be constructive and specific.
Explain impact and rationale.
Assume positive intent.
Prefer concise, high-confidence feedback.

jawwadfirdousi/read-only-gh-pr-review

read-only-gh-pr-review/skills/read-only-gh-pr-review/SKILL.md

Review backend pull requests for correctness, security, performance, maintainability, and test coverage using GitHub CLI plus local repository inspection. Use when asked to review service-layer/API/database changes, audit backend branch diffs, summarize backend risk, or produce actionable must-fix/should-fix feedback.

10 stars

tools

Updated May 29, 2026

$ install --global

skillsauth

npx skillsauth add jawwadfirdousi/agent-skills read-only-gh-pr-review

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 29, 2026, 8:20 AM167.1s7 files scanned

SKILL.md

name:: read-only-gh-pr-review
description:: Review backend pull requests for correctness, security, performance, maintainability, and test coverage using GitHub CLI plus local repository inspection. Use when asked to review service-layer/API/database changes, audit backend branch diffs, summarize backend risk, or produce actionable must-fix/should-fix feedback.
compatibility:: Requires GitHub CLI (gh), an authenticated GitHub account, and network access.

PR Review (Backend, GitHub CLI)

Overview

Review backend pull requests end-to-end using local code analysis and GitHub CLI API calls. Report only actionable, high-signal findings.

Tool Constraints

Use only: SemanticSearch, WebSearch, Grep, LS, Glob, Read, Shell, GitHub CLI.
Before any gh command, source the read-only environment script to enable security enforcement:
```
source "<SKILL_DIR>/scripts/activate-gh-readonly.sh"
```
Replace <SKILL_DIR> with the absolute path to this skill directory.
After sourcing, use gh commands directly—they are intercepted by the read-only wrapper.
Verify CLI auth first with gh auth status. If not authenticated, ask the user to run gh auth login.
Enforce strict read-only mode at all times.
Never attempt any write operation, including comments, reviews, edits, assignments, merges, closes, reopens, or API mutations.
If a requested command is blocked by the wrapper, do not try alternatives that can mutate state.
The read-only wrapper blocks command gh and other bypass attempts.

Workflow

Enable read-only environment.
- Source the environment script: source "<SKILL_DIR>/scripts/activate-gh-readonly.sh"
- All subsequent gh commands in this shell session are now protected.
Prepare review context.
- Confirm identity and auth: gh auth status, gh api user.
- Resolve repository owner/name from the current repo or pass -R <OWNER>/<REPO>.
Resolve the target PR.
- Use gh pr view <PR_NUMBER> [--json <fields>] when PR number is known.
- Otherwise shortlist with gh pr list [flags] and pick the target PR.
Sync local repository to the latest PR branch code.
- Fetch the latest remote state for the PR head branch before reviewing code.
- Example flow:
  - Get head branch name from PR metadata (headRefName).
  - Run git fetch --prune origin <HEAD_BRANCH>.
  - Review files from FETCH_HEAD or check out a local review branch from it.
Gather full PR evidence before judging.
- Metadata: gh pr view <PR_NUMBER> [--json <fields>]
- Diff: gh pr diff <PR_NUMBER> [--patch|--name-only]
- Changed files: gh api repos/<OWNER>/<REPO>/pulls/<PR_NUMBER>/files --paginate
- Reviews: gh api repos/<OWNER>/<REPO>/pulls/<PR_NUMBER>/reviews --paginate
- Checks: gh pr checks <PR_NUMBER> [--json <fields>]
- Comments:
  - gh pr view <PR_NUMBER> --comments
  - gh api repos/<OWNER>/<REPO>/issues/<PR_NUMBER>/comments --paginate
  - gh api repos/<OWNER>/<REPO>/pulls/<PR_NUMBER>/comments --paginate
Inspect changed backend code deeply.
- Read all high-risk touched files locally (Read, Grep) and correlate with diff hunks.
- Prioritize request handlers/controllers, business services, authorization logic, database queries, migrations, background jobs, and queue/event handlers.
- Verify idempotency, transaction safety, concurrency behavior, retry behavior, and backward compatibility for public API contracts.
- Use gh api repos/<OWNER>/<REPO>/contents/<PATH>?ref=<REF> when exact remote content is needed (content is usually base64 in .content).
Apply review checklist with risk-first ordering.
- Use references/review-checklist.md.
- Cover security, correctness, data integrity, API compatibility, performance, and test sufficiency before style concerns.
Produce actionable review output.
- Report only issues that are likely defects, regressions, or maintainability risks.
- Include exact file:line, impact, and concrete fix guidance.
- End with residual risk and missing validation/testing assumptions.
- Return findings in chat only; do not write any comment or review back to GitHub.

Response Format

Use this section order:

Critical Issues (Must Fix)
Important Issues (Should Fix)
Suggestions (Consider)
Good Practices Noted

For each issue, use:

Issue: <brief description>
Location: <file:line>
Severity: <Critical|High|Medium|Low>
Problematic Code: <snippet or precise behavior>
Suggestion: <specific fix>
Example: <optional patch-style snippet>

GitHub CLI API Equivalents

Use command mappings in references/github-cli-map.md.

Review Tone

Be constructive and specific.
Explain impact and rationale.
Assume positive intent.
Prefer concise, high-confidence feedback.

Related Skills

jawwadfirdousi/trello

development

VerifiedTrustedCommunity

Manage Trello boards, lists, and cards via the Trello REST API.

10SKILL.mdUpdated May 29, 2026

jawwadfirdousi/trello

jawwadfirdousi/svg-creator

development

VerifiedTrustedCommunity

create, edit, review, validate, and package high-quality svg graphics, icons, illustrations, diagrams, logos, charts, patterns, and inline svg code. use when the user asks to make a beautiful svg, generate an .svg file, fix or optimize svg markup, convert a visual concept into svg, design an icon system, or verify svg accessibility, safety, path data, viewbox, gradients, masks, filters, and browser-safe rendering.

10SKILL.mdUpdated May 29, 2026

jawwadfirdousi/svg-creator

jawwadfirdousi/supabase

development

VerifiedTrustedCommunity

Run Supabase Management API SQL for persistent data tasks such as querying records, applying schema changes, managing policies, and handling storage metadata. Use when requests involve Supabase database CRUD, migrations, or production-like data inspection.

10SKILL.mdUpdated May 29, 2026

jawwadfirdousi/supabase

jawwadfirdousi/read-only-postgres

testing

VerifiedTrustedCommunity

Execute read-only SQL queries against PostgreSQL databases. Use when: (1) querying PostgreSQL data, (2) exploring schemas/tables, (3) running SELECT queries for analysis, (4) checking database contents. Supports multiple database connections with descriptions for auto-selection. Blocks all write operations (INSERT, UPDATE, DELETE, DROP, etc.) for safety.

10SKILL.mdUpdated May 29, 2026

jawwadfirdousi/read-only-postgres

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/jawwadfirdousi/agent-skills.git

# Copy into Claude Code skills folder (global)
cp -r agent-skills/read-only-gh-pr-review/skills/read-only-gh-pr-review ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

jawwadfirdousi/agent-skills

10 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT