jmagly/pr-reviewer
agentic/code/frameworks/sdlc-complete/extensions/github/skills/pr-reviewer/SKILL.md
Review GitHub pull requests for code quality, security, and best practices. Use for automated PR feedback and approval workflows.
$ install --global
skillsauthnpx skillsauth add jmagly/aiwg pr-reviewerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 28, 2026, 12:44 PM141.6s1 file scanned
SKILL.md
- namespace:
- aiwg
- name:
- pr-reviewer
- description:
- Review GitHub pull requests for code quality, security, and best practices. Use for automated PR feedback and approval workflows.
- tools:
- Read, Write, Bash, Glob, Grep
- platforms:
- [all]
PR Reviewer Skill
Purpose
Single responsibility: Review GitHub pull requests for quality, security, and adherence to project standards. (BP-4)
Grounding Checkpoint (Archetype 1 Mitigation)
Before executing, VERIFY:
- [ ] gh CLI is installed and authenticated
- [ ] PR number or URL is valid
- [ ] Repository has review permissions
- [ ] Review criteria are defined
DO NOT submit reviews without understanding the full diff.
Uncertainty Escalation (Archetype 2 Mitigation)
ASK USER instead of guessing when:
- Review scope unclear (security only vs full review)
- Approval authority undefined
- Conflicting with existing reviews
- Breaking changes detected
NEVER approve PRs automatically without user confirmation.
Context Scope (Archetype 3 Mitigation)
| Context Type | Included | Excluded | |--------------|----------|----------| | RELEVANT | PR diff, commit messages, linked issues | Unrelated files | | PERIPHERAL | Project standards, CI status | Other PRs | | DISTRACTOR | Historical PRs | Fork activity |
Workflow Steps
Step 1: Fetch PR Details (Grounding)
# Get PR information
gh pr view <number> --json title,body,author,files,additions,deletions,commits,reviews
# Get diff
gh pr diff <number>
# Check CI status
gh pr checks <number>
Step 2: Analyze Changes
# List changed files
gh pr view <number> --json files --jq '.files[].path'
# Get diff stats
gh pr view <number> --json additions,deletions --jq '"\(.additions) additions, \(.deletions) deletions"'
# Check for sensitive files
gh pr diff <number> | grep -E "(\.env|password|secret|key)" && echo "⚠️ Sensitive patterns detected"
Step 3: Review Categories
Code Quality:
# Check for common issues
gh pr diff <number> | grep -E "(console\.log|debugger|TODO|FIXME)" | head -20
Security:
# Security patterns
gh pr diff <number> | grep -E "(eval\(|innerHTML|dangerouslySetInnerHTML|exec\()" | head -10
Tests:
# Check test coverage
gh pr view <number> --json files --jq '.files[] | select(.path | test("test|spec")) | .path'
Step 4: Submit Review
Comment only:
gh pr review <number> --comment --body "$(cat <<'EOF'
## Code Review
### Summary
[Overview of changes]
### Observations
- Point 1
- Point 2
### Questions
- Question 1?
EOF
)"
Request changes:
gh pr review <number> --request-changes --body "Changes needed: [reason]"
Approve:
gh pr review <number> --approve --body "LGTM! ✅"
Recovery Protocol (Archetype 4 Mitigation)
On error:
- PAUSE - Don't submit partial reviews
- DIAGNOSE - Check error type:
Not found→ Verify PR numberPermission denied→ Check repo accessReview already exists→ Update existingCI pending→ Wait or note in review
- ADAPT - Adjust review scope
- RETRY - With corrected parameters (max 3 attempts)
- ESCALATE - Report issues to user
Checkpoint Support
State saved to: .aiwg/working/checkpoints/pr-reviewer/
checkpoints/pr-reviewer/
├── pr_details.json # PR metadata
├── diff_analysis.json # Change analysis
├── security_scan.json # Security findings
└── review_draft.md # Draft review
Review Template
## Code Review: PR #<number>
### Summary
<Brief overview of the PR purpose and changes>
### Review Checklist
- [ ] Code follows project style guide
- [ ] Tests added/updated for changes
- [ ] Documentation updated if needed
- [ ] No security vulnerabilities introduced
- [ ] CI checks passing
### Observations
#### ✅ Strengths
- Point 1
- Point 2
#### ⚠️ Concerns
- Concern 1 (file:line)
- Concern 2 (file:line)
#### ❓ Questions
- Question about design choice?
### Recommendation
- [ ] Approve
- [ ] Request changes
- [ ] Comment only
### Line Comments
| File | Line | Comment |
|------|------|---------|
| src/foo.ts | 42 | Consider using const |
Common Commands
| Command | Purpose |
|---------|---------|
| gh pr view <n> | View PR details |
| gh pr diff <n> | View diff |
| gh pr checks <n> | CI status |
| gh pr review <n> | Submit review |
| gh pr comment <n> | Add comment |
| gh pr merge <n> | Merge PR |
References
- GitHub CLI PR commands: https://cli.github.com/manual/gh_pr
- REF-001: Production-Grade Agentic Workflows (BP-4)
- REF-002: LLM Failure Modes (Archetype 2 over-helpfulness)
Related Skills
jmagly/radar-status
data-ai
VerifiedTrustedCommunity
Report which research-corpus radar sidecars are overdue for refresh. Computes staleness (days since last refresh vs the cadence window) for every radar, sorted most-overdue-first. Runs via `aiwg corpus radar-status`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-report
data-ai
VerifiedTrustedCommunity
Aggregate research-corpus radar sidecars into a corpus or per-cluster freshness report — totals, overdue count, per-cluster / per-GRADE / per-trajectory breakdowns, an overdue table, and per-radar rationale snippets. Runs via `aiwg corpus radar-report`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-init
testing
VerifiedTrustedCommunity
Scaffold radar/freshness sidecars for research-corpus REFs. Pulls title/authors from the citation sidecar and GRADE from the analysis doc, defaults the refresh cadence from GRADE and the cluster from a corpus-local map, and stamps documentation/radar/REF-XXX-radar.md. Runs via `aiwg corpus radar-init`.
140SKILL.mdUpdated May 28, 2026
jmagly/profile-temporal
data-ai
VerifiedTrustedCommunity
Compute an entity's publication trajectory — per-year paper counts, topic drift, hot-streak detection (≥3 consecutive A-grade years), and career phase. Runs via `aiwg corpus profile-temporal`.
140SKILL.mdUpdated May 28, 2026