nsheaps/automated-code-review
plugins/scm-utils/skills/automated-code-review/SKILL.md
Perform a comprehensive automated code review using granular review skills. Orchestrates review-pr-contents, review-commits, review-commit-messages, review-diff, review-code, validate-review, and post-review as building blocks. Use this for new review workflows — scm-utils:code-review is maintained for backward compatibility with Henry's CI workflow.
$ install --global
skillsauthnpx skillsauth add nsheaps/ai-mktpl automated-code-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 22, 2026, 4:13 PM64.7s1 file scanned
SKILL.md
- name:
- automated-code-review
- description:
- >
- Use this for new review workflows — scm-utils:
- code-review is maintained for
- argument-hint:
- [PR number or branch name]
Note:
scm-utils:code-reviewis the legacy skill used by Henry's CI review workflow. This skill is the recommended replacement for new review workflows.
Automated Code Review
A comprehensive code review workflow that orchestrates multiple granular review skills in sequence. Each skill performs a focused review dimension, then results are validated and posted as a structured GitHub review.
Review Sequence
The automated code review runs the following skills in order:
- review-pr-contents — Check PR title, body, labels, and metadata for completeness and clarity
- review-commits — Evaluate commit structure, atomicity, and whether commits are focused and logical
- review-commit-messages — Verify commit messages follow conventions and clearly describe changes
- review-diff — Check the diff against the base branch for scope, completeness, and coherence
- review-code — Evaluate code quality, patterns, correctness, security, and maintainability
- validate-review — Verify that all findings are accurate and actionable (not false positives)
- post-review — Format and submit the review on GitHub with a structured summary and verdict
If Issues Are Found
If review findings indicate problems that should be fixed:
- fix-review-findings — Address each finding in the code
- Re-review — Run the review sequence again to verify fixes
What Gets Reviewed
PR Contents (review-pr-contents)
- PR title (under 70 chars, descriptive, starts with verb)
- Body (explains what changed and why)
- Test plan (includes verification steps)
- Links (references related issues, specs, discussions)
- Labels (appropriate labels applied)
- Draft state (draft if in progress, ready if complete)
Commits (review-commits)
- Commit structure and atomicity
- Whether commits are focused and logical
- Commit granularity (not too large, not too fine-grained)
Commit Messages (review-commit-messages)
- Message conventions (following project standards)
- Clarity (does it describe the change clearly?)
- Grammar and tone
Diff (review-diff)
- Scope (does the diff match the stated goal?)
- Completeness (are all necessary changes included?)
- Coherence (do changes form a logical whole?)
- Reversibility (could this be cleanly reverted?)
- Side effects (no unrelated file changes)
Code (review-code)
- Correctness (does code do what it claims?)
- Security (injection, auth, secrets, unsafe APIs)
- Performance (bottlenecks, N+1 queries, unnecessary copying)
- Maintainability (readability, understandability)
- Simplicity (unnecessary complexity?)
- Pattern match (follows existing codebase conventions)
- Error handling (errors caught, logged, surfaced appropriately)
Workflow
User Request
↓
review-pr-contents → PR title/body/labels findings
↓
review-commits → Commit structure findings
↓
review-commit-messages → Message convention findings
↓
review-diff → Diff scope/completeness findings
↓
review-code → Code quality/pattern findings
↓
validate-review → Verify all findings are accurate
↓
post-review → Submit GitHub review with verdict
↓
[If issues found]
fix-review-findings → Address issues
↓
Re-run automated-code-review
Review Verdicts
| Verdict | When |
| ----------------- | ------------------------------------------------------- |
| APPROVE | No outstanding issues, ready to merge |
| COMMENT | Only P2 follow-ups remain (won't break if merged) |
| REQUEST_CHANGES | Must fix before merge (security, correctness, breaking) |
When to Use This Skill
- Comprehensive code review of a pull request
- Setting up automated review in new workflows
- Need detailed feedback across all review dimensions
- Want structured, repeatable review process
When to Use code-review Instead
- Working with Henry's CI review bot workflow
- Need to trigger the automated CI review via labels
- Legacy workflow compatibility required
Granular Skills Reference
This skill orchestrates these specialized review skills:
scm-utils:review-pr-contents— Review PR metadata and presentationscm-utils:review-commits— Review commit structure and organizationscm-utils:review-commit-messages— Review commit message conventionsscm-utils:review-diff— Review diff scope and completenessscm-utils:review-code— Review code quality and correctnessscm-utils:validate-review— Verify review findings are accuratescm-utils:post-review— Post the review on GitHubscm-utils:fix-review-findings— Address review findings
External References
- granular review skills — Individual skill documentation
- GitHub API review docs — GitHub review API reference
- Claude Code MCP tools — Available MCP tools for GitHub
Related Skills
nsheaps/github-app-session-env
tools
VerifiedTrustedCommunity
Manually reproduce what the github-app plugin's SessionStart hook does to make a GitHub App installation token usable in the current session — materialize the PEM, generate the token, isolate GH_CONFIG_DIR, write the runtime env file, and wire CLAUDE_ENV_FILE so every Bash call sees GH_TOKEN/GITHUB_TOKEN. Use when the hook did not run, the token is missing from the environment, or a shell/teammate needs the token wired up by hand. <example>GH_TOKEN isn't set even though github-app is configured</example> <example>the github-app SessionStart hook didn't run, set up the token manually</example> <example>wire the github app token into CLAUDE_ENV_FILE</example> <example>gh keeps falling back to the wrong account, isolate GH_CONFIG_DIR</example>
3SKILL.mdUpdated Jun 9, 2026
nsheaps/github-app-git-identity
tools
VerifiedTrustedCommunity
Manually configure the GitHub App bot git identity the way the github-app plugin's SessionStart hook does — resolve the app slug and bot user ID, build the <slug>[bot] name and noreply email, set GIT_AUTHOR_*/GIT_COMMITTER_* env vars, and write an isolated GIT_CONFIG_GLOBAL with the gh auth git-credential helper. Use when commits are attributed to the wrong account, "Author identity unknown" appears, or git identity must be set up by hand. <example>my commits are showing up as the handler, not the bot</example> <example>git says Author identity unknown after the github-app hook ran</example> <example>configure the github app bot git identity manually</example> <example>set up the gh credential helper for git push</example>
3SKILL.mdUpdated Jun 9, 2026
nsheaps/spec-management
tools
VerifiedTrustedCommunity
Manages spec files for requirements capture and validation
3SKILL.mdUpdated Jun 7, 2026
nsheaps/plugins/bash-command-rejection/skills/bash-chaining-alternatives
tools
VerifiedTrustedCommunity
# Bash Chaining Alternatives This skill teaches you how to work around the bash command chaining restriction enforced by this plugin. ## Why Chaining is Blocked The `bash-command-rejection` plugin blocks these operators: | Operator | Name | Why Blocked | | -------- | ---------- | ----------------------------------------------------------------------------------- | | `&&` | AND chain | Runs cmd2 only if cmd1 su
3SKILL.mdUpdated Jun 7, 2026