nsheaps/post-review
plugins/scm-utils/skills/post-review/SKILL.md
Post or update a review on GitHub. Use when asked to "post the review", "submit review", "leave a review on the PR", "update the review", or when you have review findings ready to publish on a pull request.
$ install --global
skillsauthnpx skillsauth add nsheaps/ai-mktpl post-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 22, 2026, 4:14 PM49.8s1 file scanned
SKILL.md
- name:
- post-review
- description:
- >
- argument-hint:
- [PR number]
Post Review
Submit a structured review on a GitHub pull request.
Process
- Create a pending review:
gh api repos/{owner}/{repo}/pulls/{number}/reviews --method POST - Add inline comments on specific lines using the review's pending state
- Submit the review with a summary and verdict
Review Verdicts
| Verdict | When to use |
| ----------------- | ------------------------------------------------------- |
| APPROVE | No outstanding issues, ready to merge |
| COMMENT | Only P2 follow-ups remain (won't break if merged) |
| REQUEST_CHANGES | Must fix before merge (security, correctness, breaking) |
Summary Format
Use collapsible <details>/<summary> with shields.io badges for scores:
<details>
<summary>Review: Quality 85% | Security 92% | Simplicity 78%</summary>
[Detailed findings here]
</details>
**Follow-ups:**
- **P0**: [Critical — must fix before merge]
- **P1**: [Important — should fix before merge]
- **P2**: [Nice-to-have — can be a follow-up PR]
Guidelines
- Post inline comments on the specific lines they reference
- Keep the summary concise -- details go in inline comments
- Use conventional comment prefixes:
suggestion:,question:,issue:,nitpick: - Include a workflow run link or session reference in the footer
- When updating an existing review, resolve addressed threads first
References
- GitHub Pull Request Reviews API
- Conventional Comments
Related Skills
nsheaps/github-app-session-env
tools
VerifiedTrustedCommunity
Manually reproduce what the github-app plugin's SessionStart hook does to make a GitHub App installation token usable in the current session — materialize the PEM, generate the token, isolate GH_CONFIG_DIR, write the runtime env file, and wire CLAUDE_ENV_FILE so every Bash call sees GH_TOKEN/GITHUB_TOKEN. Use when the hook did not run, the token is missing from the environment, or a shell/teammate needs the token wired up by hand. <example>GH_TOKEN isn't set even though github-app is configured</example> <example>the github-app SessionStart hook didn't run, set up the token manually</example> <example>wire the github app token into CLAUDE_ENV_FILE</example> <example>gh keeps falling back to the wrong account, isolate GH_CONFIG_DIR</example>
3SKILL.mdUpdated Jun 9, 2026
nsheaps/github-app-git-identity
tools
VerifiedTrustedCommunity
Manually configure the GitHub App bot git identity the way the github-app plugin's SessionStart hook does — resolve the app slug and bot user ID, build the <slug>[bot] name and noreply email, set GIT_AUTHOR_*/GIT_COMMITTER_* env vars, and write an isolated GIT_CONFIG_GLOBAL with the gh auth git-credential helper. Use when commits are attributed to the wrong account, "Author identity unknown" appears, or git identity must be set up by hand. <example>my commits are showing up as the handler, not the bot</example> <example>git says Author identity unknown after the github-app hook ran</example> <example>configure the github app bot git identity manually</example> <example>set up the gh credential helper for git push</example>
3SKILL.mdUpdated Jun 9, 2026
nsheaps/spec-management
tools
VerifiedTrustedCommunity
Manages spec files for requirements capture and validation
3SKILL.mdUpdated Jun 7, 2026
nsheaps/plugins/bash-command-rejection/skills/bash-chaining-alternatives
tools
VerifiedTrustedCommunity
# Bash Chaining Alternatives This skill teaches you how to work around the bash command chaining restriction enforced by this plugin. ## Why Chaining is Blocked The `bash-command-rejection` plugin blocks these operators: | Operator | Name | Why Blocked | | -------- | ---------- | ----------------------------------------------------------------------------------- | | `&&` | AND chain | Runs cmd2 only if cmd1 su
3SKILL.mdUpdated Jun 7, 2026