sandstorm-cli/skills/review-and-pr/SKILL.md
Use this skill whenever the user is ready to publish the work from an existing Sandstorm stack — reviewing the diff, pushing to its branch, opening a pull request, and recording the PR on the stack. Trigger phrases include: 'make a PR for stack X', 'publish stack X', 'push and PR stack X', 'the diff looks good, ship it', 'open a pull request for stack X', 'finalize stack X', 'commit and push stack X to a PR'. This is the end-of-workflow publish step for a stack that has completed its task and whose diff the user has seen (or is about to see via this skill). Do NOT trigger for: pushing WITHOUT a PR, creating a stack from scratch, dispatching new work, or any workflow where there are no changes to publish. Do NOT trigger if the stack is still running — the skill assumes the task is finished.
```bash
npx skillsauth add onomojo/sandstorm-desktop review-and-pr
```
Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
3 of 9 scanners reported clean
End-to-end publish flow. Two phases; run them in order.
Show the uncommitted changes in the stack so you can craft a meaningful PR title and body:
```bash
bash "$SANDSTORM_SKILLS_DIR/review-and-pr/scripts/review-and-pr.sh" preview <stack-id>
```
The script prints the diff unchanged. Read it. If it's empty (DIFF_EMPTY), tell the user there's nothing to publish and stop — do NOT call phase 2.
Craft a PR title and body:
feedback_pr_descriptions.md: what was done, why, anything notable. NOT generic boilerplate.

Pipe the body on stdin:
```bash
echo "<PR body text>" | bash "$SANDSTORM_SKILLS_DIR/review-and-pr/scripts/review-and-pr.sh" publish <stack-id> "<PR title>"
```
The script commits + pushes the stack's branch, opens the PR via the project's .sandstorm/scripts/create-pr.sh, parses out the PR number and URL, and records them back against the stack via set_pr. It prints one line:
OK stack=<id> pr=<number> url=<url>
Or on failure: ERROR phase=<phase> reason=<...>.
Relay the line to the user.
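The publish step above, as an added example that is not part of the skill or the Sandstorm project: `publish_stack` feeds the body from a file rather than from `echo "<PR body text>"`, where the shell expands any `$(...)` or backticks inside the double quotes, and `parse_result` checks the returned line against the two documented shapes before it is relayed. Both function names, the id character set and the https-only URL rule are assumptions.

```shell
# Added example, not part of the skill: publish_stack and parse_result are
# hypothetical helpers. PUBLISH defaults to the script path documented above.
PUBLISH=${PUBLISH:-"$SANDSTORM_SKILLS_DIR/review-and-pr/scripts/review-and-pr.sh"}

# Phase 2 with the body read from a file: its text reaches the script on stdin
# without being re-parsed by the shell, so backticks or $(...) quoted from the
# diff stay literal. Stack id and title are passed as separate quoted arguments.
publish_stack() {  # usage: publish_stack <stack-id> <title> <body-file>
  bash "$PUBLISH" publish "$1" "$2" < "$3"
}

# Check the result line against the two documented shapes before relaying it.
# Prints a summary; returns 0 for OK, 1 for ERROR, 2 for anything else.
# Assumptions: ids use [A-Za-z0-9._-]; the PR URL is https with no query string.
parse_result() {
  line=$1
  case $line in
    "OK stack="*" pr="*" url="*)
      rest=${line#OK stack=}
      stack=${rest%% pr=*}; rest=${rest#* pr=}
      pr=${rest%% url=*};   url=${rest#* url=}
      case $stack in ''|*[!A-Za-z0-9._-]*) echo "malformed stack id"; return 2 ;; esac
      case $pr in ''|*[!0-9]*) echo "malformed pr number"; return 2 ;; esac
      case $url in
        https://?*) ;;
        *) echo "malformed url"; return 2 ;;
      esac
      # Anything outside this allowlist (spaces, newlines, quotes) is rejected.
      case $url in *[!A-Za-z0-9:/._~%-]*) echo "malformed url"; return 2 ;; esac
      echo "published stack=$stack pr=$pr url=$url" ;;
    "ERROR phase="*" reason="*)
      rest=${line#ERROR phase=}
      phase=${rest%% reason=*}
      case $phase in ''|*[!A-Za-z0-9_-]*) echo "malformed phase"; return 2 ;; esac
      echo "failed phase=$phase reason=${rest#* reason=}"; return 1 ;;
    *) echo "unrecognized result line"; return 2 ;;
  esac
}
```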
get_diff, push_stack, or set_pr MCP tools directly. This skill is the only path for this workflow.
main as a branch name. Branches default to the stack name; don't override.
development
Use this skill when the user reports a stack appears broken, stuck, looping, failed, or otherwise not working — and wants to understand WHY (not just restart it). Trigger phrases include: 'stack N doesn't seem to be working', 'stack N isn't working', 'stack N failed for some reason / why did stack N fail / what went wrong with stack N', 'stack N seems stuck / got stuck / stuck in an infinite loop / keeps looping / did N loops and failed', 'take a look at stack N, something went wrong / it's broken / something's clearly wrong', 'stack N hit NEEDS HUMAN INTERVENTION / keeps failing / errored out', 'figure out what's happening / going on with stack N', 'give me a summary of what happened with stack N / diagnose stack N'. The skill reads the stack's dual-loop artifacts (phase timings, review verdicts, execution summaries) from inside its container and returns one structured report — avoiding the 40+ Bash-exploration sub-turns the orchestrator would otherwise make. Make sure to use this skill for ANY request that involves diagnosing a stack's failure, loop behavior, or why it stopped working — even when the user phrases it gently (e.g., 'doesn't seem to be working', 'not sure what's going on', 'can you take a look') as long as there is a failure or malfunction signal present. Falling back to raw Bash exploration of the stack's internals costs 1M+ tokens. Do NOT trigger for: status-only 'is stack N done?' / 'what's the status of stack N' (that's check-and-resume-stack), diff/logs inspection on a working stack with no failure signal (stack-inspect), or creating a new stack.
testing
Use this skill ONLY when the user has EXPLICITLY asked to tear down, destroy, remove, or dismantle a named Sandstorm stack. Trigger phrases include: 'tear down stack X', 'destroy stack X', 'remove stack X', 'dismantle stack X', 'clean up stack X and all its containers', 'I'm done with stack X, kill it'. This skill stops containers, removes the workspace, and archives the stack — it is IRREVERSIBLE and can lose unpushed work. Do NOT trigger on ambiguous phrases like 'clean up', 'reset', 'start over', 'remove the old one', 'stack is broken', or anything that might imply teardown without literal user words like tear down / destroy / delete. Do NOT trigger for: stopping containers (that's pause, not teardown), checking status, failure recovery, or as a precursor to creating a new stack. When in doubt, ASK the user before running.
tools
Use this skill whenever the user wants to record/link/associate a pull request with an existing Sandstorm stack. Trigger phrases include: 'record PR #N for stack X', 'set PR for stack X to #N', 'link PR https://github.com/.../pull/N to stack X', 'save the PR info on stack X', 'stack X's PR is #N'. Use this after a PR has been opened externally (via gh CLI, the GitHub UI, or push_stack's downstream flow) and the user wants the Sandstorm registry to know about it — the stack status flips to pr_created and the URL/number are stored. Do NOT trigger for: creating the PR itself (that's a separate gh CLI / push flow), tearing down the stack, checking stack status, or unrelated PR operations like merging or closing.
testing
Use this skill whenever the user wants to see DETAILED output, logs, or uncommitted changes from a specific Sandstorm stack. Trigger phrases include: 'show me the output of stack X', 'what did stack X log', 'show the task output for X', 'show container logs for stack X', 'what changed in stack X', 'show me the diff in stack X', 'what's happening inside stack X', 'dump stack X's output', 'get logs for stack X's claude container'. The skill covers three read-only probes — task output, container logs, and uncommitted diff — as subcommands. Do NOT trigger for: a quick status check (that's check-and-resume-stack), listing all stacks (that's list-stacks), or anything that modifies state. Prefer the narrower subcommand (output / logs / diff) over 'all' when the user is specific about what they want.