opendatahub-io/doc-post
helpers/skills/doc-post/SKILL.md
Use this skill to post validation and review findings as comments on a GitHub PR or GitLab MR. Reads workspace findings files and formats them as inline or summary comments.
$ install --global
skillsauthnpx skillsauth add opendatahub-io/ai-helpers doc-postInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 2, 2026, 6:15 AM161.7s1 file scanned
SKILL.md
- name:
- doc-post
- description:
- >
- argument-hint:
- <PR-URL> [--validation] [--review] [--all]
- model:
- claude-haiku-3-5
- effort:
- low
doc-post
Post validation and review findings as comments on a PR/MR.
Parse arguments
$ARGUMENTS contains:
- PR URL: GitHub or GitLab PR/MR URL (required)
- Flags (optional):
--validation: post validation findings only--review: post review findings only--all(default): post both validation and review findings
Step 1: Detect platform
From the PR URL, determine the platform:
github.com→ GitHub (useghCLI)- Other → GitLab (use GitLab API)
Step 2: Load findings
Based on flags, read the relevant findings files:
- Validation:
workspace/validation-findings.json - Review:
workspace/review-findings.json
If a requested file doesn't exist, warn and skip it.
Step 3: Format comments
Summary comment
Create a summary comment with an overview table:
## Documentation Review Results
| Category | High | Medium | Low | Total |
|----------|------|--------|-----|-------|
| Validation | 0 | 3 | 5 | 8 |
| Review | 1 | 2 | 3 | 6 |
| **Total** | **1** | **5** | **8** | **14** |
**Review confidence**: 0.78
### High-severity findings
1. **[ref_model-serving-params.adoc:42]** Technical inaccuracy: The documented API field 'replicas' should be 'minReplicas'
- **Suggestion**: Change 'replicas' to 'minReplicas' per the CRD type definition
### Medium-severity findings
1. **[con_model-serving.adoc:15]** Vale: Use 'Red Hat OpenShift AI' instead of 'RHOAI' on first reference
Inline comments (GitHub only)
For findings that reference specific files and lines in the PR's changed files:
- Get the list of changed files:
gh pr view <URL> --json files - For each finding that references a changed file, post an inline review comment
- For findings in files not in the PR diff, include them in the summary comment
Step 4: Post comments
GitHub
# Post summary comment
gh pr comment <PR-URL> --body "<summary>"
# Post inline review (if applicable)
gh api repos/{owner}/{repo}/pulls/{number}/reviews \
--method POST \
--field body="Documentation review complete" \
--field event="COMMENT" \
--field comments="[...]"
GitLab
Use the GitLab API to post merge request notes.
Step 5: Report
Report to caller:
- Number of comments posted
- Summary of findings posted
- Any findings that could not be posted (e.g., file not in PR diff)
Output
Comments posted on the PR/MR. No workspace file produced.
Stop conditions
- Halt: PR URL not provided or invalid
- Halt: No findings files exist
- Warn:
ghCLI not available (cannot post to GitHub) - Continue: Some inline comments fail to post (include in summary instead)
Related Skills
opendatahub-io/python-packaging-static-audit
development
VerifiedTrustedCommunity
Run hexora static analysis on a Python package repository to detect suspicious code patterns, then triage findings with deterministic rules and AI reasoning to produce a structured risk report section.
30SKILL.mdUpdated May 30, 2026
opendatahub-io/python-packaging-git-audit
development
VerifiedTrustedCommunity
Inspect recent git history of a Python package repository for suspicious commits touching supply-chain-sensitive files, then triage findings with AI reasoning to produce a structured risk report section.
30SKILL.mdUpdated May 30, 2026
opendatahub-io/python-packaging-binary-audit
development
VerifiedTrustedCommunity
Scan a Python package repository for compiled/binary files using Fromager-style detection and malcontent YARA analysis, then triage findings with deterministic rules and AI reasoning to produce a structured risk report section.
30SKILL.mdUpdated May 30, 2026
opendatahub-io/non-redhat-rpms
testing
VerifiedTrustedCommunity
Use this skill to identify non-Red Hat RPM packages installed in container images or on the local machine. For containers, pulls images across multiple architectures and release tags; for local scans, inspects the host directly. Extracts RPM signing metadata and reports packages not signed with the Red Hat GPG key as CSV output. Use when auditing compliance, checking supply-chain provenance, or scanning for third-party RPMs in RHOAI component images.
30SKILL.mdUpdated May 29, 2026