sampx/wsf-code-review
skills/wsf-code-review/SKILL.md
Review source files changed during a phase for bugs, security issues, and code quality problems
$ install --global
skillsauthnpx skillsauth add sampx/agent-tools wsf-code-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 11, 2026, 4:18 AM28.4s1 file scanned
SKILL.md
- name:
- wsf-code-review
- description:
- Review source files changed during a phase for bugs, security issues, and code quality problems
- argument-hint:
- <phase-number> [project] [--depth=quick|standard|deep] [--files file1,file2,...]
- read:
- true
- bash:
- true
- glob:
- true
- grep:
- true
- write:
- true
- task:
- true
<objective>
Review source files changed during a phase for bugs, security vulnerabilities, and code quality problems.
Spawns the wsf-code-reviewer agent to analyze code at the specified depth level. Produces REVIEW.md artifact in the phase directory with severity-classified findings.
Arguments:
- Phase number (required) — which phase's changes to review (e.g., "2" or "02")
--depth=quick|standard|deep(optional) — review depth level, overrides workflow.code_review_depth config- quick: Pattern-matching only (~2 min)
- standard: Per-file analysis with language-specific checks (~5-15 min, default)
- deep: Cross-file analysis including import graphs and call chains (~15-30 min)
--files file1,file2,...(optional) — explicit comma-separated file list, skips SUMMARY/git scoping (highest precedence for scoping)
Output: {padded_phase}-REVIEW.md in phase directory + inline summary of findings </objective>
<execution_context> @/Users/sam/coding/wopal/wopal-workspace/.wopal/wsf/workflows/code-review.md </execution_context>
<context> Phase: $ARGUMENTS (first positional argument is phase number) Project: optional second positional argument (e.g., `space-flow`). If specified, resolve to `$PROJECT_ROOT=projects/<project>/` via `wsf-tools init`.Optional flags parsed from $ARGUMENTS:
--depth=VALUE— Depth override (quick|standard|deep). If provided, overrides workflow.code_review_depth config.--files=file1,file2,...— Explicit file list override. Has highest precedence for file scoping per D-08. When provided, workflow skips SUMMARY.md extraction and git diff fallback entirely.
Context files (AGENTS.md, SUMMARY.md, phase state) are resolved inside the workflow via wsf-tools init phase-op and delegated to agent via <files_to_read> blocks.
</context>
Execute the code-review workflow from @/Users/sam/coding/wopal/wopal-workspace/.wopal/wsf/workflows/code-review.md end-to-end.
The workflow (not this command) enforces these gates:
- Phase validation (before config gate)
- Config gate check (workflow.code_review)
- File scoping (--files override > SUMMARY.md > git diff fallback)
- Empty scope check (skip if no files)
- Agent spawning (wsf-code-reviewer)
- Result presentation (inline summary + next steps) </process>
Related Skills
sampx/ellamaka-config
tools
VerifiedTrustedCommunity
Configure ellamaka, a fork of OpenCode with wopal-space mode. MUST use for any task about ellamaka config, agent frontmatter, permission rules, model/provider selection, formatter settings, config loading order, or why config changes are ignored. Trigger on requests about ellamaka or opencode config files, agent permission overrides, restricting subagents, custom/plugin tool permissions (e.g. wopal_task_*), disabling tools, configuring providers or models, formatter setup, config precedence or layering, or debugging settings that do not take effect. Use this skill even when the user says "opencode" if the actual runtime, config path, or behavior is ellamaka. Prefer this skill whenever the answer depends on the difference between ellamaka and upstream opencode, including wopal-space config loading, plugin tool permissions, or agent frontmatter precedence.
1SKILL.mdUpdated May 31, 2026
sampx/df-plan-review
development
VerifiedTrustedCommunity
Plan quality verification for dev-flow. Goal-backward analysis ensures plans WILL achieve their stated goal before execution burns context. ⚠️ MUST use when: (1) Reviewing Plan quality before approve (2) Wopal completes Plan writing and needs quality gate (3) User asks to "check plan", "verify plan", "review plan" (4) Plan enters planning status and needs pre-execution validation 🔴 Trigger automatically when Plan is ready for review, even if user doesn't explicitly say "review". Agent: rook (read-only verification subagent) Mode: verification, not execution
1SKILL.mdUpdated May 31, 2026
sampx/df-implement-review
development
VerifiedTrustedCommunity
Review implementation results for goal achievement and code quality. Supports both Plan-backed review and planless diff review. ⚠️ MUST use when: (1) Wopal delegates rook to review fae implementation output, (2) Prompt contains "review_type: implementation", (3) Prompt contains changed code file list or Plan path + implementation scope, (4) Any code review request from Wopal. 🔴 Trigger even when user does not explicitly mention "review" if the task involves verifying implementation results. This skill is rook-exclusive (only rook agent can load it).
1SKILL.mdUpdated May 31, 2026
sampx/agents-collab
tools
VerifiedTrustedCommunity
Foundation rules for how Wopal collaborates with sub-agents such as fae and rook. ⚠️ MUST load before ANY delegation — covers delegation tool APIs, task lifecycle, notifications, status handling, and recovery. 🔴 Trigger: "delegate", "let fae implement", "fae task", "rook review", "check task status", "cancel task", "abort task", "agent collaboration", "委派", "让 fae 执行", "fae 任务", "rook 审查", "检查状态", or any intent to hand work to a sub-agent. 🔴 Never delegate without loading this skill first. Skipping it is serious negligence. Note: this skill does not include workflow-specific prompt templates such as dev-flow templates. Those belong to the corresponding workflow skills.
1SKILL.mdUpdated May 31, 2026