Structured PR Review

v0.1.0

Structured PR code review with layered analysis and severity tiers. Two modes: (1) Giving reviews — walk through security, correctness, conventions, IaC, and...

by Grace Gettert (@ggettert)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for ggettert/structured-pr-review.

Prompt Preview: Install & Setup
Install the skill "Structured PR Review" (ggettert/structured-pr-review) from ClawHub.
Skill page: https://clawhub.ai/ggettert/structured-pr-review
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install structured-pr-review

ClawHub CLI


npx clawhub@latest install structured-pr-review
Security Scan

VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (structured PR review, two modes) matches the instructions and reference files. All declared capabilities (fetch PR, walk review layers, reply/resolve, push fixes) are relevant to the stated purpose; there are no unrelated requirements (no unexpected cloud keys, weird binaries, or network endpoints).
Instruction Scope
The SKILL.md and references explicitly instruct the agent to clone repositories, checkout PR branches, modify files, commit, push, post replies, and resolve review threads via gh API/GraphQL. That is within the 'addressing reviews' mode, but it grants the skill permission to make and push changes to repositories and to mark threads resolved. Users should be aware that addressing mode is not read-only: it performs write operations on the target repo.
Install Mechanism
Instruction-only skill with no install spec and no bundled code. This minimizes disk-installed risk; it relies on the system-provided gh CLI and git being available.
Credentials
No environment variables are declared, but the skill implicitly requires a configured gh/git environment (authenticated gh session or git credentials) with sufficient scopes to read/clone, comment, resolve threads, and push branches. The skill does not request unrelated credentials, but users must ensure the agent's GitHub credential/token has appropriate (least-privilege) scopes before use.
Persistence & Privilege
always:false (good). The skill can perform autonomous actions (disable-model-invocation:false is normal), and those actions include pushing commits and resolving threads. If the agent is allowed to invoke skills autonomously, this write capability increases blast radius — consider requiring user confirmation before making push/resolve operations or restricting the skill to review-only for less risk.
Assessment
This skill is coherent for reviewing and addressing PRs, but it will make changes: it clones repos, edits files, commits, pushes, posts replies, and resolves threads using the gh CLI. Before installing/using: (1) ensure the environment running the agent has gh and git installed and a GitHub login configured; (2) verify the GitHub token/credentials used by gh have the minimum scopes needed (repo access only as required) and are not organization-wide admin tokens; (3) prefer using review-only (giving reviews) unless you explicitly want the agent to push fixes — test addressing-mode on a fork or test repo first; (4) if you plan to allow autonomous invocation, require an approval step before any push/merge/resolve actions; (5) audit commits/pushes created by the agent and rotate tokens if unexpected changes occur.
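A pre-flight script for items (1) and (2) above, added here as an example rather than code shipped with the skill or produced by the scan: it confirms gh and git are present and authenticated, reads the classic-token scope header that `gh api -i user` returns, requires `repo`, and refuses a token that carries any scope from an assumed denylist of org-admin and destructive scopes. Fine-grained tokens print no scope header, so the script asks for a manual check in that case.

```shell
#!/bin/sh
# Pre-flight check before letting the skill's "addressing" mode push commits or
# resolve threads. Example only, not part of the skill. Assumes the classic-token
# X-Oauth-Scopes header that `gh api -i user` prints; fine-grained tokens print
# no scopes and must be reviewed in the GitHub token settings instead.

# Denylist (an assumption of this example): scopes an autonomous PR agent never needs.
DENY_SCOPES="admin:org admin:enterprise admin:org_hook write:org delete_repo admin:public_key admin:gpg_key"

# check_scopes "repo, read:org" -> 0 if acceptable, 1 if an over-broad scope is present.
check_scopes() {
    scopes=$(printf '%s' "$1" | tr ',' ' ')
    rc=0
    for s in $scopes; do
        for d in $DENY_SCOPES; do
            if [ "$s" = "$d" ]; then
                echo "over-broad scope on gh token: $s" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# has_scope "repo, read:org" repo -> 0 if the required scope is granted.
has_scope() {
    for s in $(printf '%s' "$1" | tr ',' ' '); do
        [ "$s" = "$2" ] && return 0
    done
    return 1
}

# preflight: tools present, gh logged in, token scopes sane.
# This is the only function that talks to GitHub.
preflight() {
    command -v gh >/dev/null 2>&1 || { echo "gh not installed" >&2; return 1; }
    command -v git >/dev/null 2>&1 || { echo "git not installed" >&2; return 1; }
    gh auth status >/dev/null 2>&1 || { echo "gh not authenticated" >&2; return 1; }
    # Pull the scope header from the raw HTTP response (-i includes headers).
    scopes=$(gh api -i user 2>/dev/null \
        | awk -F': ' 'tolower($1)=="x-oauth-scopes" {print $2}' | tr -d '\r')
    [ -n "$scopes" ] || { echo "no scope header (fine-grained token?): verify permissions manually" >&2; return 1; }
    has_scope "$scopes" repo || { echo "token lacks 'repo' scope needed to push and comment" >&2; return 1; }
    check_scopes "$scopes"
}
```

Run `preflight` once in the environment the agent will use; a non-zero exit means stay in review-only mode until the token is fixed.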


72 downloads · 2 stars · 1 version · Updated 1w ago · v0.1.0 · MIT-0

Structured PR Review

Two modes: giving reviews and addressing review comments. No external dependencies — uses gh CLI only.

Giving Reviews

When asked to review or check a PR:

  1. Fetch the PR details and full diff
  2. Walk through each review layer in order (see references/review-layers.md):
    • Security — secrets, injection, auth, exposure
    • Correctness — logic errors, edge cases, error handling
    • Conventions — team standards (customize via references/conventions.md)
    • IaC — Terraform/CloudFormation checks (customize via references/iac-checklist.md)
    • Testing — coverage, new code has tests
  3. Produce a structured verdict with severity tiers

Key principles:

  • Be direct — "this approach has problems" beats "interesting choice"
  • Every issue includes what to fix, not just what's wrong
  • Acknowledge what the PR does well
  • When in doubt on severity, go one level lower

See references/review-layers.md for the full framework and verdict format.

Addressing Review Comments

When asked to address, fix, or respond to PR feedback:

  1. Fetch all review comments (inline + review-level)
  2. Fix each issue or document why not
  3. Reply to every comment — none left unacknowledged
  4. Resolve threads, update PR description, push

See references/addressing-workflow.md for the step-by-step workflow.

Key rules:

  • Never leave comments unacknowledged — reply to every one
  • Always update the PR description after making changes
  • Verify the PR is actually merged before closing linked issues

Customization

This skill ships with generic review layers. Customize for your team:

  • references/conventions.md — coding conventions, commit format, naming rules. Ships with common defaults — customize for your team.
  • references/iac-checklist.md — add your IaC-specific checks (required tags, allowed regions, provider pins). Ships with common Terraform patterns — extend for your org.

Works Well With

  • terraform-skill (antonbabenko) — Terraform authoring best practices, module patterns, testing strategies
  • conventional-commits — commit message format conventions (useful when addressing reviews)
  • github (built-in) — general gh CLI operations for PRs, issues, and CI runs
  • gh-issues (built-in) — automated PR monitoring and review spawning
