Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PR Review Loop

v1.0.0

Autonomous PR review loop with Greptile. Use when an agent creates a PR and needs to autonomously handle code review feedback — reading Greptile reviews, fixing issues, pushing fixes, re-triggering review, and auto-merging when score is 4/5+. Trigger on commands like "pr review {url}", "review my PR", or when a Greptile review webhook/poll delivers feedback.

0 stars · 773 downloads · 3 current · 3 all-time
by Cem S (@cemoso)
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The skill's stated purpose (autonomously reading Greptile reviews, applying fixes, pushing, re-triggering reviews, and merging) matches the SKILL.md and the included script. However, the package metadata declares no required binaries or credentials even though the workflow and scripts clearly rely on gh (GitHub CLI), git, jq, grep/flock and an authenticated GitHub identity capable of pushing/merging. This omission is an incoherence that affects safety decisions.
Instruction Scope
SKILL.md and the script instruct the agent to read files/lines referenced by reviewer comments, modify code, commit, push, and auto-merge under heuristics (including force_merge after max rounds). That behavior is within the stated purpose but grants broad autonomous write/merge authority and discretionary fixes. The doc also says to 'ping Master on Telegram' for escalations but provides no mechanism or declared credentials for doing so.
Install Mechanism
There is no install spec (instruction-only + small script), which is lower risk from arbitrary downloads. However, required runtime tools (gh, jq, git, flock) are expected but not declared or installed; the skill assumes they exist on PATH.
Credentials
The skill implicitly requires a GitHub-authenticated environment (GH CLI auth or GITHUB_TOKEN) with push/merge rights for target repos, but no required env vars or primary credential are declared. It also references Telegram for escalation without declaring how to authenticate. Requesting or expecting high-privilege repo credentials without declaring them is disproportionate and should be made explicit.
Persistence & Privilege
always:false (good). The skill stores review-state.json in the workspace (benign). Nevertheless, its runtime operations (commits, pushes, merges, branch deletion) require significant repository privileges; consider restricting tokens/scopes and human oversight for architectural/force-merge cases.
What to consider before installing
Before installing:

  1. Confirm that the agent environment will have gh (GitHub CLI), git, jq, and flock available; the skill does not declare these dependencies.
  2. Carefully plan GitHub credentials: the skill needs an authenticated identity with push/merge rights. Only grant the minimum scopes and prefer a repo-scoped service account or installation token.
  3. Decide and enforce merge policy: the script auto-merges on heuristics (score ≥ 4, or force-merge after 5 rounds or when the same score repeats). If you want human approval for merges or architectural changes, disable autonomous merges or require escalation.
  4. Provide/inspect escalation channels: SKILL.md mentions Telegram but provides no auth mechanism; clarify how alerts are sent and what credentials are involved.
  5. Test in a sandbox repository first to ensure behavior matches expectations.
  6. If the skill owner is unknown or trust is low, consider requiring manual invocation only (do not allow autonomous invocation) or review the code thoroughly.

Additional information that would raise confidence to 'benign': explicit declared runtime requirements (binaries and env vars), a known/trusted source, a clear and limited GitHub token scope, and an audited escalation mechanism.


latest vk978sbr590zz4abrkb8gefgk6s813753
773 downloads
0 stars
1 version
Updated 5h ago
v1.0.0
MIT-0

PR Review Loop

Autonomous cycle: Greptile reviews PR → agent fixes feedback → pushes → re-triggers → repeats until score ≥ 4/5 or max rounds.

Quick Start

When triggered with a PR URL or review payload:

# Run the review loop
bash scripts/pr-review-loop.sh <owner/repo> <pr-number>

Or invoke steps manually — see below.

Workflow

1. Fetch Review

# Get latest Greptile review. gh fills in {owner} and {repo} from the current
# repository, but there is no {pr} placeholder: substitute the PR number.
gh api "/repos/{owner}/{repo}/pulls/<pr-number>/reviews" \
  --jq '[.[] | select(.user.login == "greptile-apps[bot]")] | last'

# Get inline comments left by the Greptile bot on that PR
gh api "/repos/{owner}/{repo}/pulls/<pr-number>/comments" \
  --jq '[.[] | select(.user.login == "greptile-apps[bot]")]'

2. Parse Score

Look for a confidence/quality score in the review body. Greptile typically includes a score like Score: X/5 or Confidence: X/5. Extract it and decide:

  • Score ≥ 4/5 → auto-merge
  • Score < 4/5 → fix issues
  • No score found → treat as needing fixes if there are comments, otherwise merge

3. Auto-Merge (score ≥ 4)

gh pr merge <number> --merge --delete-branch --repo <owner/repo>

4. Fix Issues (score < 4)

For each Greptile comment:

  1. Read the file and line referenced
  2. Understand the feedback
  3. Apply the fix
  4. Stage changes

Commit with a descriptive message listing each fix:

Address Greptile review feedback (round N)

- Fix X in path/to/file.ts
- Fix Y in path/to/other.ts
- Improve Z per reviewer suggestion

Push and re-trigger:

git push
gh pr comment <number> --repo <owner/repo> --body "@greptileai review"

5. Track State

Maintain review-state.json in workspace:

{
  "owner/repo#123": {
    "rounds": 2,
    "maxRounds": 5,
    "lastScore": 3,
    "sameScoreCount": 1
  }
}

Update after each round. Check exit conditions:

  • rounds ≥ 5 → merge anyway, notify Master
  • sameScoreCount ≥ 2 (same score 2 rounds in a row) → merge anyway, notify Master

6. Escalation

  • Architectural decisions (review mentions architecture, design patterns, breaking changes) → ping Master on Telegram, don't auto-fix
  • Max rounds reached → merge + notify Master with summary
  • Unclear feedback → ask Master
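The score-parsing rule from step 2, the exit conditions from step 5 and the architectural-escalation rule from step 6, combined into one offline decision routine. This is an added example, not the skill's own pr-review-loop.sh: the function names parse_score, bump_state and next_action, the keyword list used to spot architectural feedback, and the constructed review body are all this example's own. In the live loop the body would come from the gh api call in step 1, which must stay filtered to greptile-apps[bot] so that only the reviewer bot's text, and not any other PR comment, can produce a score that triggers a merge.

```shell
#!/usr/bin/env bash
# Added example for steps 2, 5 and 6 of the loop (not part of the skill's
# scripts). Function names and the architecture keyword list are assumptions.
set -eu

# parse_score BODY: print X from the first "Score: X/5" or "Confidence: X/5"
# in BODY; print nothing and return 1 when the review carries no score.
# Only feed this the greptile-apps[bot] review body fetched in step 1.
parse_score() {
  local body="$1" match
  match=$(printf '%s\n' "$body" \
    | grep -oiE '(score|confidence):[[:space:]]*[0-5]/5' \
    | head -n 1 || true)
  [ -n "$match" ] || return 1
  printf '%s\n' "$match" | grep -oE '[0-5]/5' | cut -d/ -f1
}

# bump_state ROUNDS LAST_SCORE SAME_COUNT NEW_SCORE: advance the fields kept
# in review-state.json by one round and print "rounds lastScore sameScoreCount".
# sameScoreCount is the length of the current streak of identical scores, so a
# score repeated in two consecutive rounds yields 2 (the step 5 exit condition).
bump_state() {
  local rounds="$1" last="$2" same="$3" new="${4:-}"
  rounds=$((rounds + 1))
  if [ -z "$new" ]; then            # no score in this review
    last=null; same=0
  elif [ "$new" = "$last" ]; then   # same score as the previous round
    same=$((same + 1))
  else                              # a new score starts a fresh streak
    last="$new"; same=1
  fi
  printf '%s %s %s\n' "$rounds" "$last" "$same"
}

# next_action SCORE COMMENT_COUNT ROUNDS MAX_ROUNDS SAME_COUNT BODY:
# print merge, escalate, force-merge or fix, in the order the workflow applies:
# step 3 merge, step 6 escalation, step 5 exit conditions, then step 4 fixes.
next_action() {
  local score="$1" comments="$2" rounds="$3" max_rounds="$4" same="$5" body="$6"
  if [ -n "$score" ] && [ "$score" -ge 4 ]; then echo merge; return; fi
  if [ -z "$score" ] && [ "$comments" -eq 0 ]; then echo merge; return; fi
  # Architectural feedback is never auto-fixed (keyword list is an assumption).
  if printf '%s\n' "$body" | grep -qiE 'architecture|design pattern|breaking change'; then
    echo escalate; return
  fi
  if [ "$rounds" -ge "$max_rounds" ] || [ "$same" -ge 2 ]; then
    echo force-merge; return   # merge anyway and notify Master
  fi
  echo fix
}

# Constructed round: a 3/5 review that repeats last round's score (state was
# rounds=2, lastScore=3, sameScoreCount=1, as in the review-state.json above).
review_body='Confidence: 3/5. Error handling in src/api.ts still swallows exceptions.'
score=$(parse_score "$review_body" || true)
bump=$(bump_state 2 3 1 "$score")
rounds=${bump%% *}; same=${bump##* }
printf 'score=%s rounds=%s sameScoreCount=%s -> %s\n' \
  "$score" "$rounds" "$same" \
  "$(next_action "$score" 1 "$rounds" 5 "$same" "$review_body")"
# prints: score=3 rounds=3 sameScoreCount=2 -> force-merge
```

Running the file prints the decision for the constructed round; in a real loop the three functions would sit between the step 1 fetch and the step 3/4 gh commands, with bump_state's output written back to review-state.json. The two cases worth keeping an eye on are the no-score branch, where an empty comment list merges while any comment sends the PR into the fix path, and force-merge, which the workflow reaches after the fifth round or a repeated score regardless of what the review said.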

Command Interface

Agents should respond to:

  • pr review <url> — start review loop on a PR
  • pr review <owner/repo#number> — same, by reference
  • pr status — show active review loops and their state

References

See references/greptile-patterns.md for common Greptile feedback patterns and fix strategies.
