Description

Pre-landing PR review. Analyzes diff against the base branch for SQL safety, LLM trust boundary violations, conditional side effects, and other structural is...

README (SKILL.md)

AskUserQuestion Format

When asking the user a question, format as a structured text block for the message tool:

Re-ground: State the project, current branch, and the current plan/task. (1-2 sentences)
Simplify: Plain English a smart 16-year-old could follow. Concrete examples. Say what it DOES.
Recommend: RECOMMENDATION: Choose [X] because [one-line reason]. Include Completeness: X/10.
Options: A) ... B) ... C) ...

Completeness Principle — Boil the Lake

AI-assisted coding makes marginal cost of completeness near-zero:

If Option A is complete and Option B saves modest effort — always recommend A.
Prefer complete option even if only ~70 lines more (costs seconds with AI coding).

Completion Status Protocol

DONE — All steps completed.
DONE_WITH_CONCERNS — Completed with issues to note.
BLOCKED — Cannot proceed.
NEEDS_CONTEXT — Missing info.

Step 0: Detect base branch

gh pr view --json baseRefName -q .baseRefName
If no PR: gh repo view --json defaultBranchRef -q .defaultBranchRef.name
Fall back to main.

Pre-Landing PR Review

Name: Review
Author: loocor

Analyze the current branch's diff against the base branch for structural issues that tests don't catch.

Step 1: Check branch

git branch --show-current — if on base branch, output "Nothing to review — you're on the base branch" and stop.
git fetch origin \x3Cbase> --quiet && git diff origin/\x3Cbase> --stat — if no diff, stop.

Step 1.5: Scope Drift Detection

Read TODOS.md (if exists). Read PR description: gh pr view --json body --jq .body 2>/dev/null || true. Read commit messages: git log origin/\x3Cbase>..HEAD --oneline.
Identify stated intent — what was this branch supposed to accomplish?
Run git diff origin/\x3Cbase> --stat and compare files changed against stated intent.

Evaluate:

SCOPE CREEP: Files unrelated to intent, new features not in plan, "while I was in there" changes.
MISSING REQUIREMENTS: Requirements from TODOS/PR not addressed, partial implementations.

Output before main review:

Scope Check: [CLEAN / DRIFT DETECTED / REQUIREMENTS MISSING]
Intent: \x3C1-line summary of what was requested>
Delivered: \x3C1-line summary of what diff actually does>
[If drift: list each out-of-scope change]
[If missing: list each unaddressed requirement]

Step 2: Read the checklist

Read .claude/skills/review/checklist.md. If cannot be read, STOP and report error.

Step 3: Get the diff

git fetch origin \x3Cbase> --quiet
git diff origin/\x3Cbase>

Step 4: Two-pass review

Apply checklist in two passes:

Pass 1 (CRITICAL): SQL & Data Safety, Race Conditions & Concurrency, LLM Output Trust Boundary, Enum & Value Completeness
Pass 2 (INFORMATIONAL): Conditional Side Effects, Magic Numbers & String Coupling, Dead Code & Consistency, LLM Prompt Issues, Test Gaps, View/Frontend

Enum & Value Completeness requires reading code OUTSIDE the diff. When the diff introduces a new enum value, grep all files referencing sibling values, then check if new value is handled.

Step 4.5: Design Review (conditional)

Check if diff touches frontend files using native shell:

SCOPE_FRONTEND=false
git fetch origin "\x3Cbase>" --quiet 2>/dev/null
for ext in ts tsx js jsx vue svelte css scss less sass styl pcss postcss png jpg jpeg gif svg webp ico woff woff2 ttf eot; do
  if git diff origin/"\x3Cbase>" --name-only 2>/dev/null | grep -qiE "\.${ext}$"; then
    SCOPE_FRONTEND=true
    break
  fi
done

If SCOPE_FRONTEND=false: Skip silently.

If SCOPE_FRONTEND=true:

Read DESIGN.md or design-system.md if exists.
Read .claude/skills/review/design-checklist.md. If not found, skip with note.
Read each changed frontend file (full file, not just diff hunks).
Apply design checklist. Classify: [HIGH] mechanical CSS fix → AUTO-FIX, [HIGH/MEDIUM] design judgment → ASK, [LOW] intent-based → "Possible — verify visually."
Include findings in review output under "Design Review" header.
Log result for Review Readiness Dashboard.

Step 5: Fix-First Review

Output: Pre-Landing Review: N issues (X critical, Y informational)

5a: Classify each finding

AUTO-FIX or ASK per Fix-First Heuristic in checklist.md.

5b: Auto-fix all AUTO-FIX items

Apply each fix directly. Output one-line summary per fix: [AUTO-FIXED] [file:line] Problem → what you did

5c: Batch-ask about ASK items

If ASK items remain, present in ONE question:

List each with number, severity label, problem, recommended fix
Options: A) Fix as recommended B) Skip
Include overall RECOMMENDATION

If 3 or fewer ASK items, individual questions allowed.

5d: Apply user-approved fixes

Output what was fixed. If no ASK items, skip question entirely.

Verification of claims

If claiming "this pattern is safe" → cite specific line proving safety
If claiming "handled elsewhere" → read and cite handling code
If claiming "tests cover this" → name test file and method
Never say "likely handled" or "probably tested" — verify or flag as unknown.

Step 5.5: TODOS cross-reference

Read TODOS.md. Cross-reference PR against open TODOs:

Does this PR close any open TODOs? Note which.
Does this PR create work that should become a TODO? Flag as informational.
Are there related TODOs providing context for this review? Reference them.

Step 5.6: Documentation staleness check

For each .md file in repo root:

Check if code changes in diff affect features described in that doc.
If doc NOT updated but code it describes WAS changed → INFORMATIONAL: "Documentation may be stale: [file] describes [feature] but code changed in this branch."

Step 5.7: Codex review (optional)

Check if Codex CLI is available:

which codex 2>/dev/null && echo "CODEX_AVAILABLE" || echo "CODEX_NOT_AVAILABLE"

If CODEX_NOT_AVAILABLE: skip silently.

If available, send via message tool:

Codex is an independent code review tool from OpenAI. Want an adversarial challenge of this plan?

Options: A) Yes — let Codex critique the plan B) No — proceed without Codex

If user chooses A, use the browser tool to open the plan file and describe the approach. Codex can be invoked via codex exec if installed locally.

Important Rules

Read the FULL diff before commenting.
Fix-first, not read-only. AUTO-FIX applied directly. ASK items need user approval.
Be terse. One line problem, one line fix. No preamble.
Only flag real problems.

Usage Guidance

This skill is coherent with a PR review purpose but has important mismatches and risky behaviors to consider before installing: - It uses many command-line tools (git, gh, grep, jq, etc.) but the skill metadata declares no required binaries. Expect failures or silent assumptions if those CLIs are absent — the publisher should list them. - The instructions perform network operations (git fetch origin/<base>) and use the GitHub CLI; those will use whatever credentials are configured in the user's environment (gh auth, git remotes). The skill doesn't declare or request authorization, so confirm you are comfortable with the tool using your existing CLI auth/session. - The SKILL.md includes AUTO-FIX steps that modify files directly. Ask the publisher to clarify whether the agent will always write changes automatically, and request a confirm-before-write option. Prefer an explicit prompt that shows edits and requires approval before applying them. - The skill expects repo-specific checklist files (.claude/skills/review/checklist.md, design-checklist.md). If these don't exist the skill may stop or behave unexpectedly; check the repository for these files or request fallback behavior. Before installing or enabling this skill, ask the publisher to 1) declare required binaries and their minimum versions, 2) document that it uses existing GH/Git auth and what it will access, and 3) add an explicit confirmation step for any in-place changes (or make auto-fixes opt-in). If you cannot verify those, treat the skill as potentially dangerous for automated write operations.

Capability Analysis

Type: OpenClaw Skill Name: gstack-review Version: 1.0.0 The skill bundle defines a structured workflow for performing automated PR reviews, including scope drift detection, SQL safety checks, and design consistency audits. It utilizes standard development tools such as git and the GitHub CLI (gh) to analyze repository state and diffs. The instructions in SKILL.md are transparent, requiring user confirmation for non-trivial fixes and providing clear status protocols, with no evidence of data exfiltration, unauthorized execution, or malicious intent.

Capability Assessment

ℹ Purpose & Capability

The name/description (pre-landing PR review) align with the instructions (git/gh-based diff analysis, design checks, auto-fixes). However the skill metadata declares no required binaries or credentials even though the runtime instructions rely heavily on git, gh, grep, jq and shell tools. This omission is inconsistent and should be corrected.

⚠ Instruction Scope

Instructions read arbitrary repository files (TODOS.md, DESIGN.md, multiple checklists), run networked git fetches (origin/<base>), and explicitly perform AUTO-FIX operations that modify files in-place. While reading the repo is expected for a review tool, the explicit auto-apply behavior (apply fixes directly) means the agent will make changes to the user's working tree without an explicit metadata-level declaration or a required user-confirmation step in the metadata. The SKILL.md also assumes presence of files (.claude/skills/review/checklist.md) and will stop if they are missing, which is brittle.

✓ Install Mechanism

Instruction-only skill with no install spec — lowest risk of arbitrary code download. There is no installer to evaluate.

⚠ Credentials

The skill declares no required env vars or credentials, yet it uses the GitHub CLI (gh) and performs git fetch against remotes; those tools typically rely on local auth state (stored tokens/config). The skill should at minimum declare the dependency on gh/git and document that it will use existing CLI authentication. Lack of declared binaries/credentials is an inconsistency that could confuse users about what the skill will access.

ℹ Persistence & Privilege

always:false and autonomous invocation allowed (default). The main privacy concern is that the instructions include automatic in-place repo modifications (AUTO-FIX) and applying fixes after asking only for ASK items — this grants write privileges to the agent when invoked and should be made explicit to users and gated by confirmation.

Version History

v1.0.0

Initial release of the gstack-review skill for pre-landing PR assessment. - Analyzes git diffs for SQL safety, LLM trust boundaries, scope drift, missing requirements, and structural issues. - Implements a two-pass review with critical and informational checks, plus optional frontend and Codex review. - Applies fix-first workflow: auto-fixes clear issues, batches user questions for others. - Includes scope drift detection, TODO/documentation cross-referencing, and design review if frontend changes present. - Provides a structured protocol for completeness and clear user interaction flow.

Metadata

Slug gstack-review

Version 1.0.0

License MIT-0

All-time Installs 4

Active Installs 4

Total Versions 1

Frequently Asked Questions

What is Review?

Pre-landing PR review. Analyzes diff against the base branch for SQL safety, LLM trust boundary violations, conditional side effects, and other structural is... It is an AI Agent Skill for Claude Code / OpenClaw, with 134 downloads so far.

How do I install Review?

Run "/install gstack-review" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Review free?

Yes, Review is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Review support?

Review is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Review?

It is built and maintained by Loocor (@loocor); the current version is v1.0.0.

More Skills

Review