
Nm Sanctum Pr Review

by athola · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
65 Downloads
0 Stars
1 Active Installs
1 Versions
Install in OpenClaw
/install nm-sanctum-pr-review
Description
Scope-focused PR review with requirements validation and backlog triage
Usage Guidance
This skill appears to be a well-documented PR-review playbook, but before installing: (1) confirm the runtime environment provides the CLI tools it assumes (gh or glab, git, jq, python and standard Unix tools). (2) Understand which credentials will be used: an authenticated gh session (gh auth) or environment tokens (GH_TOKEN/GITLAB_TOKEN) are required to post comments, so ensure any token granted has minimal scopes (repo:status, comments and PR write, as needed). (3) Review what the declared config paths (night-market.* and memory-palace) map to in your agent/platform and verify they do not expose additional secrets you don't intend to share. (4) If you need stricter auditing, ask the publisher to explicitly declare required binaries and credential variables and to explain where captured knowledge is stored and who can access it. These clarifications would change this assessment to benign if provided.
Capability Analysis
Type: OpenClaw Skill
Name: nm-sanctum-pr-review
Version: 1.0.0
The skill bundle provides a comprehensive PR review framework that relies heavily on executing shell commands via the GitHub (gh) and GitLab (glab) CLIs. While the functionality is aligned with the stated purpose of code review and backlog triage, the inclusion of complex shell pipelines in SKILL.md, modules/pr-hygiene.md, and modules/version-validation.md creates a significant attack surface. Specifically, the scripts process untrusted input from PR metadata (e.g., branch names, commit messages, and file contents) using tools like awk, sed, and grep, which could lead to shell injection or unintended command execution if the AI agent does not strictly sanitize the environment. No evidence of intentional malice, such as data exfiltration or backdoors, was detected.
Capability Tags
crypto, can-make-purchases
Capability Assessment
Purpose & Capability
The name and description match a PR-review helper, and the declared required config paths (night-market.*) align with that purpose. However, the SKILL.md assumes the presence of tools like gh, git, jq, grep/sed/awk and Python libraries (memory_palace.*) and the ability to post comments via GitHub/GitLab. The registry metadata lists no required binaries and no primary credential, which is inconsistent with instructions that rely on authenticated CLI and network access.
Instruction Scope
The SKILL.md is instruction-heavy and stays within PR review behavior: it reads repository files (specs, package files, CHANGELOG, README) and diffs, and posts comments/reviews to GitHub/GitLab. It also includes knowledge-capture steps that create entries in a 'memory-palace' project store. These actions are within the stated purpose, but they will read repository contents and transmit findings to remote services (GitHub via gh) and to memory-palace storage, so make sure you expect those transmissions.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. Nothing will be downloaded or written by an installer step from the skill bundle itself (lowest install risk).
Credentials
The skill does not declare any environment variables or credentials, yet it expects to call gh/glab, to access Git remotes, and possibly to invoke Python modules that interact with the 'memory-palace' store. In practice an authenticated gh session (gh auth) or GITHUB_TOKEN (or equivalent GitLab tokens) is required to post reviews and comments; these credentials are not declared. The required config paths are present and may be intended to supply platform-specific settings, but it is unclear whether they carry credentials or only metadata.
Persistence & Privilege
Declared flags: always:false and user-invocable:true. The skill does not request permanent platform-wide presence or attempt to modify other skills. Knowledge-capture actions imply writing to a project-specific store (memory-palace), which is within its described domain and matches the declared config paths; this is expected behavior for a review/knowledge-capture tool.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install nm-sanctum-pr-review
  3. After installation, invoke the skill by name or use /nm-sanctum-pr-review
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of the scope-focused PR review skill.
  - Provides structured pull/merge request review focused on requirements validation and backlog triage.
  - Includes a scope classification framework to categorize findings: BLOCKING, IN-SCOPE, SUGGESTION, BACKLOG, IGNORE.
  - Outlines a detailed, phase-based review workflow: establish scope, gather changes, validate requirements, check versions, review code, triage backlog, and capture knowledge.
  - Automatically detects and integrates with GitHub or GitLab for platform-specific actions.
  - Emphasizes preventing scope creep and routing out-of-scope issues to the backlog.
Metadata
Slug nm-sanctum-pr-review
Version 1.0.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Nm Sanctum Pr Review?

Scope-focused PR review with requirements validation and backlog triage. It is an AI Agent Skill for Claude Code / OpenClaw, with 65 downloads so far.

How do I install Nm Sanctum Pr Review?

Run "/install nm-sanctum-pr-review" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Nm Sanctum Pr Review free?

Yes, Nm Sanctum Pr Review is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Nm Sanctum Pr Review support?

Nm Sanctum Pr Review is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Nm Sanctum Pr Review?

It is built and maintained by athola (@athola); the current version is v1.0.0.
