Total downloads: 65 | Favorites: 0 | Current installs: 1 | Versions: 1
Install in OpenClaw: /install nm-sanctum-pr-review
Description
Scope-focused PR review with requirements validation and backlog triage
Security usage advice
This skill appears to be a well-documented PR-review playbook, but before installing: (1) confirm the runtime environment provides the CLI tools it assumes (gh or glab, git, jq, python and standard Unix tools). (2) Understand which credentials will be used: an existing gh auth login or environment tokens (GH_TOKEN/GITLAB_TOKEN) are required to post comments; ensure any token granted has minimal scopes (repo:status/comments/PR write as needed). (3) Review what the declared config paths (night-market.* and memory-palace) map to in your agent/platform, and verify they do not expose additional secrets you don't intend to share. (4) If you need stricter auditing, ask the publisher to explicitly declare required binaries and credential variables and to explain where captured knowledge is stored and who can access it. These clarifications, if provided, would change this assessment to benign.
Functional analysis
Type: OpenClaw Skill
Name: nm-sanctum-pr-review
Version: 1.0.0
The skill bundle provides a comprehensive PR review framework that relies heavily on executing shell commands via the GitHub (gh) and GitLab (glab) CLIs. While the functionality is aligned with the stated purpose of code review and backlog triage, the inclusion of complex shell pipelines in SKILL.md, modules/pr-hygiene.md, and modules/version-validation.md creates a significant attack surface. Specifically, the scripts process untrusted input from PR metadata (e.g., branch names, commit messages, and file contents) using tools like awk, sed, and grep, which could lead to shell injection or unintended command execution if the AI agent does not strictly sanitize the environment. No evidence of intentional malice, such as data exfiltration or backdoors, was detected.
Capability assessment
Purpose & Capability
The name and description match a PR-review helper, and the declared required config paths (night-market.*) align with that purpose. However, the SKILL.md assumes the presence of tools like gh, git, jq, grep/sed/awk and Python libraries (memory_palace.*), and the ability to post comments via GitHub/GitLab. The registry metadata lists no required binaries and no primary credential; that is inconsistent with the instructions, which rely on authenticated CLI and network access.
Instruction Scope
The SKILL.md is instruction-heavy and stays within PR-review behavior: it reads repository files (specs, package files, CHANGELOG, README) and diffs, and posts comments/reviews to GitHub/GitLab. It also includes knowledge-capture steps that create entries in a 'memory-palace' project store. These actions are within the stated purpose, but they will read repository contents and transmit findings to remote services (GitHub via gh) and to project-palace storage; make sure you expect those transmissions.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. Nothing will be downloaded or written by an installer step from the skill bundle itself (lowest install risk).
Credentials
The skill does not declare any environment variables or credentials, yet it expects to call gh/glab, to access Git remotes, and possibly to invoke Python modules that interact with a 'project palace'. In practice, an existing gh auth login or GITHUB_TOKEN (or equivalent GitLab tokens) is required to post reviews and comments; these credentials are not declared. The required config paths are present and may be intended to supply platform-specific settings, but it is unclear whether they carry credentials or only metadata.
Persistence & Privilege
always:false and user-invocable:true. The skill does not request permanent platform-wide presence or attempt to modify other skills. Knowledge-capture actions imply writing to a project-specific store (memory-palace) which is within its described domain and matches the declared config paths; this is expected behavior for a review/knowledge-capture tool.
How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install nm-sanctum-pr-review
- After installation, call the skill by name directly, or trigger it with /nm-sanctum-pr-review
- Provide the required inputs according to the skill's parameter description to obtain structured output.
Version history
v1.0.0
Initial release of the scope-focused PR review skill.
- Provides structured pull/merge request review focused on requirements validation and backlog triage.
- Includes a scope classification framework to categorize findings: BLOCKING, IN-SCOPE, SUGGESTION, BACKLOG, IGNORE.
- Outlines a detailed, phase-based review workflow: establish scope, gather changes, validate requirements, check versions, review code, triage backlog, and capture knowledge.
- Automatically detects and integrates with GitHub or GitLab for platform-specific actions.
- Emphasizes preventing scope creep and routing out-of-scope issues to the backlog.
FAQ
What is Nm Sanctum Pr Review?
Scope-focused PR review with requirements validation and backlog triage. It is an AI agent skill plugin for Claude Code / OpenClaw, with 65 downloads to date.
How do I install Nm Sanctum Pr Review?
Run the command /install nm-sanctum-pr-review in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Nm Sanctum Pr Review free?
Yes, Nm Sanctum Pr Review is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.
Which platforms does Nm Sanctum Pr Review support?
Nm Sanctum Pr Review is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Nm Sanctum Pr Review?
Developed and maintained by athola (@athola); current version v1.0.0.