// Review a new or open pull request for this repository with an adversarial security and quality lens. Use when the user says "/pr", "/pr-review", "check the new PR", "is this PR safe to merge", "look for malicious code", "review outside contribution", "should I merge this PR", or asks for reasons not to merge a pull request.
Post a standard update comment to a GitHub issue that is already in the chat context. Use when the user says "/post-update", asks to update an issue after a fix has landed, or wants issue participants told that the fix will be in the next release and invited to leave feedback once they can test it.
Reimagine this repository from first principles using the current product and user experience as the target. Use when the user says "/expert-reset", asks how the project should be rebuilt if starting again, wants bold architecture or component-structure recommendations, or wants a research-only reset plan unconstrained by current implementation details.
Provide an expert codebase review for this repository. Use when the user says "/expertreview", asks for an expert review, wants refactoring or codebase improvement recommendations, wants consistency and quality assessed, or asks how to reduce duplication, improve component use, preserve the end-user experience, and keep upgrades cleanly migratable.
Alias for the repository pull request review workflow. Use when the user says "/pr-review" or asks to review a newly submitted or open GitHub pull request, document what changed, evaluate code quality, security and integration risk, run the relevant local checks, and recommend whether to merge, request improvements, or hold.
Summarize user-facing project changes from the last 7 days. Use when the user says "/updates", asks for recent updates, wants a changelog-style summary, or wants the most important feature changes from the past week.
| name | pr |
| description | Review a new or open pull request for this repository with an adversarial security and quality lens. Use when the user says "/pr", "/pr-review", "check the new PR", "is this PR safe to merge", "look for malicious code", "review outside contribution", "should I merge this PR", or asks for reasons not to merge a pull request. |
Assess a pull request before merge. Focus on bugs, suspicious behavior, malicious code, supply-chain risk, broken project conventions, missing tests, and any reason the repo owner should wait before merging.
Default to review only. Do not merge, push fixes, approve the PR, or close linked issues unless the user explicitly asks. The repo owner wants to test changes before issues are closed.
Use the PR number or URL if the user provides one. Otherwise inspect open PRs and review the newest one, clearly saying that assumption.
Prefer GitHub connector tools when available. Otherwise use gh:
gh pr list --state open --limit 10 \
--json number,title,author,createdAt,updatedAt,isCrossRepository,headRefName,baseRefName,url
gh pr view <number> \
--json number,title,author,body,baseRefName,headRefName,isCrossRepository,files,commits,mergeStateStatus,statusCheckRollup,reviews,url
gh pr diff <number> --name-only
gh pr diff <number> --patch
Record the PR title, author, URL, base branch, source branch, whether it comes from a fork, changed files, diff size, existing CI state, and whether it touches release, firmware, workflow, dependency, generated, or web delivery paths.
Check the working tree before checkout or tests:
git status --short --branch
If there are local changes, do not overwrite or revert them. Review with
gh pr diff when possible. Ask before checking out a PR if local changes might
be affected.
Treat outside contributions and dependency/workflow changes as higher risk until they are understood. Look especially for:
pull_request_target,
unpinned third-party actions, or changed release credentialsDo not accuse the contributor of intent unless there is direct evidence. Say "suspicious", "high risk", or "could allow" when intent is unknown.
Read the PR description, changed files, and surrounding code. Classify the change so checks match the affected area:
Prioritize merge-blocking defects and practical risk over style comments.
Run checks relevant to the changed files. Explain skipped checks plainly.
Common checks:
npm run check:config
python3 scripts/build.py --check
python3 scripts/generate_device_slots.py --check
python3 scripts/check_icon_groups.py
python3 scripts/check_timezones.py
npm run docs:build
npm audit --json
Use the compile skill when firmware, common YAML, device YAML, or C++ changes
could affect firmware builds and the user wants merge-level confidence.
Choose exactly one recommendation:
Lead with findings when there are bugs or risks. Keep the explanation approachable for a technical non-developer.
Recommendation: <merge / merge after small fixes / request changes / hold>
What changed:
- <plain-English summary>
Findings:
- <severity, file/line, issue, impact, suggested fix>
Security and trust notes:
- <malicious-code, supply-chain, workflow, secret, release, or external-call risk>
Checks run:
- <command>: <pass/fail/skipped and why>
Questions or decisions:
- <only if needed>
If there are no findings, say that clearly and name any checks not run or residual risk that still remains.