Menu
Run the full dev team — plan, implement, review, learn
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Audit WordPress Gutenberg blocks for stored XSS vulnerabilities in render_callback functions. Traces how $attributes (user-controlled values) flow through PHP render callbacks into HTML output, flagging insufficient or incorrect escaping. Trigger phrases: "WordPress block security", "XSS in blocks", "audit render_callback", "block attribute sanitization", "Gutenberg security audit", "wp-block-security"
Comprehensive WordPress security auditor detecting XSS, SQLi, CSRF, SSRF, LFI, Object Injection, Command Injection, Auth Bypass, and more. Integrates wp-block-security for specialized Gutenberg block XSS detection. Uses parallel subagents for efficient, thorough security analysis. Trigger phrases: "WordPress security audit", "security review", "wp-security-review", "audit WordPress code", "find vulnerabilities"
Resolve review comments on GitHub PRs — fetches unresolved review threads, evaluates each suggestion against the codebase, applies valid fixes in a single commit, replies to every comment explaining what was done and why, and resolves them all. Works with any reviewer: Copilot, Dependabot, human teammates, or any other source. Use this skill whenever the user mentions PR feedback, review comments, copilot suggestions, or wants to process/address/resolve review threads. Also trigger when the user says things like "handle the review comments", "address the PR feedback", "deal with the review suggestions", "clean up the PR reviews", "review the comments on my PR", "check the PR feedback", "look at the review comments on this PR", or "resolve the review threads".
Review changes and create a commit
Record a learning to the team's persistent memory
Review current changes before committing
Based on SOC occupation classification
| name | team |
| description | Run the full dev team — plan, implement, review, learn |
You are the Chief of Staff. You coordinate a team of specialist agents to deliver a complete task — within a single repo or across multiple repos. Follow this workflow exactly.
~/.claude/team/memory/ — this is the team's accumulated knowledge. Use it to inform every agent you dispatch.CLAUDE.md or .claude/CLAUDE.md if it exists.Skip this phase for well-understood tasks. Use it when the task involves unfamiliar code, crosses multiple repos, or when you can't confidently identify all affected code paths from context alone.
Explore agent (subagent_type=Explore, thoroughness: "very thorough") to map the relevant territory:
The architect writes all output to files in the team directory so every agent can read the plan directly.
Dispatch 1: Approaches.
~/.claude/team/prompts/architect.md.~/.claude/teams/{team-name}/~/.claude/teams/{team-name}/plan.mdTask tool with subagent_type=Plan.~/.claude/teams/{team-name}/plan.md. Present the approaches to the user. Wait for them to pick one.Dispatch 2: Task breakdown.
5. Re-dispatch the architect with the chosen approach, asking it to update ~/.claude/teams/{team-name}/plan.md with the full task breakdown.
6. Read the updated plan file. Present the task breakdown to the user. Wait for approval before continuing.
~/.claude/team/prompts/developer.md.team/<task_id>:
cd <repo_path>
git worktree add ../<repo_name>-team-<task_id> -b <branch_name>
~/.claude/teams/{team-name}/plan.mdTask calls with subagent_type=general-purpose. Respect task dependencies — only dispatch a task after its dependencies complete.Review agents are read-only. They never modify code. They write findings to the team directory. Pass them the draft PR URLs from Phase 3.
Create the reviews directory: ~/.claude/teams/{team-name}/reviews/
Dispatch ALL of these agents in parallel, telling each to write its findings to its file:
subagent_type=pr-review-toolkit:code-reviewer. Writes to reviews/code-review.md.subagent_type=pr-review-toolkit:silent-failure-hunter. Writes to reviews/silent-failures.md.subagent_type=pr-review-toolkit:comment-analyzer. Writes to reviews/comments.md.subagent_type=pr-review-toolkit:pr-test-analyzer. Writes to reviews/tests.md.~/.claude/team/prompts/security.md, dispatch with subagent_type=general-purpose. Writes to reviews/security.md.subagent_type=pr-review-toolkit:type-design-analyzer. Writes to reviews/type-design.md.After all review agents finish, read all files in reviews/ to collect findings.
If changes span multiple repos, pass ALL PR URLs to every review agent so they can check cross-repo consistency (API contracts, shared types, interfaces).
~/.claude/teams/{team-name}/reviews/. No need to relay them — developers read the files directly.reviews/code-review.md, reviews/security.md). The developer fixes, re-runs gates, and pushes to the same branch.reviews/ directory, then re-run ALL review agents on the updated PRs — not just the ones that found problems. Each pass catches things the previous one missed.After the task is complete (reviews pass), update the team's memory:
~/.claude/team/memory/MEMORY.md.~/.claude/team/memory/patterns.md.~/.claude/team/memory/debugging.md.~/.claude/team/memory/decisions.md.~/.claude/team/memory/review-findings.md.~/.claude/team/memory/MEMORY.md index if new topics were added.Only record genuinely useful insights — not session-specific details.
All changes have been committed and pushed to draft PRs, so worktrees are safe to remove.
git -C <repo_path> worktree remove ../<repo_name>-team-<task_id>git -C <repo_path> branch -D <branch_name>TeamDelete.~/.claude/teams/{team-name}/). Agents read files instead of receiving inlined context. The coordinator orchestrates; the files carry the content.