Git Pr Auditor

Professional-grade git diff auditor that identifies security vulnerabilities and code smells before you merge.

Install
cmdop skills install agensi-git-pr-auditor

Git PR Auditor is a skill that performs multi-layered analysis of git diffs to catch security and quality problems before code is merged. It works against staged changes, specific branches, or active GitHub Pull Requests, categorizing issues into three severity levels: Critical for security findings, Warning for quality problems, and Info for best-practice observations.

On the security side, the skill detects hardcoded secrets, SQL injection patterns, command injection risks, and XSS patterns. For code quality, it flags code smells such as magic numbers, swallowed errors, and leaked debug log statements. Structural analysis covers overly complex functions and missing documentation. The audit logic is applied per file type, with specialized checklists for backend code, frontend code, configuration files, and SQL.

The skill produces a standardized, machine-readable report, making it suitable as a first-pass reviewer in automated pipelines before a human reviewer sees the diff. It integrates with standard Git workflows and the GitHub CLI.

This skill is not an MCP server and exposes no callable tools to an agent runtime — it is a structured execution skill. It does not replace deep human code review for complex architectural decisions, and it requires access to the relevant git diff or GitHub Pull Request context to operate.

Use cases

  • Scan staged git changes for hardcoded secrets or injection vulnerabilities before committing
  • Audit a feature branch diff against a base branch for code smells and missing documentation
  • Run a first-pass security review on an open GitHub Pull Request
  • Detect risky shell=True calls or swallowed exceptions in backend code changes
  • Identify leaked debug log statements in frontend diffs before they reach production
  • Generate a machine-readable audit report for integration into a CI quality gate

When to use it

  • When an agent needs to review git diffs for security vulnerabilities prior to merge
  • When automating a first-pass code quality check across backend, frontend, config, or SQL changes
  • When the workflow involves GitHub Pull Requests and requires structured severity-level reporting
  • When catching issues like hardcoded credentials or magic numbers that human reviewers may overlook

When not to use it

  • When the task requires architectural or design-level code review beyond diff analysis
  • When no git diff or GitHub PR context is available to supply as input
  • When an MCP server with callable tools is needed — this is a skill, not an MCP server
  • When the project needs a full static analysis suite covering the entire codebase rather than changed lines only