read-only-gh-pr-review

Fail

Audited by Socket on Mar 9, 2026

1 alert found:

Obfuscated File (HIGH)
SKILL.md

The skill presents a coherent, read-only PR review workflow that aligns with its stated purpose. It relies on the GitHub CLI in a read-only context and local repository analysis, avoiding write actions or credential harvesting. Trust sources are official tooling (gh CLI) and a documented read-only wrapper. Data flows stay within the user's environment and GitHub API, with no mutation or exfiltration mechanisms described. Overall risk is low to moderate (benign), with attention to ensuring the read-only wrapper cannot be bypassed and that logs do not inadvertently leak sensitive PR data.

Confidence: 98%
Audit Metadata
Analyzed At: Mar 9, 2026, 10:01 AM
Package URL: pkg:socket/skills-sh/jawwadfirdousi%2Fagent-skills%2Fread-only-gh-pr-review%2F@73c4dc8af008a48b40c180c3fda33baa079ee420