pr-ready
Ensures code quality by running CodeRabbit locally before PR creation, streamlining the review process and reducing CI wait times.
Security score
The pr-ready skill was audited on May 28, 2026 and we found 18 security issues across 4 threat categories, including 1 critical. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context
| 53 | ```bash |
Template literal with variable interpolation in command context
| 70 | ```bash |
Piping content to sh shell
| 40 | When the CLI is missing, the script does **not** use upstream's `curl … | sh` flow (which fetches `latest` and performs no integrity check). Instead it: |
Curl to non-GitHub URL
| 72 | curl -fsSL https://cli.coderabbit.ai/releases/latest/VERSION |
Access to hidden dotfiles in home directory
| 45 | 4. Extracts the single `coderabbit` binary to `~/.local/bin` and `chmod +x` it. |
Access to hidden dotfiles in home directory
| 60 | unzip -o /tmp/coderabbit.zip -d ~/.local/bin/ |
Access to hidden dotfiles in home directory
| 61 | chmod +x ~/.local/bin/coderabbit |
Access to hidden dotfiles in home directory
| 64 | If `coderabbit` is still not on `PATH` after install, ensure `~/.local/bin` is in `PATH` (`echo $PATH`, then add to your `~/.zshrc` / `~/.bashrc`). |
Access to hidden dotfiles in home directory
| 99 | 4. The CLI prints `Authenticated as <github-handle>` and writes a token to `~/.config/coderabbit/` (chmod 600). Don't commit or copy this file — it's tied to your personal account. |
Access to hidden dotfiles in home directory
| 192 | The skill maintains a gitignored local log at `~/.cache/lifi-contracts/pr-ready/findings.jsonl`. After classification (step 3), the agent appends one entry per finding: |
Access to hidden dotfiles in home directory
| 224 | The pre-PR gate (`.claude/scripts/pr-ready-gate.py`, or `~/.claude/scripts/pr-ready-gate.py` for the user-installed copy) requires this marker's mtime to be newer than `HEAD`'s commit timestamp; any n |
Access to hidden dotfiles in home directory
| 294 | - Pre-PR gate hook: `.claude/scripts/pr-ready-gate.py` (also installed at `~/.claude/scripts/pr-ready-gate.py` as a PreToolUse hook on Bash; blocks `gh pr create` / `gh pr ready` until the marker file |
Access to hidden dotfiles in home directory
| 295 | - Global rule: `~/.claude/CLAUDE.md` — "PR creation workflow" section. |
External URL reference
| 43 | 2. Downloads the pinned release artifact directly: `https://cli.coderabbit.ai/releases/<PINNED_VERSION>/coderabbit-<platform>.zip`. |
External URL reference
| 57 | URL="https://cli.coderabbit.ai/releases/${PIN}/coderabbit-${OS}-${ARCH}.zip" |
External URL reference
| 72 | curl -fsSL https://cli.coderabbit.ai/releases/latest/VERSION |
External URL reference
| 76 | URL="https://cli.coderabbit.ai/releases/<NEW_VERSION>/coderabbit-${plat}.zip" |
External URL reference
| 96 | 1. The CLI prints a one-time code and a URL (e.g. `https://app.coderabbit.ai/login/cli?code=ABCD-1234`) and opens your default browser. If the browser doesn't open automatically, copy the URL manually |