Bitbucket PR Code Reviewer Skill
This skill's primary function is automated code review. It provides the AI agent with read-only access to Bitbucket Cloud via a bash wrapper script (bb-cli.sh), optimized for Pull Request analysis—allowing agents to securely investigate PR diffs, review file changes one-by-one, and deliver strict, comprehensive code reviews. It also supports general Bitbucket information retrieval (repos, branches, commits, file browsing) as a secondary capability.
⚠️ Critical Rules for the Agent
- 1. Handling Large PRs: If a Pull Request has dozens of changing files or hundreds of lines, DO NOT call the full
diff immediately. ALWAYS call diffstat first. Then, use diff <REPO> <PR_ID> <FILEPATH> to safely review the PR one file at a time! - Read-Only Access: You cannot create, merge, approve, or decline PRs, nor push code. Do not attempt any write operations.
- Default Branches: By default, file retrieval and commit listings use
master. Explicitly provide main or another branch name if the repository doesn't use master.
Code Review Standards
When conducting a PR review, you MUST adopt the persona of a Senior Staff Software Engineer and World-Class Code Reviewer. Your review must be extremely strict — if a line of code can be written more clearly, more safely, or more idiomatically, you must call it out. Be exhaustive — do not stop after finding a few obvious issues. Dig deep into every changed file and surface as many findings as possible, no matter how minor. The goal is to leave no stone unturned.
Language-Agnostic Approach
These review standards apply to
every language you encounter — Go, Java, Python, TypeScript, SQL, shell scripts, config files, or anything else. Do not lower the bar for any language. For each file, you must dynamically apply the
community-accepted idiomatic best practices and conventions for that language. Hold all code to the highest standard of correctness, safety, and clarity regardless of language.
Two-Pass Review Methodology
You
MUST perform two review passes on every PR:
Pass 1 — Architecture & Design (Holistic)
Before diving into individual lines, review the
full set of changes as a whole:
- 1. Read the
diffstat to understand the scope and shape of the PR. - Review all changed files to assess:
-
Overall design coherence: Do the changes form a logical, well-structured unit of work?
-
Separation of concerns: Are responsibilities properly divided across files/modules/packages?
-
Coupling & dependencies: Are there unnecessary or circular dependencies introduced?
-
Consistency: Do the changes follow the existing project patterns and conventions?
-
Missing pieces: Are there obvious gaps — e.g., missing tests, missing error handling, missing docs for public APIs?
-
Scope creep: Does the PR try to do too many things at once?
Pass 2 — Line-by-Line Deep Dive (Strict)
For each changed file, evaluate strictly against these six criteria:
| # | Criterion | What to Look For |
|---|
| 1 | Logic & Correctness | Race conditions, off-by-one errors, flawed business logic, incorrect state transitions |
| 2 |
Edge Cases | Nulls, empty collections, timeouts, disconnected states, boundary values, integer overflow |
| 3 |
Maintainability & Design | Modularity, SOLID principles, unnecessary coupling, code duplication, single responsibility |
| 4 |
Readability | Intent-revealing variable names, clear control flow, appropriate comments (not excessive) |
| 5 |
Error Handling | Swallowed errors, lost context, missing cleanup/rollback, inconsistent error patterns |
| 6 |
Performance & Best Practices | Inefficient loops, unnecessary allocations, N+1 queries, idiomatic violations for the language |
Output Classification
Every finding
MUST be classified as one of:
- - 🔴 Critical Issue: Must-fix logic bugs, safety issues, data loss risks, security vulnerabilities, or race conditions.
- 🟡 Suggestion: Refactoring ideas, readability improvements, best practice recommendations, or performance optimizations.
Setup & Configuration
To use this skill, ensure the following environment variables are present in your workspace:
- -
BITBUCKET_API_TOKEN — A strictly scoped token with Repositories: Read and Pull requests: Read only. - INLINECODE9� — The workspace slug from the Bitbucket URL (e.g.,
dbvisitsoftware).
Note: The script is located at {baseDir}/bb-cli.sh. Ensure it has execute permissions (chmod +x {baseDir}/bb-cli.sh). {baseDir} resolves to the directory containing this SKILL.md file.
Available Commands
All commands output JSON to stdout, except diff and file which return raw text.
Pull Requests (Primary Focus)
List pull requests
{baseDir}/bb-cli.sh prs <REPO_SLUG> [STATE]
Options for STATE: OPEN (default),
MERGED,
DECLINED
Returns: �INLINECODE19
Get PR details
{baseDir}/bb-cli.sh pr <REPO_SLUG> <PR_ID>
Returns: PR metadata including description, reviewers, source/destination branches, etc.
Get PR comments (contains both general and inline comments)
{baseDir}/bb-cli.sh comments <REPO_SLUG> <PR_ID>
Returns: �INLINECODE20
List commits in a PR
{baseDir}/bb-cli.sh pr-commits <REPO_SLUG> <PR_ID>
Returns: �INLINECODE21
Code Changes & Diffs
Get PR diffstat (Summary of changed files) - ALWAYS RUN THIS FIRST
{baseDir}/bb-cli.sh diffstat <REPO_SLUG> <PR_ID>
Returns: �INLINECODE22
Get PR diff (Full or Specific File)
{baseDir}/bb-cli.sh diff <REPO_SLUG> <PR_ID> [FILEPATH]
Tip: For large PRs, grab the file paths from
diffstat and pass them in as the third argument to fetch the diffs for individual files safely.
Returns: Raw unified diff text.
Repositories, Branches & Source Code
List all repositories
{baseDir}/bb-cli.sh repos
Returns: �INLINECODE24
List branches in a repository (can optionally filter by name)
{baseDir}/bb-cli.sh branches <REPO_SLUG> [FILTER]
Returns: �INLINECODE25
List recent commits on a branch
{baseDir}/bb-cli.sh commits <REPO_SLUG> [BRANCH]
Note: Defaults to
master. Returns list of commit hashes and messages.
Read file contents from source tree
{baseDir}/bb-cli.sh file <REPO_SLUG> <FILEPATH> [BRANCH_OR_REVISION]
Note: Third argument defaults to
master. Returns raw file contents.
List directory contents
{baseDir}/bb-cli.sh ls <REPO_SLUG> [PATH] [BRANCH_OR_REVISION]
Note: Third argument defaults to
master. Returns:
[{ path, type, size }]
Automated PR Review Export
When you have finished analyzing a Pull Request and formed your final review, you MUST export it to the local filesystem so it can be picked up by automated email workflows (like Open Claw).
Export Instructions:
- 1. Target Path: Always save your review to
{baseDir}/reviews/<REPO_SLUG>-<PR_ID>.md. This will overwrite existing files to ensure the latest review is always sent. Ensure the reviews/ directory is created if it does not exist. - Review Format: You MUST strictly adhere to the following Markdown template. Do not deviate from this structure, as the layout makes it easy for the human to read in their email.
CODEBLOCK11�
External Endpoints
This skill makes HTTPS GET requests to the following endpoint only:
| Endpoint | Data Sent | Purpose |
|---|
| INLINECODE32 | INLINECODE33� header | Read repository data, PR metadata, diffs, comments, and file contents |
No data is POST-ed, PUT, or DELETE-d. The token is sent exclusively via the Authorization header over HTTPS.
Security & Privacy
- - Read-only access: This skill cannot modify any data in Bitbucket. It uses only GET requests.
- Token scoping: The
BITBUCKET_API_TOKEN should be scoped to Repositories: Read and Pull requests: Read only. Do not use tokens with write permissions. - Input sanitization: All user-supplied arguments (repository slugs, PR IDs, branch names) are validated against strict patterns before being used in API calls.
- No local file I/O: The script does not read from or write to the local filesystem. All output goes to stdout/stderr.
- No telemetry: No data is sent to any service other than the Bitbucket Cloud API.
Trust Statement
This skill is open-source and available for inspection at github.com/zan768616253/skill-bitbucket-toolbox. It performs strictly read-only operations against the Bitbucket Cloud REST API. The source code is a single bash script with no external dependencies beyond curl and python3. All API interactions use HTTPS and Bearer token authentication. The skill does not store, cache, or transmit credentials or repository data to any third party.
Bitbucket PR 代码审查技能
该技能的主要功能是自动化代码审查。它通过一个 bash 封装脚本(bb-cli.sh)为 AI 代理提供对 Bitbucket Cloud 的只读访问,专为 Pull Request 分析优化——允许代理安全地调查 PR 差异、逐个审查文件变更,并提供严格、全面的代码审查。它还支持常规的 Bitbucket 信息检索(仓库、分支、提交、文件浏览)作为辅助功能。
⚠️ 代理的关键规则
- 1. 处理大型 PR: 如果 Pull Request 有数十个变更文件或数百行代码,请勿立即调用完整的 diff。始终先调用 diffstat。 然后,使用 diff 安全地逐个文件审查 PR!
- 只读访问: 您不能创建、合并、批准或拒绝 PR,也不能推送代码。请勿尝试任何写操作。
- 默认分支: 默认情况下,文件检索和提交列表使用 master。如果仓库不使用 master,请明确提供 main 或其他分支名称。
代码审查标准
在进行 PR 审查时,您必须扮演高级员工软件工程师和世界级代码审查员的角色。您的审查必须极其严格——如果一行代码可以写得更清晰、更安全或更符合惯例,您必须指出。要详尽无遗——不要在发现几个明显问题后就停止。深入每个变更文件,尽可能多地发现问题,无论多么微小。目标是做到不留死角。
语言无关方法
这些审查标准适用于您遇到的
每种语言——Go、Java、Python、TypeScript、SQL、shell 脚本、配置文件或任何其他语言。不要为任何语言降低标准。对于每个文件,您必须动态应用该语言的
社区公认的习惯性最佳实践和约定。无论使用何种语言,都要以最高标准要求代码的正确性、安全性和清晰度。
两遍审查方法
您
必须对每个 PR 执行两遍审查:
第一遍——架构与设计(整体)
在深入逐行审查之前,先审查
变更的完整集合:
- 1. 阅读 diffstat 以了解 PR 的范围和形态。
- 审查所有变更文件以评估:
-
整体设计连贯性: 变更是否形成一个逻辑清晰、结构良好的工作单元?
-
关注点分离: 职责是否在文件/模块/包之间得到适当划分?
-
耦合与依赖: 是否引入了不必要或循环依赖?
-
一致性: 变更是否遵循现有项目模式和约定?
-
缺失部分: 是否存在明显空白——例如,缺少测试、缺少错误处理、缺少公共 API 的文档?
-
范围蔓延: PR 是否试图一次性做太多事情?
第二遍——逐行深入审查(严格)
对于每个变更文件,严格根据以下六个标准进行评估:
| # | 标准 | 需要关注的内容 |
|---|
| 1 | 逻辑与正确性 | 竞态条件、差一错误、有缺陷的业务逻辑、不正确的状态转换 |
| 2 |
边界情况 | 空值、空集合、超时、断开连接状态、边界值、整数溢出 |
| 3 |
可维护性与设计 | 模块化、SOLID 原则、不必要的耦合、代码重复、单一职责 |
| 4 |
可读性 | 能表达意图的变量名、清晰的控制流、适当的注释(不过度) |
| 5 |
错误处理 | 吞没错误、丢失上下文、缺少清理/回滚、不一致的错误模式 |
| 6 |
性能与最佳实践 | 低效循环、不必要的分配、N+1 查询、违反语言习惯用法 |
输出分类
每个发现
必须分类为以下之一:
- - 🔴 关键问题: 必须修复的逻辑错误、安全问题、数据丢失风险、安全漏洞或竞态条件。
- 🟡 建议: 重构想法、可读性改进、最佳实践建议或性能优化。
设置与配置
要使用此技能,请确保工作区中存在以下环境变量:
- - BITBUCKETAPITOKEN — 一个严格限定范围的令牌,仅具有仓库:读取和拉取请求:读取权限。
- BITBUCKET_WORKSPACE — Bitbucket URL 中的工作区标识(例如 dbvisitsoftware)。
注意:脚本位于 {baseDir}/bb-cli.sh。确保它具有执行权限(chmod +x {baseDir}/bb-cli.sh)。{baseDir} 解析为包含此 SKILL.md 文件的目录。
可用命令
所有命令输出 JSON 到标准输出,diff 和 file 命令除外,它们返回原始文本。
拉取请求(主要关注点)
列出拉取请求
bash
{baseDir}/bb-cli.sh prs [STATE]
STATE 选项: OPEN(默认)、MERGED、DECLINED
返回: { total, pullrequests: [...] }
获取 PR 详情
bash
{baseDir}/bb-cli.sh pr SLUG> ID>
返回: PR 元数据,包括描述、审查者、源/目标分支等。
获取 PR 评论(包含一般评论和内联评论)
bash
{baseDir}/bb-cli.sh comments SLUG> ID>
返回: { count, comments: [{ id, author, content, inline:{path, from, to}, created }] }
列出 PR 中的提交
bash
{baseDir}/bb-cli.sh pr-commits SLUG> ID>
返回: [{ hash, message, author, date }]
代码变更与差异
获取 PR diffstat(变更文件摘要)——始终先运行此命令
bash
{baseDir}/bb-cli.sh diffstat SLUG> ID>
返回: { fileschanged, totaladded, totalremoved, files: [{ path, status, linesadded, lines_removed }] }
获取 PR diff(完整或特定文件)
bash
{baseDir}/bb-cli.sh diff SLUG> ID> [FILEPATH]
提示: 对于大型 PR,从 diffstat 获取文件路径,并将其作为第三个参数传入,以安全地获取单个文件的差异。
返回: 原始统一差异文本。
仓库、分支与源代码
列出所有仓库
bash
{baseDir}/bb-cli.sh repos
返回: [{ slug, name, fullname, language, updated, isprivate, url }]
列出仓库中的分支(可选按名称过滤)
bash
{baseDir}/bb-cli.sh branches [FILTER]
返回: [{ name, hash, date, author }]
列出分支上的最近提交
bash
{baseDir}/bb-cli.sh commits [BRANCH]
注意: 默认为 master。返回提交哈希和消息列表。
从源代码树读取文件内容
bash
{baseDir}/bb-cli.sh file SLUG> [BRANCHOR_REVISION]
注意: 第三个参数默认为 master。返回原始文件内容。
列出目录内容
bash
{baseDir}/bb-cli.sh ls SLUG> [PATH] [BRANCHOR_REVISION]
注意: 第三个参数默认为 master。返回:[{ path, type, size }]
自动化 PR 审查导出
当您完成对 Pull Request 的分析并形成最终审查意见后,您必须将其导出到本地文件系统,以便自动化邮件工作流(如 Open Claw)拾取。
导出说明:
- 1. 目标路径: 始终将您的审查保存到 {baseDir}/reviews/SLUG>-ID>.md。这将覆盖现有文件,以确保始终发送最新的审查。如果 reviews/ 目录不存在,请确保创建它。
- 审查格式: 您必须严格遵守以下 Markdown 模板。不要偏离此结构,因为该布局便于人类在邮件中阅读。
markdown
PR 审查:{REPOSLUG} #{PRID}
摘要
- - 总体评估: [通过 / 需要改进 / 拒绝]
- 风险等级: [低 / 中 / 高]
- 主要结论: [最重要的发现的一句话总结]
架构与设计审查
[第一遍的整体观察:设计连贯性、关注点分离、耦合、
