What happened
The review bot's output on PR #1202 and PR #1277 contained only code-level findings ("No findings" in both cases). Neither review mentioned that the PR was from a fork, that the contributor was unknown, or that the fork/account was newly created. A maintainer reading only the review comment would have no context about contributor trust — they would need to manually inspect the PR metadata to assess risk.
The repo's threat model explicitly prioritizes external injection over all other threats, yet the review output provided zero signal about the external nature of these contributions.
What could go better
The review agent should include a brief metadata section in its review output that surfaces trust-relevant signals: whether the PR is from a fork, whether the author is a first-time contributor, and whether the fork or account is newly created. This gives human reviewers immediate context without requiring them to dig into PR metadata.
Confidence: Medium-high. The information is readily available from the GitHub API and adds minimal cost. The value depends on how often maintainers read review bot comments vs. inspecting PRs directly — but since the bot already posts structured reviews, adding a metadata section is low-effort and high-signal.
What I could be wrong about: Maintainers may already check this information themselves and not need it surfaced. Adding it could also create noise for repos that welcome external contributions. This should be optional or configurable.
Proposed change
In the pr-review skill's context-gathering phase, add a contributor metadata check and include the results in the review output.
In skills/pr-review/SKILL.md (or equivalent), add to the early context-gathering steps:
- Check if PR is fork-based:
pr.head.repo.fork == true
- Check author's contribution history:
gh api repos/{owner}/{repo}/commits?author={login}&per_page=1
- Check account age relative to PR creation (optional, from
gh api users/{login} created_at field)
In the review output template, add a "Context" or "Metadata" section before findings:
## Context
- **Source:** Fork PR from @{author} (first-time contributor)
- **Account created:** {date}
- **Fork created:** {date}
This section should only appear when trust-relevant signals are present (fork PRs, new contributors). For PRs from org members or known contributors, it can be omitted to reduce noise.
Validation criteria
Over the next 5 fork-based PRs from external contributors:
- The review output should include a metadata/context section noting the PR is from a fork and whether the author is a first-time contributor.
- For PRs from org members, no such section should appear (no noise added).
- The metadata section should be factually accurate (correct fork status, correct contributor history).
Generated by retro agent from #1202
What happened
The review bot's output on PR #1202 and PR #1277 contained only code-level findings ("No findings" in both cases). Neither review mentioned that the PR was from a fork, that the contributor was unknown, or that the fork/account was newly created. A maintainer reading only the review comment would have no context about contributor trust — they would need to manually inspect the PR metadata to assess risk.
The repo's threat model explicitly prioritizes external injection over all other threats, yet the review output provided zero signal about the external nature of these contributions.
What could go better
The review agent should include a brief metadata section in its review output that surfaces trust-relevant signals: whether the PR is from a fork, whether the author is a first-time contributor, and whether the fork or account is newly created. This gives human reviewers immediate context without requiring them to dig into PR metadata.
Confidence: Medium-high. The information is readily available from the GitHub API and adds minimal cost. The value depends on how often maintainers read review bot comments vs. inspecting PRs directly — but since the bot already posts structured reviews, adding a metadata section is low-effort and high-signal.
What I could be wrong about: Maintainers may already check this information themselves and not need it surfaced. Adding it could also create noise for repos that welcome external contributions. This should be optional or configurable.
Proposed change
In the pr-review skill's context-gathering phase, add a contributor metadata check and include the results in the review output.
In
skills/pr-review/SKILL.md(or equivalent), add to the early context-gathering steps:pr.head.repo.fork == truegh api repos/{owner}/{repo}/commits?author={login}&per_page=1gh api users/{login}created_at field)In the review output template, add a "Context" or "Metadata" section before findings:
This section should only appear when trust-relevant signals are present (fork PRs, new contributors). For PRs from org members or known contributors, it can be omitted to reduce noise.
Validation criteria
Over the next 5 fork-based PRs from external contributors:
Generated by retro agent from #1202