Skill for completing tech breakdowns #148
Co-authored-by: Mick Letofsky <mick.tosk@gmail.com>
Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
Plugin Validation Summary —
| Check | Result |
|---|---|
| plugin.json valid JSON, name/version/required fields | ✅ bitwarden-delivery-tools, 2.1.0, valid semver |
| Version consistency (plugin.json ↔ marketplace.json) | ✅ both 2.1.0, descriptions match verbatim |
| CHANGELOG has [2.1.0] entry in Keep a Changelog format | ✅ CHANGELOG.md:8 documents the new skill |
| Directory/auto-discovery layout skills/<name>/SKILL.md | ✅ matches frontmatter name |
| README documents the new skill | ✅ README.md:34 (Technical design table) |
| No hardcoded credentials | ✅ none found |
2. Skill Review (skill-reviewer) — completing-breakdown
PASS (with minor cleanups). Frontmatter well-formed; description is strong (third-person, six explicit trigger phrases, ~330 chars). Body is ~707 words — below the 1,000–3,000 target but appropriate for this narrow, single-file procedural task, so progressive disclosure is not warranted. Writing style is consistently imperative. No broken file references (skill references no external files).
3. Security Validation (reviewing-claude-config)
PASS. No committed secrets, no hardcoded credentials, no settings.local.json in the changeset.
- allowed-tools scoping (SKILL.md:6): narrowly scoped — Read, Edit, Glob, Bash(git mv:*), Bash(git status:*), Bash(mkdir:*), AskUserQuestion. No blanket Bash. ✅
- Path-injection defense: The path-interpolating commands (git mv, mkdir) are backed by explicit input validation — slug/Jira-key regex allowlists, .. and out-of-tree path rejection, and mandatory single-quoting of interpolated operands (SKILL.md:43, :60, :61). Positive security practice. ✅
Findings
Critical (must fix): 0
None.
Major (must fix): 0
None.
Minor (should fix)
- SKILL.md:76 — Orphan closing tag. The Output section opens as a Markdown heading ## Output (line 69) but the body ends with a stray </output> tag that has no matching opener (copy/paste artifact). Fix: delete the </output> on line 76. (The <HARD-GATE>/</HARD-GATE> pair at lines 15/23 is correctly balanced.)
- SKILL.md:30 — Typos in a Key Principle heading. "Inform the use after move is complete." should read "Inform the user after the move is complete." Fix: use → user (and add "the"). User-facing guidance text.
- SKILL.md:4-5 — Non-standard frontmatter keys (argument-hint, arguments). Only name and description are required/standard for skills; argument-hint/arguments are command-oriented fields and may be inert in a skill context. The body relies on $breakdown (line 16), so verify that arguments: breakdown actually populates $breakdown at activation — if it does not, the HARD-GATE's "If $breakdown was provided" branch is dead logic. Note: this matches the existing convention across 5 sibling skills in this plugin, so it is not a regression introduced by this PR. No action required for merge; noted for consistency awareness.
- CHANGELOG.md:8 — Date confirmation. The [2.1.0] entry is dated 2026-06-19, identical to the [2.0.0] entry below it. Same-day releases are legal; just confirm the date is intended (repo context date is 2026-07-01).
- SKILL.md:21 — Undefined term. The skill repeatedly references "the tech-breakdowns checkout / working copy" (lines 21, 36, 43, 61) without establishing where it is. A one-line note in the Overview clarifying that breakdowns live in a separate bitwarden/tech-breakdowns working copy would help the skill stand alone. Minor.
Positive Highlights
- Excellent security hygiene in the new skill: explicit path-traversal rejection, slug/Jira-key regex validation, and shell-metacharacter-safe single-quoting before any git mv/mkdir.
- allowed-tools uses narrow, scoped Bash(...) permissions rather than blanket Bash.
- Version bump, changelog entry, marketplace entry, and README documentation are all present and consistent — fully satisfies the repo's plugin-change requirements.
- Correct ordering rationale ("Status flip then move") and history preservation via git mv are documented with their failure modes.
Overall: safe to merge. The recommended fixes (orphan tag, typo) are cosmetic.
🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

Reviewed the new The prior review's security concern (unquoted/unvalidated path interpolation into

Code Review Details

No findings meet the reporting threshold. Previously raised concerns from existing review threads have been addressed in the current revision.
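The defenses both reviews refer to (allowlisted names, `..` and out-of-tree rejection, single-quoted operands), sketched as an added example that is not taken from SKILL.md or this PR. The name rules, the `.md` file layout, the directory names and every function name are assumptions.

```sh
#!/bin/sh
# Added illustration, not the skill's own code: validate, confine, then quote
# the operands of a git mv. Name rules and directory layout are assumptions.
LC_ALL=C; export LC_ALL   # byte-exact [a-z] / [A-Z] ranges

# valid_slug NAME: lowercase letters, digits, single inner hyphens (assumed rule)
valid_slug() {
  case $1 in
    ''|-*|*-|*--*|*[!a-z0-9-]*) return 1 ;;
  esac
}

# valid_jira_key KEY: PROJECT-123 shape (assumed rule)
valid_jira_key() {
  case $1 in *-*) ;; *) return 1 ;; esac
  case ${1%%-*} in ''|*[!A-Z]*) return 1 ;; esac
  case ${1#*-} in ''|*[!0-9]*) return 1 ;; esac
}

# in_tree REL: relative path with no empty, "." or ".." component (lexical only)
in_tree() {
  case /$1/ in
    *//*|*/../*|*/./*) return 1 ;;
  esac
}

# sq STRING: wrap in single quotes, rewriting each embedded ' as '\''
sq() {
  sq_s=$1 sq_out=
  while :; do
    case $sq_s in
      *\'*) sq_head=${sq_s%%\'*}; sq_s=${sq_s#*\'}; sq_out="$sq_out$sq_head'\\''" ;;
      *) break ;;
    esac
  done
  printf "'%s'" "$sq_out$sq_s"
}

# move_cmd SRC_DIR DEST_DIR NAME: print the quoted command, or fail closed
move_cmd() {
  in_tree "$1" && in_tree "$2" || return 1
  valid_slug "$3" || valid_jira_key "$3" || return 1
  printf 'git mv -- %s %s\n' "$(sq "$1/$3.md")" "$(sq "$2/$3.md")"
}

# Constructed inputs: the first prints a command, the second is refused.
move_cmd 'in-progress' 'completed' 'PM-1234'
move_cmd 'in-progress' '../../tmp' 'PM-1234' || echo 'refused' >&2
```

The `in_tree` check is lexical and does not resolve symlinks that already exist inside the working copy.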
theMickster
left a comment
Suggested adjustments to the skill are posted. No longer a codeowner; so they're just suggestions now. Lemme know if you need any follow-up help.
📔 Objective
Adds the next in a sequence of changes to decompose and enhance the existing writing-tech-breakdowns skill, for use with our new tech-breakdowns repo.