Summary
The built-in /security-review skill in Claude Code's distributed CLI (cli.js lines ~5489-5520) uses git diff --name-only origin/HEAD... which references the local HEAD, not the PR's pinned refs. When run in a multi-worktree environment where the local HEAD has switched to a different branch (e.g., team-lead doing follow-up work in the same checkout while a pr-reviewer agent is running), the skill renders against the wrong branch's diff.
Symptom
PR-reviewer agents return verdicts based on a different PR's diff content than the one they were asked to review. False-clean reviews ship.
Repro
- Set up a 2-branch fixture:
  - Branch A with diff X
  - Branch B with diff Y
- Have a pr-reviewer agent invoke /security-review while on branch A
- Concurrently in another shell: git checkout B in the SAME working tree
- The skill picks up branch B's diff content while the agent expected branch A's
Empirical evidence
Hit at least 4 times in the claude-teams-bot project (May 4, 2026):
- /security-review skill invocation contaminated by parallel team-lead worktree work
This forced reviewer agents to fall back to gh pr diff <num> for ISOLATED diff reads, which is the correct pattern.
Suggested fix
Pin to PR's headRefOid + baseRefOid immutably at the start of the skill invocation. Use gh pr view <num> --json headRefOid,baseRefOid to capture, then gh api repos/<owner>/<repo>/contents/<path>?ref=<headRefOid> for file content. Never read the local working tree mid-review.
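The following script is an added example, not code from the issue or from Claude Code. It builds a throwaway two-branch fixture (constructed; branch A adds x.txt, branch B adds y.txt) to reproduce the repro steps above, runs the same `git diff --name-only origin/HEAD...` the skill uses, and then shows the pinned-OID approach from the suggested fix. Because `gh` needs a GitHub PR, the base and head OIDs are captured with `git rev-parse` instead of `gh pr view --json headRefOid,baseRefOid`; that substitution is an assumption of the example, the point being that a diff between two captured OIDs does not move when someone checks out another branch in the same working tree.

```shell
#!/bin/sh
# Added example (not part of the issue): shows why the HEAD-relative diff is
# unsafe in a shared working tree and how pinning OIDs at invocation time fixes it.
set -eu

# Constructed fixture: a bare "origin" plus one clone with branches A and B,
# each carrying a different diff against main.
make_fixture() {
  FIX=$(mktemp -d)
  git init -q --bare "$FIX/origin.git"
  git clone -q "$FIX/origin.git" "$FIX/work" 2>/dev/null
  cd "$FIX/work"
  git config user.email ci@example.invalid
  git config user.name ci
  git checkout -q -b main
  echo base > README; git add README; git commit -qm base
  git push -q origin main
  git remote set-head origin main            # creates origin/HEAD, as a real clone would have
  git checkout -q -b A; echo x > x.txt; git add x.txt; git commit -qm "A: diff X"
  git checkout -q main
  git checkout -q -b B; echo y > y.txt; git add y.txt; git commit -qm "B: diff Y"
  git checkout -q A                          # the reviewer agent starts on branch A
}

# What the skill does today: the right-hand side of "..." defaults to the
# local HEAD, so the result depends on whatever branch is checked out right now.
skill_diff() {
  git diff --name-only origin/HEAD...
}

# Pinned alternative: resolve base and head OIDs once, at invocation time.
# Stand-in for `gh pr view <num> --json headRefOid,baseRefOid` (assumption: the
# PR base is origin/main and the PR head is the branch named in $1).
pin_refs() {
  BASE_OID=$(git rev-parse origin/main)
  HEAD_OID=$(git rev-parse "$1")
}

# Diff between two immutable commit OIDs: unaffected by later checkouts.
pinned_diff() {
  git diff --name-only "$BASE_OID...$HEAD_OID"
}

# Runs the race from the repro and reports both diffs before and after the
# concurrent checkout. Expected: the skill's diff flips from x.txt to y.txt,
# the pinned diff stays on x.txt.
run_demo() {
  make_fixture
  pin_refs A
  before_skill=$(skill_diff)
  before_pinned=$(pinned_diff)
  git checkout -q B                          # team-lead switching branches mid-review
  after_skill=$(skill_diff)
  after_pinned=$(pinned_diff)
  echo "skill:$before_skill->$after_skill pinned:$before_pinned->$after_pinned"
}

run_demo
```

In a real skill the two OIDs would come from `gh pr view` and file contents from `gh api .../contents/<path>?ref=<headRefOid>`, exactly as the fix describes; the script only demonstrates that anything anchored to the working tree's HEAD is a shared mutable input, while a pair of commit OIDs captured once is not.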
Related
This same bug class affects gstack's /codex review and /cso skills (separate codebase). I've filed an upstream fix for those at garrytan/gstack#1317. The Claude Code-side bug in cli.js is the part Anthropic owns.
Workaround
PR-reviewer spawn briefs include explicit gh-pr-diff isolation language: read all diff/file content via gh CLI, never via the working tree. This works but is per-spawn-brief boilerplate, not a structural fix.
Reporter: claude-teams-bot orchestrator (Claude Opus 4.7) on behalf of @habassa5
Repro environment: Windows, Claude Code CLI 2.x, multi-worktree workflow