Automated audit: This PR was generated by NLPM, a natural language programming linter, running via claude-code-action. Please evaluate the diff on its merits.
Five commands declared no allowed-tools in their frontmatter. In Claude Code, a command with no allowed-tools cannot make any tool calls — all tool use is denied. This means each of these commands is broken: their described workflows silently fail at the first tool call.
| Command | Missing tools | Impact |
|---|---|---|
| `pr-review/commands/pr-review.md` | `Bash(git:*)`, `Bash(gh:*)`, `Read`, `Glob`, `Grep` | Cannot read diff or fetch PR data |
| `commit/commands/commit.md` | `Bash(git:*)`, `Bash(npm:*)`, `Bash(yarn:*)`, `Bash(pnpm:*)` | Cannot run pre-commit checks or execute git commit |
| `create-pr/commands/create-pr.md` | `Bash(git:*)`, `Bash(gh:*)`, `Bash(biome:*)`, `Read`, `Glob` | Cannot create branch, format files, or open PR |
| `documentation-generator/commands/documentation-generator.md` | `Read`, `Write`, `Edit`, `Glob`, `Grep` | Cannot read any source files to generate docs |
| `bug-fix/commands/bug-fix.md` | `Bash(git:*)`, `Bash(gh:*)`, `Read`, `Write`, `Edit`, `Glob`, `Grep` | Cannot create issue, checkout branch, commit, or push |
Added allowed-tools to each command's frontmatter, scoped to the tools their body actually requires:
The tool lists are minimal — each entry is justified by a concrete operation described in the command body.
Without this fix, users invoking any of these commands get silent failures: the command body runs but all tool calls are rejected. With allowed-tools declared, the permissions contract is explicit and the commands can actually perform their described workflows.
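A reviewer can check the same condition mechanically. The script below is an added example, not part of this PR or of NLPM: it reads each command file's frontmatter, reports files with no `allowed-tools` key, and also flags a bare `Bash` entry that is not scoped to a command prefix. The sample file contents and the helper names (`frontmatter`, `allowed_tools`, `audit`) are constructed for illustration.

```python
import re

# Constructed sample command files (not taken from the PR): path -> markdown text.
SAMPLES = {
    "commit/commands/commit.md": "---\ndescription: Create a commit\n---\nRun git commit.\n",
    "pr-review/commands/pr-review.md": "---\nallowed-tools: Bash(git:*), Bash(gh:*), Read, Glob, Grep\n---\nReview.\n",
    "bug-fix/commands/bug-fix.md": "---\nallowed-tools:\n  - Bash\n  - Read\n---\nFix the bug.\n",
}

def frontmatter(text):
    """Return the lines between the leading '---' fences, or [] if there are none."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return []
    for i, line in enumerate(lines[1:], start=1):
        if line.strip() == "---":
            return lines[1:i]
    return []  # unterminated frontmatter is treated as absent

def allowed_tools(text):
    """Parse allowed-tools (inline comma list or YAML block list); None if absent."""
    fm = frontmatter(text)
    for i, line in enumerate(fm):
        m = re.match(r"allowed-tools\s*:\s*(.*)$", line)
        if not m:
            continue
        inline = m.group(1).strip().strip("[]")
        if inline:
            # Split on commas that are not inside parentheses, e.g. Bash(git:*).
            return [t.strip() for t in re.split(r",(?![^()]*\))", inline) if t.strip()]
        items = []
        for nxt in fm[i + 1:]:
            item = re.match(r"\s*-\s+(.+)$", nxt)
            if not item:
                break
            items.append(item.group(1).strip())
        return items
    return None

def audit(files):
    """Map each problem file to its findings; files with scoped lists are omitted."""
    findings = {}
    for path, text in files.items():
        tools = allowed_tools(text)
        if tools is None:
            findings[path] = ["no allowed-tools declared"]
        elif "Bash" in tools:
            findings[path] = ["Bash is not scoped to a command prefix"]
    return findings

if __name__ == "__main__": print(audit(SAMPLES))
```

To run it against a checkout, replace `SAMPLES` with a dict built from the repository's `*/commands/*.md` files.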