Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Astrai Code Review

v1.0.0

AI-powered code review with intelligent model routing — saves 40%+ vs always using the most expensive model


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for beee003/astrai-code-review.

Install the skill "Astrai Code Review" (beee003/astrai-code-review) from ClawHub.
Skill page: https://clawhub.ai/beee003/astrai-code-review
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: ASTRAI_API_KEY
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install beee003/astrai-code-review

ClawHub CLI


npx clawhub@latest install astrai-code-review

Security Scan

VirusTotal: Suspicious

OpenClaw: Suspicious (medium confidence)

Purpose & Capability

The name/description (Astrai code review with model routing) aligns with the included plugin.py and the declared ASTRAI_API_KEY requirement. Optional provider keys (OpenAI, Anthropic, etc.) are expected for BYOK routing and are present in the code's PROVIDER_KEY_MAP.

Instruction Scope (flagged)

The plugin reads an environment variable ASTRAI_BASE_URL to override the API base URL, but ASTRAI_BASE_URL is not declared in the SKILL.md environment table. The SKILL.md claims diffs are sent to as-trai.com; the code allows directing requests to any URL via ASTRAI_BASE_URL, which is an undocumented but powerful override.

Install Mechanism

There is no install spec and the skill is instruction-only plus a single plugin.py file. Nothing is downloaded from an external or arbitrary URL during install.

Credentials (flagged)

The skill requires ASTRAI_API_KEY and optionally collects many provider API keys for BYOK. The plugin gathers these provider keys from the environment and sends them in an HTTP header (X-Astrai-Provider-Keys) to the Astrai routing endpoint. Sending full provider API keys to a third party is a sensitive, high-privilege action; the SKILL.md promises keys are 'never stored' and sent in an 'encrypted header', but the code simply JSON-encodes them into a header (relying on HTTPS for transport protection) and keeps them in memory during the session.

Persistence & Privilege

The skill is not always-enabled, does not modify other skills, and keeps tracking counters in memory. It does not request persistent system-wide privileges. Autonomous invocation is allowed (platform default) but not combined with other excessive privileges here.

What to consider before installing

This skill appears to implement what it claims (an Astrai routing code-review proxy), but take these precautions before installing or providing keys:

  • Only provide ASTRAI_API_KEY if you trust the Astrai service. The plugin will send diffs and review content to the configured Astrai endpoint.
  • Do not provide your provider API keys (OpenAI/Anthropic/etc.) unless you explicitly trust Astrai to use them; the plugin will include them (JSON-encoded) in the X-Astrai-Provider-Keys header and transmit them to the Astrai endpoint. That gives Astrai the ability to act with those keys.
  • Verify or lock ASTRAI_BASE_URL: the code honors ASTRAI_BASE_URL (defaults to https://as-trai.com). If you do not set this, it will use the documented host; if you set it, you could redirect the traffic to another server. The SKILL.md failed to document this env var. Do not change ASTRAI_BASE_URL unless you know what you are doing.
  • The SKILL.md asserts keys are 'never stored' and headers are 'encrypted'; note that the implementation relies on HTTPS (transport) and keeps keys only in memory. There is no code-level encryption/persistence shown. If you need stronger guarantees (e.g., zero knowledge), review the server-side behaviour and the Astrai privacy policy, or avoid BYOK mode.
  • If you want to minimize risk, use this in local-only mode (do not set provider keys) so Astrai will route to its hosted models via your ASTRAI_API_KEY, or avoid providing any provider keys and instead call providers yourself locally.

If you want a higher-confidence assessment, provide the remainder of plugin.py (the truncated portion) and confirm whether ASTRAI_BASE_URL or any logging/persistence code appears elsewhere.


Runtime requirements

🔍 Clawdis
Env: ASTRAI_API_KEY
Primary env: ASTRAI_API_KEY

Latest version id: vk971bdm8t8h2d1s3t8yybe5xzs819jn4
764 downloads
0 stars
1 version
Updated 9h ago
v1.0.0
License: MIT-0

Astrai Code Review

AI-powered code review with intelligent model routing. Complex logic goes to powerful models. Formatting and style go to fast, cheap ones. You save 40%+ without sacrificing quality.

What it does

  • Smart routing for reviews: Astrai analyzes the diff complexity and routes to the optimal model. A gnarly concurrency bug gets Opus. A missing semicolon gets Haiku. You only pay for the intelligence you need.
  • Structured output: Every review returns typed issues with file, line number, severity (critical/warning/info), message, and a concrete suggestion.
  • Strictness modes: Standard catches bugs and logic errors. Strict adds style and best-practice checks. Security mode focuses on vulnerabilities, injection, auth, and data exposure.
  • BYOK (Bring Your Own Keys): Your provider API keys stay with you. Astrai decides which model to use, then calls the provider using YOUR key. You pay providers directly.
  • Cost tracking: Every review response includes the cost and how much you saved vs always using the most expensive model.
  • Local-only mode: If you only set ASTRAI_API_KEY without provider keys, Astrai uses its own hosted models. Still routed intelligently, still cheap.

Setup

  1. Get a free API key at as-trai.com
  2. Set ASTRAI_API_KEY in your environment or skill config
  3. Optionally add provider API keys for BYOK routing (e.g. ANTHROPIC_API_KEY, OPENAI_API_KEY)
  4. Run /review on any diff or PR

Usage

/review                     Review the current diff (staged changes)
/review --strict            Strict mode: bugs + style + best practices
/review --focus security    Security-focused review (vulns, injection, auth)
/review --file src/auth.py  Review a specific file

Examples

Basic review of staged changes:

/review

Returns issues found in the current diff with severity levels and suggestions.

Strict review for a PR:

/review --strict

Catches not just bugs but also style violations, naming issues, and missed best practices.

Security audit:

/review --focus security

Focuses on SQL injection, XSS, auth bypass, hardcoded secrets, insecure deserialization, and other vulnerability classes.

Environment Variables

Variable            | Required | Description                        | Default
ASTRAI_API_KEY      | Yes      | Your API key from as-trai.com      | --
ANTHROPIC_API_KEY   | No       | Anthropic key for BYOK routing     | --
OPENAI_API_KEY      | No       | OpenAI key for BYOK routing        | --
GOOGLE_API_KEY      | No       | Google key for BYOK routing        | --
DEEPSEEK_API_KEY    | No       | DeepSeek key for BYOK routing      | --
MISTRAL_API_KEY     | No       | Mistral key for BYOK routing       | --
GROQ_API_KEY        | No       | Groq key for BYOK routing          | --
TOGETHER_API_KEY    | No       | Together key for BYOK routing      | --
FIREWORKS_API_KEY   | No       | Fireworks key for BYOK routing     | --
COHERE_API_KEY      | No       | Cohere key for BYOK routing        | --
PERPLEXITY_API_KEY  | No       | Perplexity key for BYOK routing    | --
REVIEW_STRICTNESS   | No       | standard, strict, or security      | standard

External Endpoints

Endpoint                                  | Purpose                                         | Data Sent
https://as-trai.com/v1/chat/completions   | Code review inference via intelligent routing   | Diff content, file context, review instructions

Security & Privacy

  • All requests authenticated via API key in the Authorization header
  • Diffs are sent to the Astrai routing API, which forwards to the selected provider
  • In BYOK mode, provider keys are sent via encrypted header (X-Astrai-Provider-Keys) and never stored
  • No diffs, code, or review results are retained by Astrai after the request completes
  • Source code is fully open: github.com/beee003/astrai-openclaw
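As an added example that is not part of the skill's own plugin.py or of the ClawHub scan, the following pre-install audit applies the precautions from the scan's "What to consider before installing" section and checks the claims in the Security & Privacy list above against your environment: it resolves the effective base URL (ASTRAI_BASE_URL, with the documented default of https://as-trai.com), lists which optional provider keys would be forwarded in the X-Astrai-Provider-Keys header, and can strip them to force local-only mode. The variable names are the ones from the Environment Variables table; the sample environment in the usage block is constructed and holds placeholder values, not real keys.

```python
"""Pre-install audit of the environment the Astrai Code Review skill would read.

Added example, not part of the skill or the ClawHub scan. Variable names come
from the skill's Environment Variables table; the header name and default base
URL come from the scan summary. audit_env() takes any mapping, so it can be run
against a constructed dict as well as os.environ.
"""
from urllib.parse import urlparse

DOCUMENTED_BASE_URL = "https://as-trai.com"      # default named in the scan
PROVIDER_KEY_HEADER = "X-Astrai-Provider-Keys"   # header named in the scan

# Optional BYOK variables listed in the skill's Environment Variables table.
PROVIDER_KEY_VARS = (
    "ANTHROPIC_API_KEY", "OPENAI_API_KEY", "GOOGLE_API_KEY", "DEEPSEEK_API_KEY",
    "MISTRAL_API_KEY", "GROQ_API_KEY", "TOGETHER_API_KEY", "FIREWORKS_API_KEY",
    "COHERE_API_KEY", "PERPLEXITY_API_KEY",
)


def audit_env(env, byok_intended=False):
    """Describe what the plugin would transmit and flag anything unexpected.

    env: mapping of variable names to values (e.g. os.environ).
    byok_intended: True if you deliberately want provider keys forwarded.
    Returns a dict with the effective base URL, host, forwarded keys, mode and
    a list of human-readable findings (empty when nothing needs attention).
    """
    findings = []

    # The plugin honours ASTRAI_BASE_URL; an empty value falls back to the default.
    base_url = env.get("ASTRAI_BASE_URL") or DOCUMENTED_BASE_URL
    parsed = urlparse(base_url)
    documented_host = urlparse(DOCUMENTED_BASE_URL).hostname

    if parsed.scheme != "https":
        findings.append(
            f"base URL {base_url!r} is not https; diffs and keys would travel in clear text"
        )
    if parsed.hostname != documented_host:
        findings.append(
            f"ASTRAI_BASE_URL overrides the documented host: traffic goes to {parsed.hostname!r}"
        )

    if not env.get("ASTRAI_API_KEY"):
        findings.append("ASTRAI_API_KEY is missing; the skill cannot authenticate")

    # Every set provider key would be JSON-encoded into the header and sent.
    forwarded = [name for name in PROVIDER_KEY_VARS if env.get(name)]
    if forwarded and not byok_intended:
        findings.append(
            f"{len(forwarded)} provider key(s) would be sent in {PROVIDER_KEY_HEADER} "
            f"to {parsed.hostname}: {', '.join(forwarded)}"
        )

    return {
        "base_url": base_url,
        "host": parsed.hostname,
        "forwarded_provider_keys": forwarded,
        "mode": "byok" if forwarded else "local-only",
        "findings": findings,
    }


def local_only_env(env):
    """Copy of env with every optional provider key removed (local-only mode)."""
    return {k: v for k, v in env.items() if k not in PROVIDER_KEY_VARS}


if __name__ == "__main__":
    # Constructed sample environment; values are placeholders, not real keys.
    sample = {
        "ASTRAI_API_KEY": "astrai-placeholder",
        "OPENAI_API_KEY": "sk-placeholder",
        "ASTRAI_BASE_URL": "http://example.invalid",
    }
    report = audit_env(sample)
    for finding in report["findings"]:
        print("-", finding)
    print("mode after local_only_env:", audit_env(local_only_env(sample))["mode"])
```

Run it with `audit_env(os.environ)` before installing; an empty findings list with mode "local-only" means only ASTRAI_API_KEY and your diffs leave the machine, and only to the documented host. Pass `byok_intended=True` once you have decided to trust Astrai with specific provider keys, so the forwarded-key finding is suppressed while the base URL checks still run.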

Model Invocation

This skill sends code diffs to the Astrai routing API. The router classifies the review complexity and selects the best model:

  • High complexity (concurrency, security, architecture): Routes to Claude Opus, GPT-4o, or Gemini Pro
  • Medium complexity (logic errors, missing edge cases): Routes to Claude Sonnet, GPT-4o-mini, or Gemini Flash
  • Low complexity (formatting, typos, naming): Routes to Claude Haiku, GPT-4o-mini, or Gemini Flash

Your prompts are processed by third-party LLM providers according to the routing decision. In BYOK mode, calls are made using your own provider API keys.

Pricing

Same as Astrai platform pricing:

  • Free: 1,000 requests/day, smart routing, all strictness modes
  • Pro ($49/mo): Unlimited requests, priority routing, analytics dashboard
  • Business ($199/mo): Team dashboards, compliance exports, SLA guarantee
