Code Quality Analyzer (FightingDao)

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is purpose-aligned for code quality reporting, but it relies on unreviewed local scripts, writes to a database, and references notification credentials without clear scoping or user controls.

Install this only if you are in the intended internal environment and have reviewed the referenced local scripts. Before running it, confirm the project path, localhost database, team ID, email/Teams credentials, recipients, and whether the sync should be approved manually.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill could update the code-quality database and dashboards with generated analysis data, including incorrect data if the analysis is wrong.

Why it was flagged

The instructions require the agent to write analysis results into several database tables. That is purpose-aligned, but it is a high-impact mutation path and the visible artifact does not show confirmation, rollback, or dry-run controls.

Skill content

□ 6. Sync data: sync all data at once (analysis + scoring + review + commits + statistics) ... 1. code_analyses ... 5. project_statistics

Recommendation

Use only against the intended database and team, and require an explicit user confirmation or dry run before syncing data.

What this means

The actual operations performed by the referenced scripts could differ from what the skill description implies.

Why it was flagged

The skill depends on local helper scripts that are not included in the provided package. Because those helpers perform analysis, database sync, and notifications, their provenance and behavior cannot be verified from the artifact.

Skill content

Analysis script | `/Users/zhangdi/work/codeCap/代码质量分析系统/scripts/analyze-code-v2.js` ... Sync script | `/Users/zhangdi/work/codeCap/代码质量分析系统/scripts/sync-to-db.js` ... Teams notification script ... Email notification script

Recommendation

Review the referenced local scripts before enabling the skill, and pin or package reviewed versions if this is distributed to others.

What this means

The skill may use local email or Teams credentials to send analysis results or notifications.

Why it was flagged

The artifact references credential-like notification configuration and a Teams webhook secret, but the provided metadata declares no primary credential or required environment variables. The visible instructions do not define recipient scope or exactly what data is sent.

Skill content

Email config file | `~/.openclaw/workspace/.email-config.json` ... Teams Webhook | signature mode, secret already configured

Recommendation

Confirm the email and Teams credentials, recipients, and notification content before use; declare these credentials explicitly in the skill metadata.

What this means

Commit metadata, file-change summaries, and generated review findings may be retained in the code-quality system.

Why it was flagged

The skill stores file-change details, AI review issues, commit records, and statistics for later display. This is expected for the stated purpose, but it creates persistent records derived from repository history and AI analysis.

Skill content

fileChanges field: must be populated with file-change details ... code_issues - AI code review issues ... code_reviews - commit record details ... team_statistics ... project_statistics

Recommendation

Run it only on repositories whose metadata may be stored in that database, and define retention and access controls for the generated records.