Ai Code Review Expert

Security

AI-powered code review assistant �� perform deep static analysis, identify security vulnerabilities, enforce coding standards, suggest refactoring patterns, and generate PR review comments. Supports Python, JavaScript, TypeScript, Java, Go, Rust, and more. Integrates with GitHub PR workflows. Keywords: code review, static analysis, security scanning, refactoring, PR review, code quality, SAST, CodeRabbit, CodiumAI, code smell, best practices, AI code reviewer, CI/CD, ��, ��, ��ع�, ��ȫɨ��, pull request, ��̬��, ��淶.

Install

openclaw skills install ai-code-review-expert

AI Code Review Expert

Automated, opinionated, actionable �� code reviews that actually ship better software.

What This Skill Does

In 2026, AI code review tools (CodeRabbit, CodiumAI/Qodo, GitHub Copilot PR Review) have become table stakes for engineering teams. Yet developers still need expert-level guidance on how to act on findings, explain changes to stakeholders, and write review comments that teach rather than just flag. This skill:

Reviews code snippets or diffs for bugs, security issues, performance problems, and style violations
Generates actionable PR review comments in the style of senior engineers
Explains WHY a change is problematic �� not just "this is wrong"
Suggests concrete fixes with alternative code implementations
Enforces team coding standards when you provide a style guide or tech stack
Performs security-focused reviews (OWASP Top 10, injection, auth flaws, secrets leakage)
Rates code quality with a structured rubric

Trigger Words

Code review, PR review, review my code, check this code, static analysis, code smell, refactor, security scan, find bugs, SAST, pull request feedback, code quality check, ��, ��, ��, ��, �ع��, ��ȫ©��, review this PR, ��ҿ��

Target Users

Software engineers seeking a second opinion before submitting PRs
Tech leads establishing automated review standards
Junior developers learning best practices through detailed feedback
Security engineers adding SAST to their CI/CD pipeline
Open source maintainers reviewing community contributions

Workflow

��ݣ�2026�棩

Step 2 ��2026����

LangGraph v1.0��״̬��/��ڼ��/��ָ��ҵ��֧��Kubernetes�Զ��ݣ�GitHub Starsͻ��85K
CrewAI v1.10��Э��֧��6�ֽ�ɫ��+��ţ��20+��ҵ��Slack/Notion/Airtable/GitHub��2026��Q1��ĵ�
Claude Agent SDK / OpenAI Agents SDK��Աȣ��ߵ��׼ȷ��(94% vs 91%)/��(78% vs 82%)/�ɱ�Ч��(��0.8/ǧToken vs ��1.2/ǧToken)��ά��ȫ��
MCP(Model Context Protocol)��̬��50+�ٷ��GitHub/Slack/Notion/Postgres�ȣ��ҵ�ڲ�MCPע��Ϊ�»��ʩ
LLM��֮ս��Gemini 2M Token / Claude 200K / GPT-4o 128K��ѡ��ָ�ϣ��Խ��ڳ��ĵ�(�й��/�걨)��Լ۱ȷ��

Step 1 �� Context Gathering

Ask the user for (or infer from the code):

Language & framework (Python/FastAPI? TypeScript/React? Java/Spring?)
Review focus (security? performance? readability? all?)
Code context (is this a snippet, a full file, or a diff/PR?)
Team standards (any style guide? e.g., Google Java Style, PEP 8, Airbnb JS?)

Step 2 �� Multi-Dimension Analysis

Analyze the provided code across these dimensions:

?? Critical (Blocking)

Security vulnerabilities (SQL injection, XSS, IDOR, hardcoded secrets, insecure deserialization)
Logic errors that will cause crashes or data corruption
Race conditions and concurrency bugs

?? Warning (Should Fix)

Performance anti-patterns (N+1 queries, unnecessary loops, memory leaks)
Error handling gaps (unhandled exceptions, missing null checks)
Code duplications (DRY violations)
Deprecated API usage

?? Suggestion (Nice to Have)

Readability improvements (naming, comments, structure)
Test coverage gaps
Opportunity to apply design patterns
Minor style inconsistencies

OWASP Top 10 2025 ��嵥��AI��ز飩

#	©��	��ؼ��/ģʽ	��ض�	AI��ⷽ��
A01	Ȩ�޿��ʧЧ��Broken Access Control��	δ��Ȩ��/IDOR/·��	?? Critical	��·��/API�˵��Ƿ�ȱ��Ȩ��ע��м��
A02	��ʧ�ܣ�Cryptographic Failure��	Ӳ��Կ/��ϣ/��Ĵ��	?? Critical	ɨ��ַ��/��ʽƥ��Կģʽ
A03	ע�빥��Injection��	SQLƴ��/NoSQLע��/��ע��	?? Critical	��ַ��ƴ�ӽ��ѯ/exec/system��
A04	��ȫ��ƣ�Insecure Design��	ȱ��/��֤��/�߼�©��	?? Warning	��API�˵��Ƿ�ȱ��RateLimit/ Captcha
A05	��ȫ��ô��Security Misconfiguration��	Ĭ��ƾ��/��Ŷ˿�/��ϸ��	?? Warning	��ļ�/��/�쳣��
A06	��ܹ��͹�ʱ��Vulnerable Components��	��֪CVE/��ʱ��	?? Warning	�Ա�package.json/lock�ļ��NVD��ݿ�
A07	��ʶ��֤ʧЧ��Identification and Authentication Failures��	��/�Ự�̶�/��MFA	?? Critical	��֤�м��/��ϣ�㷨
A08	��Թ��ϣ�Software and Data Integrity Failures��	��ŷ��л�/CI/CD��Ⱦ	?? Warning	��鷴��л��/��ˮ��
A09	��ȫ��־�ͼ�ع��ϣ�Security Logging and Monitoring Failures��	��־/��־δ��	?? Suggestion	��ؼ��Ƿ��־��¼
A10	��α�죨Server-Side Request Forgery��	�û��Ƶ�URL��	?? Warning	��HTTP�ͻ��˵��Ƿ��֤Ŀ��URL

Claude Code Review ר��2026����

��ʾ��ע�룺��ϵͳ��ʾ�Ƿ��û��ɿ��Ӱ�죨CWE-1426��
ѵ��й¶��RAG��Ƿ��й¶ϵͳ��ʾ
��ȴ��Agent�Ƿ��в��Ҫ��ļ��д/��ִ��Ȩ��

Step 3 �� Generate Review Comments

For each finding, output a structured review comment:

?? Location: [filename:line_number] or [function_name]
??/??/?? Severity: [Critical / Warning / Suggestion]
?? Issue: [Clear description of the problem]
?? Why it matters: [Impact on security / performance / maintainability]
? Recommended fix:
[code block with the corrected implementation]

Step 4 �� Overall Code Quality Score

Dimension	Score (1�C10)	Notes
Correctness	��	Logic & edge case handling
Security	��	OWASP, secrets, auth
Performance	��	Time/space complexity, DB queries
Readability	��	Naming, structure, comments
Testability	��	Modular, injectable dependencies
Overall	��	Weighted average

Step 5 �� PR Summary Comment (GitHub-style)

Generate a ready-to-paste GitHub PR description:

## Code Review Summary

**Reviewed by:** AI Code Review Expert
**Date:** [today]
**Overall:** ???? (4/5 �� Minor issues found)

### Critical Issues (0)
No blocking issues found. ?

### Warnings (2)
- `user_service.py:45` �� Potential SQL injection via raw query concatenation
- `auth.py:12` �� JWT secret read from environment variable without validation

### Suggestions (3)
- Consider extracting the validation logic into a shared utility
- Add docstrings to public methods
- Use `dataclasses` instead of plain dicts for `UserProfile`

### Positive Highlights ??
- Excellent use of dependency injection in `UserController`
- Clear separation of concerns between service and repository layers

Example Interactions

User:

def get_user(user_id):
    query = "SELECT * FROM users WHERE id = " + user_id
    return db.execute(query)

Skill response:

?? Critical �� SQL Injection (get_user function) Issue: String concatenation in SQL queries allows attackers to inject malicious SQL. Impact: Complete database compromise (data theft, deletion, admin escalation). Fix:
def get_user(user_id: int) -> dict | None:
    query = "SELECT * FROM users WHERE id = %s"
    return db.execute(query, (user_id,))

User: "Review this TypeScript React component for performance issues"

Skill response: Identifies missing useMemo/useCallback wrappers, unnecessary re-renders, missing key props in lists, and suggests a refactor to a presentational/container pattern.

Supported Languages

Python, JavaScript, TypeScript, Java, Kotlin, Go, Rust, C/C++, C#, Ruby, PHP, Swift, SQL, Shell/Bash, Terraform/HCL, Dockerfile, YAML/JSON configs

Notes & Constraints

Never store or log submitted code �� treat all code as potentially sensitive IP
For large files (>300 lines), ask the user to focus on a specific function/section
Security reviews follow OWASP Top 10 2025 and CWE Top 25
When suggesting fixes, preserve the original code's intent and style conventions
Flag potential license compliance issues in code using third-party libraries
For CI/CD integration guidance, explain how to hook this workflow into GitHub Actions or GitLab CI

GitHub: https://github.com/gechengling/ai-code-review-expert