ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Code Review

v1.0.0

Automated code review assistant. Analyzes code changes, PRs, and files for quality issues, best practices, security concerns, and style violations. Provides...

0· 10·0 current·0 all-time
by@michealxie001
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, SKILL.md commands, and the two Python scripts (main.py and analyzer.py) are coherent: they implement a local code review tool (file/staged/commit/diff) and Git integration. No unexpected services or credentials are requested.
Instruction Scope
SKILL.md instructs the agent/user to run the bundled scripts against repo files, staged changes, or commits — that matches the main.py behavior. This necessarily gives the tool read access to repository files (expected), and SKILL.md suggests adding hooks/CI calls that will run the script in CI. However analyzer.py source in the submission was truncated, so I couldn't fully verify it doesn't read unrelated system files or transmit data externally.
Install Mechanism
No install spec and no external downloads; this is an instruction+script bundle that runs as a local Python program. That is low risk compared to bundles that fetch remote code.
Credentials
The skill declares no required env vars or credentials and main.py/analyzer.py (visible portions) do not reference secrets or external credentials. The tool will read repository files (normal for a linter/analyzer).
Persistence & Privilege
always:false and user-invocable; the skill does not request persistent platform privileges. The SKILL.md suggests placing a pre-commit hook or CI step (user action) — normal for this category.
What to consider before installing
Things to check before installing/using: - Inspect the rest of scripts/analyzer.py (the file was truncated in the bundle you provided). Look specifically for any of: network libraries (requests, urllib, socket, http.client, ftplib), subprocess or os.system calls that call curl/wget/nc, hardcoded remote endpoints, base64/exec/eval of downloaded data, or code that reads files outside the repository (e.g., /etc, home directory). If any are present, treat as high risk. - Confirm there are no commands that automatically POST or upload review reports to an external server (search for 'http', 'https', 'upload', 'post', 'requests', 'urllib', 'socket'). The roadmap mentions "PR 评论自动发布" but that feature is not implemented in SKILL.md; ensure it isn't implemented hidden in analyzer.py. - Since the tool reads repository files, avoid running it on repos that contain secrets or production credentials until you've verified it does not exfiltrate data. Run it first on a disposable/sandbox repo. - Because there's no source/homepage or owner reputation, prefer to run the code in a restricted environment (container or ephemeral VM) and/or vendor-lock it into your CI (so you control when it runs and which files it can access). - If you plan to add the pre-commit hook or CI workflow, update the hook path and review the hook/CI snippet to ensure it doesn't accidentally write credentials or outputs to public artifacts. Consider limiting the tool's scope (file globs) so it doesn't scan sensitive directories. - If you want higher assurance, ask the publisher for the full repository or verify with a reproducible build. If you cannot obtain the rest of analyzer.py source, do not run this on sensitive projects. If you share the full contents of scripts/analyzer.py (unsuppressed), I can re-check for network calls, obfuscated code, and any other red flags and raise the confidence of this assessment.
scripts/analyzer.py:414
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c14p47m16m1kddpv7h8g13h84015c

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Code Review

自动化代码审查助手,分析代码变更、PR 和文件,检测质量问题、最佳实践违规、安全隐患和风格问题。

Version: 1.0
Features: 多层级分析、AST 解析、安全检查、Git 集成

Quick Start

1. 审查单个文件

python3 scripts/main.py review file src/main.py

2. 审查暂存区变更

python3 scripts/main.py review staged

3. 审查特定提交

python3 scripts/main.py review commit abc123

4. 导出 JSON 报告

python3 scripts/main.py review file src/*.py --format json --output report.json

Commands

命令说明示例
review file审查文件main.py review file src/*.py
review staged审查暂存区main.py review staged
review commit审查提交main.py review commit abc123
review diff审查 diff 文件main.py review diff changes.patch

Checks

质量检查 (Quality)

  • 圈复杂度 - 函数复杂度超过阈值(默认 10)
  • 函数长度 - 函数超过最大行数(默认 50)
  • 文件长度 - 文件超过最大行数(默认 500)
  • 重复代码 - 检测重复代码块
  • 未使用导入 - 检测未使用的 import

最佳实践 (Best Practices)

  • Python: PEP 8、类型提示、文档字符串
  • JavaScript: 使用 let/const 替代 var、移除 console.log
  • 通用: 命名规范、导入排序

安全检查 (Security)

  • 硬编码密钥 - 检测 password/secret/api_key/token
  • 危险函数 - 检测 eval/exec 使用
  • SQL 注入 - 检测字符串拼接 SQL
  • XSS 风险 - 检测 innerHTML 使用

风格检查 (Style)

  • 尾随空格 - 检测行尾空格
  • 行长度 - 检测超过 100 字符的行
  • 文档字符串 - 检测缺少 docstring 的函数/类

Configuration

创建 .code-review.json 在项目根目录:

{
  "max_complexity": 10,
  "max_function_lines": 50,
  "max_file_lines": 500,
  "ignore": [
    "tests/**",
    "vendor/**",
    "node_modules/**"
  ],
  "severity": "warning"
}

Output Formats

Markdown (默认)

python3 main.py review file src/main.py

输出包含:

  • 问题统计摘要
  • 按规则分类的问题列表
  • 每个文件的详细问题
  • 修复建议

JSON

python3 main.py review file src/main.py --format json

适合 CI/CD 集成:

{
  "summary": {
    "files_reviewed": 5,
    "total_issues": 12,
    "errors": 0,
    "warnings": 3,
    "info": 9
  },
  "files": [...]
}

Git 集成

Pre-commit Hook

# .git/hooks/pre-commit
#!/bin/bash
python3 /path/to/code-review/scripts/main.py review staged --fail-on-error

CI/CD 集成

# .github/workflows/code-review.yml
name: Code Review
on: [push, pull_request]

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Code Review
        run: |
          python3 skills/code-review/scripts/main.py review file src/ --format json --output review.json
      - name: Upload Report
        uses: actions/upload-artifact@v3
        with:
          name: code-review-report
          path: review.json

Examples

场景 1:提交前自检

# 1. 添加变更到暂存区
git add src/

# 2. 审查暂存区代码
python3 main.py review staged

# 3. 如果有错误,修复后再提交

场景 2:审查 PR

# 获取 PR 的最新提交
python3 main.py review commit $(git rev-parse HEAD)

场景 3:批量审查

# 审查所有 Python 文件
python3 main.py review file src/**/*.py --format json --output report.json

# 设置更严格的阈值
python3 main.py review file src/ --max-complexity 5 --max-function-lines 30

Supported Languages

语言质量检查安全检查风格检查
Python
JavaScript
TypeScript⚠️⚠️⚠️

Files

skills/code-review/
├── SKILL.md                    # 本文件
└── scripts/
    ├── main.py                 # ⭐ 统一入口
    └── analyzer.py             # 核心分析引擎

Exit Codes

代码含义
0成功,无错误
1发现错误或 --fail-on-error 且有问题

Roadmap

  • Python 分析器
  • JavaScript 分析器
  • TypeScript 完整支持
  • Go 分析器
  • Rust 分析器
  • PR 评论自动发布
  • 增量审查(只审查变更行)

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…