PR Code Reviewer

v1.0.1

Automatically reviews PRs in Bitbucket with error, security and style analysis for JS, TS, Node.js, PHP and Python, generating detailed comments and vere...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill's name and SKILL.md describe an automated PR reviewer for Bitbucket and multiple languages, and the repository contains extensive language-specific rules and templates that match that purpose. One small mismatch: the SKILL/README mention automatic review in Bitbucket but the skill contains no integration code or required Bitbucket credentials — it is designed to be used by feeding diffs or via a pipeline/hook rather than calling Bitbucket APIs directly. This is explainable (instruction-only design) but worth noting.
Instruction Scope
SKILL.md explicitly instructs the agent to read the full PR diff, detect file languages, apply the included rulesets, generate grouped inline comments and a review summary. All referenced files are local rule/templates and the instructions do not request unrelated system files, environment variables, external endpoints, or privileged actions.
Install Mechanism
No install spec and no code to execute are included (instruction-only). That is the lowest-risk install model — nothing is downloaded or written to disk by the skill itself.
Credentials
The skill declares no required environment variables, credentials, or config paths. The rules reference common code-review checks (security, linters, conventions) and do not require secrets. The lack of requested credentials is consistent with an instruction-only reviewer that operates on diffs provided by the integrator.
Persistence & Privilege
The skill does not request always:true and is not asking to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but there are no additional persistence or privilege requests in the skill contents.
Assessment
This skill is an instruction-only code-review template and is internally consistent with its purpose. Before installing or enabling it, consider:

- Integration: The skill does not itself call Bitbucket APIs or ask for Bitbucket credentials — you must supply diffs or wire it into your CI/hook. Confirm how your agent will provide PR contents (e.g., a workflow step that passes the diff) and that no repository secrets are accidentally forwarded to third-party services.
- Data exposure: The reviewer will analyze any code you feed it. Avoid putting production credentials or sensitive data into PR diffs. Treat the agent and any LLM backend you use as a code consumer with access to those diffs.
- Pipeline security: If you implement a GitHub/GitLab/Bitbucket action or CI job to feed PRs to this skill, review that workflow to ensure tokens, logs, or artifacts are not sent to untrusted endpoints. The skill itself doesn’t transmit data, but your integration could.
- Customization: The included rules are extensive and opinionated. Review and adapt references/team-conventions.md to match your team's policies so the reviewer enforces the right standards.

Overall risk is low given there is no install or secret access; proceed if you understand and control how PR diffs are provided to the agent and you protect sensitive data in those diffs.

Like a lobster shell, security has layers — review code before you run it.
