Code Review Cycle

v0.1.4

Runs a Coding ↔ Review loop: A writes code → B reviews → A revises (optional). Supports codex or claude-code as either A or B.

by 商汤小浣熊@raccoon-office
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (orchestrate a coder + reviewer loop) matches the artifact: SKILL.md describes spawning A/B agents and run.js prints the session payloads. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
SKILL.md and run.js confine actions to spawning agents and exchanging textual diffs/outputs. However, the 'B only-read' rule is a behavioral constraint expressed in text and not technically enforced by the script — the skill relies on agent-side enforcement. The skill also passes A's output as input to B (expected), which could expose any secrets present in A's output to the reviewer agent.
Install Mechanism
No install spec — instruction-only plus a small helper script (run.js). Nothing is downloaded or written to disk by an installer; lowest-risk install posture.
Credentials
No environment variables, credentials, or config paths are requested. The scope of requested access is minimal and proportional to a code-review orchestrator.
Persistence & Privilege
The always flag is false and the skill doesn't request persistent system modifications. The script and SKILL.md state that sessions are temporary and do not retain context; there is no attempt to modify other skills or system-wide settings.
Assessment
This skill appears to do what it says: orchestrate a coder (A) and reviewer (B) loop. Before installing or running it, consider: 1) The reviewer role is only a behavioral constraint in the instructions — the platform or model must enforce 'read-only'; it is not technically enforced by the script. 2) A's output (diffs, code) is passed into B as plain text — do not use this on sensitive/private code or secrets unless you trust the models/providers. 3) The helper script is small and only prints JSON payloads; still review the script locally before running. 4) If you need stronger guarantees (e.g., enforce reviewer cannot write files, avoid exposing whole files), add procedural checks or policy controls in your environment. If any of these concerns are unacceptable, avoid using the skill or run it only on non-sensitive repositories.

Like a lobster shell, security has layers — review code before you run it.

