code-review-fix
Automatically review code for bugs, security, style, and performance issues, provide fix suggestions, and optionally apply repairs with explanations.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 564 · 3 current installs · 4 all-time installs
by @landyun
Security Scan (OpenClaw): Suspicious, high confidence

Purpose & Capability
The repository files (analyzer, main, billing) match the stated purpose (code review + optional auto-fix + billing). However, billing is implemented with a hard-coded BILLING_API_KEY and SKILL_ID in lib/billing.ts instead of requiring the publisher/user to supply credentials, which is unusual and worth questioning.
Instruction Scope
The runtime instructions in SKILL.md are scoped to code review, but scripts/main.ts reads arbitrary files in the current directory, writes a local state file (.code-review-fix-state.json), and sends a user identifier (derived from process.env.SKILLPAY_USER_ID or, failing that, the local OS username) to an external billing service. Neither SKILL.md nor the README clearly calls out the transmission of the local username or the creation of the state file.
Install Mechanism
There is no install spec (instruction-only in the registry), which minimizes install risk, but package.json and the scripts assume the 'bun' runtime (the start/dev scripts invoke bun). The registry metadata declares no required binaries, so the undeclared Bun dependency is an inconsistency that may break execution. No external archives are downloaded.
Credentials
The skill declares no required env vars, yet contains a hard-coded billing API key (BILLING_API_KEY) in lib/billing.ts. Embedding a long-lived secret in code means the publisher's key is used for every billing call from every installation; that is disproportionate and risky. The code also optionally reads process.env.SKILLPAY_USER_ID to form user IDs, which is reasonable but not declared in the metadata.
Persistence & Privilege
The skill does not request permanent 'always' privilege and does not modify other skills. It does create a state file in the working directory (.code-review-fix-state.json). Because the skill can be invoked autonomously by agents (default), network-enabled billing calls combined with the embedded key increase operational risk if invoked without user oversight.
What to consider before installing
This skill is functionally coherent but contains a hard-coded billing API key and will call an external billing service, sending a user identifier (your local username by default) and creating a local state file. Before installing:

1. Review lib/billing.ts and decide whether you trust the billing endpoint and the embedded key; ideally replace it with your own key or remove automatic billing.
2. Be aware the skill will create .code-review-fix-state.json in the working directory and may transmit your OS username unless you set SKILLPAY_USER_ID.
3. Run it in an isolated environment (not as root) and verify its network activity.
4. Ensure you have Bun installed, or adapt the scripts to your runtime.
5. If you do not trust the publisher, do not install or run the skill as-is.
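The review steps above boil down to a few static checks that can be repeated on any skill before it is run: look for credential literals, environment reads that the metadata does not declare, identity derived from the OS account, outbound network calls, and local file writes. The following TypeScript is an added example written for this page, not code from code-review-fix or its publisher. The file contents it scans are a constructed stand-in for lib/billing.ts and scripts/main.ts that reproduces the patterns the scan report describes (the billing URL is a placeholder, not the real endpoint), and the regular expressions are assumptions about how such code usually looks rather than a complete secret scanner.

```typescript
// Added example: static pre-install triage of a skill's source files.
// Not part of code-review-fix; the rules below are heuristics (assumptions),
// tune them for the code base you are reviewing.

type Finding = { file: string; line: number; kind: string; detail: string; match: string };

const RULES: { kind: string; re: RegExp; detail: string }[] = [
  { kind: "hardcoded-secret",
    re: /\b[A-Z0-9_]*(KEY|SECRET|TOKEN)\b\s*=\s*["'][^"']{8,}["']/,
    detail: "credential literal assigned in source; should come from the user's environment" },
  { kind: "env-read",
    re: /process\.env\.([A-Z0-9_]+)/,
    detail: "reads an environment variable; must be declared in the skill metadata" },
  { kind: "os-username",
    re: /os\.userInfo\(\)|\.username\b|process\.env\.USER\b/,
    detail: "derives an identifier from the local OS account" },
  { kind: "network",
    re: /\bfetch\(|https?:\/\//,
    detail: "outbound network call; confirm the destination and what is sent" },
  { kind: "fs-write",
    re: /writeFile(Sync)?\(|Bun\.write\(/,
    detail: "writes to the local filesystem" },
];

// One finding per rule per line; comment-only lines are skipped.
function triageSource(files: Record<string, string>): Finding[] {
  const out: Finding[] = [];
  for (const file of Object.keys(files)) {
    const lines = files[file].split("\n");
    for (let i = 0; i < lines.length; i++) {
      if (lines[i].trim().startsWith("//")) continue;
      for (const r of RULES) {
        const m = r.re.exec(lines[i]);
        if (m) out.push({ file, line: i + 1, kind: r.kind, detail: r.detail, match: m[0] });
      }
    }
  }
  return out;
}

// Environment variables the code reads but the registry metadata does not declare.
function undeclaredEnvVars(findings: Finding[], declared: string[]): string[] {
  const names = new Set<string>();
  for (const f of findings) {
    if (f.kind !== "env-read") continue;
    const m = /process\.env\.([A-Z0-9_]+)/.exec(f.match);
    if (m && declared.indexOf(m[1]) === -1) names.add(m[1]);
  }
  return Array.from(names).sort();
}

// A secret baked into the code plus a network call is the combination that
// makes a skill bill against someone else's key: treat it as suspicious.
function verdict(findings: Finding[]): "Suspicious" | "Review" | "OK" {
  const kinds = new Set(findings.map((f) => f.kind));
  if (kinds.has("hardcoded-secret") && kinds.has("network")) return "Suspicious";
  if (kinds.size > 0) return "Review";
  return "OK";
}

// Constructed sample files modelled on the report's description; not the real sources.
const SAMPLE_FILES: Record<string, string> = {
  "lib/billing.ts": [
    "// constructed sample, not the real file",
    'const BILLING_API_KEY = "sk_live_example_0123456789";',
    'const SKILL_ID = "code-review-fix";',
    "const userId = process.env.SKILLPAY_USER_ID ?? os.userInfo().username;",
    'await fetch("https://billing.example/charge", { method: "POST" });', // placeholder URL
  ].join("\n"),
  "scripts/main.ts": [
    'import { writeFileSync } from "fs";',
    'writeFileSync(".code-review-fix-state.json", JSON.stringify(state));',
  ].join("\n"),
};

const findings = triageSource(SAMPLE_FILES);
for (const f of findings) console.log(`${f.file}:${f.line} [${f.kind}] ${f.detail}`);
console.log("undeclared env:", undeclaredEnvVars(findings, []));
console.log("verdict:", verdict(findings));
```

Running this over the constructed sample reports the five issues the scan report lists (the literal key, the undeclared SKILLPAY_USER_ID read, the OS-username fallback, the outbound billing call, and the state-file write) and returns "Suspicious" because a baked-in credential and a network call occur together. On a real skill, run it over the unpacked zip and compare the env-read findings against the registry's declared variables; a clean static pass still does not replace running the skill in an isolated environment and watching its network traffic.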
Current version: v1.0.0
SKILL.md
Code Review & Fix
Automatically reviews code for problems, suggests fixes, and repairs code directly, addressing the frequent developer pain points of code quality and bug fixing.
Usage
# Review the current file
/code-review
# Review and automatically fix
/code-review --fix
# Check security issues only
/code-review --security
# Learning mode (with explanations)
/code-review --explain
Features
- ✅ Issue detection (bugs, security, performance)
- ✅ Code style checks
- ✅ Automatic fixes
- ✅ Explanatory (educational) mode
- ✅ Multi-language support
Pricing
- First 3 calls free
- Per call: 0.001 USDT
- More packages at skillpay.me
Files: 9 total