Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

code-reviewer

Code review automation for TypeScript, JavaScript, Python, Go, Swift, Kotlin. Analyzes PRs for complexity and risk, checks code quality for SOLID violations...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 current install · 1 all-time install
by Alireza Rezvani (@alirezarezvani)
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code-reviewer name/description aligns with the included Python scripts (PR analysis, quality checks, report generation). However, the skill metadata declares no required binaries or environment variables while the shipped scripts clearly expect a Python runtime and call the git CLI via subprocess. The absence of a declared dependency on git/Python and the lack of a homepage/source repository are inconsistencies worth flagging.
Instruction Scope
SKILL.md instructs the agent to run the included scripts against a repository path (diffs, commit messages, file contents). The instructions stay within the stated purpose: reading repository files, diffs and generating reports. They do not instruct reading unrelated system files or exfiltrating data to external endpoints.
Install Mechanism
There is no install specification; the skill is instruction+script based and does not download external artifacts. This minimizes install-time risk. The shipped scripts will be executed locally when invoked.
Credentials
The skill declares no required environment variables or credentials, and the scripts do not appear to access secrets managers or remote APIs. However, they will read repository contents (including any secrets stored in the repo) and call the git CLI; the metadata should have declared required binaries (git, Python). The missing declaration is an inconsistency that could lead to unexpected failures or hidden assumptions.
Persistence & Privilege
always is set to false and no install hooks are present. The skill does not request permanent system presence or modify other skills. It executes local scripts and subprocesses but does not autonomously persist credentials or reconfigure the agent.
What to consider before installing
This skill contains reasonably straightforward Python scripts that analyze a repository and produce reports, which matches its description, but exercise caution before installing:

- Source verification: there is no homepage or upstream repo listed. Prefer skills with a known source or inspect the full script contents yourself.
- Runtime dependencies: the metadata claims no required binaries, but the scripts call the git CLI and are Python programs. Ensure your environment has Python and git available; the skill should have declared those dependencies.
- Data exposure: the tools read file contents and diffs (they will see any secrets in a repo). They do not appear to transmit data externally, but you should review the scripts for any network calls before running them on sensitive repositories.
- Local testing: run the scripts locally on a non-sensitive repository first (python scripts/pr_analyzer.py . --json) to verify behavior and outputs.
- Autonomy: the skill can be invoked autonomously by the agent (normal default). If you are concerned, only allow manual invocation or inspect/disable autonomous invocation settings.

If you want to proceed, review the three included Python files for any unexpected subprocess or network usage and confirm git/Python are available; if you cannot verify the source, treat it as untrusted code and run it in an isolated environment.


Current version: v1.0.0
latest: vk97f8hy4nh2jfqxnf29wmd9ffn82qh33

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

SKILL.md

Code Reviewer

Automated code review tools for analyzing pull requests, detecting code quality issues, and generating review reports.

Tools

PR Analyzer

Analyzes git diff between branches to assess review complexity and identify risks.

# Analyze current branch against main
python scripts/pr_analyzer.py /path/to/repo

# Compare specific branches
python scripts/pr_analyzer.py . --base main --head feature-branch

# JSON output for integration
python scripts/pr_analyzer.py /path/to/repo --json

What it detects:

  • Hardcoded secrets (passwords, API keys, tokens)
  • SQL injection patterns (string concatenation in queries)
  • Debug statements (debugger, console.log)
  • ESLint rule disabling
  • TypeScript any types
  • TODO/FIXME comments

Output includes:

  • Complexity score (1-10)
  • Risk categorization (critical, high, medium, low)
  • File prioritization for review order
  • Commit message validation
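How a scan of this kind works over a diff, as an added example written for this page and not the skill's own pr_analyzer.py: the unified diff is walked, new-side line numbers are recovered from the @@ hunk headers, and the detection categories listed above are applied to added lines only, so pre-existing debt in context lines is not charged to the PR. The regular expressions, the risk level per category and the complexity formula are this example's assumptions, and SAMPLE_DIFF is a constructed diff.

```python
"""Risk scan over the added lines of a unified diff.

Added example; not the skill's pr_analyzer.py. It walks `git diff` output,
tracks new-side line numbers from the hunk headers, and applies the
detection categories the skill lists to added lines only. The regexes, the
per-category risk level and the complexity formula are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# (category, risk, pattern). Only '+' lines are checked.
RULES = [
    ("hardcoded_secret", "critical",
     re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
    ("sql_concat", "high",
     re.compile(r"(?i)\b(select|insert|update|delete)\b.*['\"]\s*\+\s*\w+")),
    ("debug_statement", "medium", re.compile(r"\bdebugger\b|\bconsole\.log\(")),
    ("eslint_disable", "medium", re.compile(r"eslint-disable")),
    ("ts_any", "low", re.compile(r":\s*any\b|<any>|\bas any\b")),
    ("todo", "low", re.compile(r"\b(TODO|FIXME)\b")),
]
RISK_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    file: str
    line: int          # line number on the new side of the diff
    category: str
    risk: str
    text: str


def scan_diff(diff: str) -> List[Finding]:
    """Apply RULES to every added line, keeping file and new-side line number."""
    findings: List[Finding] = []
    path, new_line, in_hunk = "", 0, False
    for raw in diff.splitlines():
        if raw.startswith("diff --git "):
            in_hunk = False            # new file section: headers follow
            continue
        # '---'/'+++' are file headers only outside a hunk; inside one they
        # could be a removed or added line that itself starts with '--'/'++'.
        if not in_hunk and raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if not in_hunk and raw.startswith("--- "):
            continue
        header = HUNK_HEADER.match(raw)
        if header:
            in_hunk, new_line = True, int(header.group(1))
            continue
        if raw.startswith("\\"):       # "\ No newline at end of file"
            continue
        if raw.startswith("+"):
            content = raw[1:]
            for category, risk, pattern in RULES:
                if pattern.search(content):
                    findings.append(Finding(path, new_line, category, risk, content.strip()))
            new_line += 1
        elif raw.startswith(" ") or raw == "":
            new_line += 1              # context line exists on both sides
        # '-' lines exist only on the old side and do not advance new_line
    return findings


def summarize(diff: str) -> Dict:
    """Complexity score (1-10), overall risk and findings for a diff."""
    findings = scan_diff(diff)
    lines = diff.splitlines()
    files = sum(1 for l in lines if l.startswith("diff --git "))
    added = sum(1 for l in lines if l.startswith("+") and not l.startswith("+++ "))
    # Assumed formula: grows with the size and spread of the change, capped at 10.
    complexity = min(10, 1 + added // 50 + files // 3)
    risk = min((f.risk for f in findings), key=RISK_ORDER.__getitem__, default="low")
    return {"files": files, "added_lines": added, "complexity": complexity,
            "risk": risk, "findings": findings}


# Constructed diff: one hardcoded key, one env-sourced password (not flagged),
# an eslint-disable, an `any` and a concatenated SQL query.
SAMPLE_DIFF = """\
diff --git a/src/db.ts b/src/db.ts
--- a/src/db.ts
+++ b/src/db.ts
@@ -1,4 +1,7 @@
 import { Client } from "pg";
-const client = new Client();
+const API_KEY = "sk_live_0123456789abcdef";
+const client = new Client({ password: process.env.PGPASS });
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+export function find(id: any) {
+  return client.query("SELECT * FROM users WHERE id = " + id);
+}
"""

if __name__ == "__main__":
    result = summarize(SAMPLE_DIFF)
    print(f"complexity={result['complexity']} risk={result['risk']}")
    for f in result["findings"]:
        print(f"{f.file}:{f.line} [{f.risk}] {f.category}: {f.text}")
```

Pipe real input with git diff main...feature-branch | python scan.py after replacing SAMPLE_DIFF with sys.stdin.read(). The password line is deliberately not reported: the secret regex requires a quoted literal after the key name, so values pulled from the environment pass, which is the distinction the "hardcoded secrets" check is meant to make.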

Code Quality Checker

Analyzes source code for structural issues, code smells, and SOLID violations.

# Analyze a directory
python scripts/code_quality_checker.py /path/to/code

# Analyze specific language
python scripts/code_quality_checker.py . --language python

# JSON output
python scripts/code_quality_checker.py /path/to/code --json

What it detects:

  • Long functions (>50 lines)
  • Large files (>500 lines)
  • God classes (>20 methods)
  • Deep nesting (>4 levels)
  • Too many parameters (>5)
  • High cyclomatic complexity
  • Missing error handling
  • Unused imports
  • Magic numbers

Thresholds:

Issue             Threshold
Long function     >50 lines
Large file        >500 lines
God class         >20 methods
Too many params   >5
Deep nesting      >4 levels
High complexity   >10 branches
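The following is an added example written for this page, not the skill's code_quality_checker.py, showing how those thresholds can be checked for Python with the standard ast module: function length, parameter count, nesting depth, methods per class and cyclomatic complexity are measured and anything over the table's limits is reported. How each metric is counted (an elif chain is one level, self and cls are not parameters, each if/for/while/except/ternary/assert and each boolean operand adds a branch) is this example's own choice, and SAMPLE is constructed input.

```python
"""Structural checks on Python source against the skill's thresholds.

Added example; not the skill's code_quality_checker.py. Metrics are taken
from the `ast` module; how each one is counted is this example's choice.
"""
import ast
from typing import List, Tuple

LONG_FUNCTION = 50     # lines
LARGE_FILE = 500       # lines
GOD_CLASS = 20         # methods
TOO_MANY_PARAMS = 5
DEEP_NESTING = 4       # levels
HIGH_COMPLEXITY = 10   # branches

NESTING = (ast.If, ast.For, ast.AsyncFor, ast.While, ast.With, ast.AsyncWith, ast.Try)
BRANCHES = (ast.If, ast.For, ast.AsyncFor, ast.While, ast.ExceptHandler, ast.IfExp, ast.Assert)
FUNCTIONS = (ast.FunctionDef, ast.AsyncFunctionDef)

Issue = Tuple[int, str, str]   # (line, issue, detail)


def _param_count(fn: ast.AST) -> int:
    a = fn.args
    names = [p.arg for p in a.posonlyargs + a.args + a.kwonlyargs]
    count = len(names) + bool(a.vararg) + bool(a.kwarg)
    if names and names[0] in ("self", "cls"):
        count -= 1                 # receiver is not a caller-supplied parameter
    return count


def _max_depth(node: ast.AST, depth: int = 0) -> int:
    """Deepest chain of nesting statements below `node`."""
    best = depth
    for child in ast.iter_child_nodes(node):
        if isinstance(child, NESTING):
            # `elif` parses as an If in the parent's orelse; keep it at the same level.
            is_elif = isinstance(node, ast.If) and isinstance(child, ast.If) and node.orelse == [child]
            child_depth = depth if is_elif else depth + 1
        else:
            child_depth = depth
        best = max(best, _max_depth(child, child_depth))
    return best


def _complexity(fn: ast.AST) -> int:
    """Cyclomatic complexity: one plus each decision point."""
    total = 1
    for n in ast.walk(fn):
        if isinstance(n, BRANCHES):
            total += 1
        elif isinstance(n, ast.BoolOp):
            total += len(n.values) - 1
        elif isinstance(n, ast.comprehension):
            total += 1 + len(n.ifs)
    return total


def check_source(source: str) -> List[Issue]:
    """Return (line, issue, detail) for every threshold the source exceeds."""
    issues: List[Issue] = []
    line_count = source.count("\n") + 1
    if line_count > LARGE_FILE:
        issues.append((1, "large_file", f"{line_count} lines"))
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            methods = sum(isinstance(n, FUNCTIONS) for n in node.body)
            if methods > GOD_CLASS:
                issues.append((node.lineno, "god_class", f"{node.name}: {methods} methods"))
        elif isinstance(node, FUNCTIONS):
            length = node.end_lineno - node.lineno + 1
            if length > LONG_FUNCTION:
                issues.append((node.lineno, "long_function", f"{node.name}: {length} lines"))
            params = _param_count(node)
            if params > TOO_MANY_PARAMS:
                issues.append((node.lineno, "too_many_params", f"{node.name}: {params} params"))
            depth = _max_depth(node)
            if depth > DEEP_NESTING:
                issues.append((node.lineno, "deep_nesting", f"{node.name}: depth {depth}"))
            branches = _complexity(node)
            if branches > HIGH_COMPLEXITY:
                issues.append((node.lineno, "high_complexity", f"{node.name}: {branches} branches"))
    return sorted(issues)


# Constructed sample: six parameters and six nesting levels, but only eight
# branches, so complexity stays under its threshold.
SAMPLE = '''
def handle(a, b, c, d, e, f):
    if a:
        for x in b:
            while c:
                try:
                    with d:
                        if e or f:
                            return x
                except Exception:
                    pass
    elif b:
        return 1
    return 0

class Small:
    def one(self, x):
        return x
'''

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for line, issue, detail in check_source(source):
        print(f"{line}: {issue}: {detail}")
```

The elif handling is the edge case worth noting: Python represents elif as an If node inside the parent's orelse, so a naive depth walk reports a flat if/elif/elif chain as deeply nested, and the check would flag code that is perfectly readable.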

Review Report Generator

Combines PR analysis and code quality findings into structured review reports.

# Generate report for current repo
python scripts/review_report_generator.py /path/to/repo

# Markdown output
python scripts/review_report_generator.py . --format markdown --output review.md

# Use pre-computed analyses
python scripts/review_report_generator.py . \
  --pr-analysis pr_results.json \
  --quality-analysis quality_results.json

Report includes:

  • Review verdict (approve, request changes, block)
  • Score (0-100)
  • Prioritized action items
  • Issue summary by severity
  • Suggested review order

Verdicts:

Score                          Verdict
90+ with no high issues        Approve
75+ with ≤2 high issues        Approve with suggestions
50-74                          Request changes
<50 or critical issues         Block
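How the two analyses can be merged into that verdict, as an added example written for this page and not the skill's review_report_generator.py: PR findings (with a risk level) and quality issues (with an issue type) are combined into one list, the score and per-severity counts drive the verdict rules above, and action items and a file review order fall out of the same ordering. Only the verdict rules come from the page; the scoring (100 minus a fixed penalty per issue by severity), the severity assigned to each quality issue type, and the review-order ranking are this example's own assumptions, and SAMPLE_PR / SAMPLE_QUALITY are constructed inputs shaped like the JSON the scripts above exchange.

```python
"""Combine PR-analysis and quality findings into a score and verdict.

Added example; not the skill's review_report_generator.py. The verdict
rules follow the skill's table; the penalty scheme, the quality-issue
severity mapping and the review-order ranking are this example's own.
"""
from collections import Counter
from typing import Dict, Iterable, List, Mapping

SEVERITIES = ["critical", "high", "medium", "low"]
PENALTY = {"critical": 40, "high": 15, "medium": 5, "low": 1}       # assumed
QUALITY_SEVERITY = {                                                 # assumed
    "god_class": "high", "high_complexity": "high",
    "missing_error_handling": "medium", "deep_nesting": "medium",
    "long_function": "medium", "too_many_params": "medium",
    "large_file": "low", "unused_import": "low", "magic_number": "low",
}


def score(severities: Iterable[str]) -> int:
    """Start at 100, subtract a penalty per issue, never below 0."""
    return max(0, 100 - sum(PENALTY[s] for s in severities))


def verdict(total: int, counts: Mapping[str, int]) -> str:
    """Apply the skill's verdict table to a score and per-severity counts."""
    high = counts.get("high", 0)
    if counts.get("critical", 0) or total < 50:
        return "block"
    if total >= 90 and high == 0:
        return "approve"
    if total >= 75 and high <= 2:
        return "approve with suggestions"
    return "request changes"


def build_report(pr_findings: List[Dict], quality_issues: List[Dict]) -> Dict:
    """pr_findings: [{'file','line','category','risk'}], quality_issues: [{'file','line','issue'}]."""
    items = [dict(f, severity=f["risk"], source="pr") for f in pr_findings]
    items += [dict(q, severity=QUALITY_SEVERITY.get(q["issue"], "low"), source="quality")
              for q in quality_issues]
    counts = Counter(i["severity"] for i in items)
    total = score(i["severity"] for i in items)
    # Action items: worst severity first, then by location.
    items.sort(key=lambda i: (SEVERITIES.index(i["severity"]), i["file"], i["line"]))
    # Review order: files ranked by their worst finding, then by how many they carry.
    ranks: Dict[str, List[int]] = {}
    for item in items:
        ranks.setdefault(item["file"], []).append(SEVERITIES.index(item["severity"]))
    review_order = sorted(ranks, key=lambda f: (min(ranks[f]), -len(ranks[f]), f))
    return {
        "score": total,
        "verdict": verdict(total, counts),
        "summary": {s: counts[s] for s in SEVERITIES},
        "action_items": items,
        "review_order": review_order,
    }


# Constructed inputs in the shape the PR and quality scans would emit.
SAMPLE_PR = [
    {"file": "src/db.ts", "line": 6, "category": "sql_concat", "risk": "high"},
    {"file": "src/util.ts", "line": 3, "category": "todo", "risk": "low"},
]
SAMPLE_QUALITY = [
    {"file": "src/util.ts", "line": 10, "issue": "too_many_params"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_report(SAMPLE_PR, SAMPLE_QUALITY), indent=2))
```

With real input, load the two JSON files the skill's --pr-analysis and --quality-analysis flags refer to and pass their finding lists in place of the samples. The critical check comes first in verdict() on purpose: a single hardcoded secret blocks regardless of how high the numeric score is, which matches the "<50 or critical issues" row of the table.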

Reference Guides

Code Review Checklist

references/code_review_checklist.md

Systematic checklists covering:

  • Pre-review checks (build, tests, PR hygiene)
  • Correctness (logic, data handling, error handling)
  • Security (input validation, injection prevention)
  • Performance (efficiency, caching, scalability)
  • Maintainability (code quality, naming, structure)
  • Testing (coverage, quality, mocking)
  • Language-specific checks

Coding Standards

references/coding_standards.md

Language-specific standards for:

  • TypeScript (type annotations, null safety, async/await)
  • JavaScript (declarations, patterns, modules)
  • Python (type hints, exceptions, class design)
  • Go (error handling, structs, concurrency)
  • Swift (optionals, protocols, errors)
  • Kotlin (null safety, data classes, coroutines)

Common Antipatterns

references/common_antipatterns.md

Antipattern catalog with examples and fixes:

  • Structural (god class, long method, deep nesting)
  • Logic (boolean blindness, stringly typed code)
  • Security (SQL injection, hardcoded credentials)
  • Performance (N+1 queries, unbounded collections)
  • Testing (duplication, testing implementation)
  • Async (floating promises, callback hell)

Languages Supported

Language      Extensions
Python        .py
TypeScript    .ts, .tsx
JavaScript    .js, .jsx, .mjs
Go            .go
Swift         .swift
Kotlin        .kt, .kts

Files

7 total