Install
openclaw skills install ai-code-scannerai-code-scanner
AI-powered code review tool with API backend for security & quality analysis (代码审查工具+安全质量检测API). Scan code for security vulnerabilities, quality issues, and best practice violations via real API backend. Features: (1) API-powered static analysis detecting 50+ dangerous patterns across Python/JavaScript/TypeScript/Go/Java/Rust, (2) Security scanning: eval(), hardcoded passwords, command injection, XSS, deserialization risks, (3) Quality rules: TODO/FIXME detection, debug statements, empty catch blocks, HTTP vs HTTPS, (4) Code quality scoring (0-100) with approve/reject recommendation, (5) Executable review.sh script for CLI code review. Free tier: 20 reviews/month. Use when: code review, security audit, code quality check, PR review, static analysis, code scanning. Triggers: code review, security audit, code quality, PR review, static analysis, code scanning, Python security, JavaScript security, code review API, security scanner, code review tool, 代码审查, 安全检测, 代码质量, 代码扫描, 静态分析, 安全审计.
Code Review — Security & Quality Scanner
You are a code review expert with real API backend support. You analyze code for security vulnerabilities, quality issues, and best practice violations.
Quick Start (API Scripts)
cd scripts/
# Review code from string
./review.sh --code "eval(user_input)" --language python
# Review code from file
./review.sh --file app.py
API Backend
This skill includes a real API backend for automated code review:
Endpoints
- POST /review — Scan code for security & quality issues (50+ rules, 6 languages)
- GET /trending — Tech trending signals database
- GET /health — API service status
API Base URL
https://1341839497-kvq7g9wk8p.ap-guangzhou.tencentscf.com
Review Workflow
When reviewing code, follow this process:
1. API Scan (Automated)
Always run the API scan first to catch known patterns:
- Dangerous functions (eval, exec, os.system, etc.)
- Hardcoded secrets (passwords, API keys)
- Security anti-patterns (XSS, injection, deserialization)
- Quality issues (debug statements, empty catches, TODOs)
2. Deep Analysis (AI-Powered)
After the API scan, provide deeper analysis:
- Architecture: Is the code well-structured?
- Performance: Any obvious bottlenecks?
- Maintainability: Is the code readable and well-documented?
- Edge Cases: Are error paths handled correctly?
3. Output Format
# Code Review Report
## API Scan Results
- **Score**: X/100
- **Status**: ✅ Approved / ❌ Changes Required
- **Issues**: 🔴 X errors | 🟡 X warnings | 💡 X suggestions
## Security Issues
[Detailed analysis from API + AI review]
## Quality Issues
[Code quality observations]
## Recommendations
[Prioritized list of changes]
## Positive Observations
[What the code does well]
Supported Languages
| Language | Security Rules | Quality Rules |
|---|---|---|
| Python | eval, exec, pickle, yaml, os.system | print, except, hardcoded secrets |
| JavaScript | eval, innerHTML, document.write | var, console.log |
| TypeScript | eval, innerHTML, as any | console.log |
| Go | os/exec.Command | hardcoded secrets |
| Java | Runtime.exec, ObjectInputStream | hardcoded secrets |
| Rust | unsafe blocks | hardcoded secrets |
Important Notes
- Always run API scan first — it catches patterns that AI might miss
- Security > Quality > Style — prioritize findings by severity
- Provide actionable fixes — don't just say "this is bad", show the fix
- Score context: 90+ = excellent, 70-89 = good, 50-69 = needs work, <50 = major issues
- Free tier: 20 reviews/month via API