Code Reviewer
v1.0.0
Automated code review, quality gates, and PR analysis. Integrates with GitHub, GitLab, Bitbucket. Enforce style guides, detect bugs, security vulnerabilities...
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims full integration with GitHub/GitLab/Bitbucket and can auto-approve or block merges, but declares no required environment variables or credentials and lists unexpected binaries. Example mismatches: Quick Start uses a 'clawhub' CLI, but required bins list 'openclaw'/'github' (not 'clawhub' or 'gh'). Integrating and performing actions on repos inherently requires API credentials or a GitHub App — those are not declared.
Instruction Scope
SKILL.md instructs the agent to install/configure the reviewer on repos, post review comments, add labels, auto-approve PRs, and block merges. These instructions imply reading/writing repo metadata and taking privileged actions (skipping required reviewers). The doc references ~/.openclaw config files and running 'clawhub code-reviewer install', but does not specify how credentials are obtained or limited. The skill's instructions therefore request broad capabilities without defining required auth or safety limits.
Install Mechanism
No install spec (instruction-only), so nothing will be downloaded or written by an installer step. This lowers risk compared to packaged installs, but leaves the runtime behavior entirely governed by the prose instructions — which are inconsistent and incomplete.
Credentials
The skill declares zero required environment variables or primary credential, yet its functionality (integrating with repos, posting comments, auto-approving, blocking merges) necessarily requires repo credentials or a Git provider app. This absence is disproportionate and unexplained. The skill also references detection of tokens (ghp_, xox*, AKIA...) but doesn't state how secrets or tokens will be provided or protected.
Persistence & Privilege
always:false (no forced inclusion) which is appropriate. Autonomous invocation is allowed (default) — combined with the skill's implied ability to approve/merge PRs this could be powerful if credentials are supplied. The skill stores configuration under ~/.openclaw/code-reviewer (expected), but there is no mention of limiting or auditing the permissions it would use when acting on repositories.
What to consider before installing
What to check before installing:
- Ask the publisher to explain the auth model: does this use a GitHub App, an OAuth token, or personal access tokens? Request a minimal-scoped GitHub App option and explicit list of required scopes (read-only for comments; write/merge only if strictly necessary).
- Resolve the binary/CLI mismatch: SKILL.md examples use 'clawhub', but metadata lists 'openclaw' and 'github'—confirm the actual CLI and its provenance before running it.
- Require explicit install steps and a signed release or well-known distribution channel (not an unverified binary you must download manually).
- Don’t grant admin/merge rights until you can audit the code or run the skill in a restricted, test repo. Prefer provisioning a service account with least privilege and audit logs.
- Verify how the skill stores and protects repository tokens (where on disk, file permissions, rotation policy).
- If you need this capability but don’t trust the vendor yet, run the skill in read-only mode (comments only) on a sandbox repo and monitor actions.
If the publisher provides clear, coherent install docs that declare the exact credentials and minimum required scopes (or a GitHub App with install tokens), and fixes the CLI/binary inconsistencies, this assessment could change to benign.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🔍 Clawdis
Bins: openclaw, git, github
latest
Code Reviewer Skill
Automate code review. Ship faster with confidence.
When to Use
✅ USE this skill when:
- "Review all my pull requests automatically"
- "Enforce our coding standards"
- "Detect security vulnerabilities in PRs"
- "Block performance anti-patterns"
- "Auto-approve trivial changes"
- "Generate review comments on PRs"
- "Ensure no secrets or credentials committed"
When NOT to Use
❌ DON'T use this skill when:
- Architecture-level changes (needs senior human review)
- Complex business logic rewrites
- Security-critical changes (requires human approval anyway)
- Initial project setup (manual setup needed)
💪 The Developer Pain Point
Manual code review sucks:
- Context switching: 15 min per PR → 5 hours/week
- Missing subtle bugs: production incidents
- Inconsistent standards: code quality varies
- Slow feedback: developers wait hours/days
- Review fatigue: important issues get missed
Our solution: Instant, consistent, comprehensive reviews
Time saved: 5-10 hours/week per developer
Value: $300-600/week at $60/hr → $12,000-24,000/month per dev team
Pricing: $29-99/month per repo
ROI: Hours saved in first week
Features
1. Style & Linting Enforcement
```yaml
rules:
  - style:
      tools: ["eslint", "prettier", "rubocop", "black", "gofmt"]
      auto_fix: true
      comment: |
        Style issues found. Run `pnpm run lint:fix` to auto-fix.
  - complexity:
      max_cyclomatic: 10
      max_nesting: 4
      comment: |
        Function too complex (cyclomatic: {{complexity}}/10). Consider refactoring.
  - duplication:
      max_lines_duplicate: 10
      ignore_tests: true
```
2. Bug Detection
```yaml
bugs:
  - null_pointer:
      languages: ["java", "csharp", "kotlin"]
      severity: "high"
  - resource_leak:
      languages: ["go", "rust", "c++"]
      severity: "critical"
  - race_condition:
      languages: ["go", "java", "javascript"]
      patterns: ["mutex", "atomic", "promise"]
  - off_by_one:
      languages: ["c", "cpp", "java"]
      patterns: ["loop_index", "array_access"]
  - improper_error_handling:
      languages: ["python", "javascript", "ruby"]
      patterns: ["try-catch", "throw", "except"]
```
3. Security Scanning
```yaml
security:
  - secrets_detection:
      patterns:
        - aws_secret_key: "AKIA[0-9A-Z]{16}"
        - slack_token: "xox[baprs]-[0-9a-zA-Z-]+"
        - github_token: "ghp_[0-9a-zA-Z]{36}"
        - private_key: "-----BEGIN [A-Z ]+ PRIVATE KEY-----"
      action: "fail_ci" # Block merge
      comment: |
        🚨 **SECRET DETECTED**
        Never commit credentials! Use environment variables or secret manager.
        This PR cannot be merged until removed.
  - sql_injection:
      patterns: ["exec(.*SQL)", "raw_query(.*)", "format(.*SELECT)"]
      languages: ["python", "php", "javascript"]
      severity: "critical"
  - xss:
      patterns: ["innerHTML", "document.write", "dangerouslySetInnerHTML"]
      languages: ["javascript", "typescript", "react"]
      severity: "high"
  - path_traversal:
      patterns: ["__dirname+", "os.path.join(user_input)"]
      languages: ["node", "python"]
      severity: "high"
  - license_compliance:
      check: ["commercial_use", "copyleft", "patent_risk"]
      block_merge: true
```
4. Performance Anti-Patterns
```yaml
performance:
  - n+1_queries:
      languages: ["ruby", "javascript", "python"]
      frameworks: ["rails", "django", "express"]
      comment: |
        N+1 query detected! Use eager loading (`.includes()` or `select_related`).
  - inefficient_loop:
      patterns: ["for(i=0;i<list.length;i++)", "for key in dict:"]
      suggest: "List comprehension / map / filter"
  - large_object_alloc:
      pattern: "new.*inside.*loop"
      comment: "Allocating object in loop → move outside"
  - blocking_io:
      pattern: "await fetch|sync_http_call"
      suggest: "Use async / non-blocking"
```
5. Architecture & Design
```yaml
architecture:
  - god_object:
      max_methods: 20
      max_lines: 500
      comment: |
        This class is too large ({{methods}} methods, {{lines}} LOC).
        Consider splitting responsibilities.
  - feature_envy:
      pattern: "class A using data from class B extensively"
      suggest: "Move method to class B"
  - circular_dependency:
      modules: ["a", "b", "c"]
      severity: "high"
```
Quick Start
1. Connect Repository
```bash
# Install reviewer on a GitHub repo
clawhub code-reviewer install --repo github.com/yourorg/yourrepo

# Configure (opens editor)
clawhub code-reviewer config --repo github.com/yourorg/yourrepo
```
2. Enable Rules
```yaml
# ~/.openclaw/code-reviewer/rules.yaml
include:
  - "security-high"
  - "style"
  - "performance"
exclude:
  - "performance/n_plus_one" # Some false positives
    when: "test_files_only"
severity_overrides:
  - "sql_injection": "block" # Fail CI
  - "style/variable_name": "comment" # Just warn
```
3. Configure Actions
```yaml
actions:
  on_pr_open:
    - "review" # Post review comments
    - "label"  # Add labels (needs-work / safe / security)
  on_pr_update:
    - "review" # Re-review
  auto_approve:
    when:
      - "all_checks_pass == true"
      - "author in [maintainer_team]"
      - "changed_files < 5"
    # Skip required reviewers
  block_merge:
    when:
      - "security_issues_found"
      - "test_coverage < 80%"
    message: |
      ❌ Merge blocked:
      - {{security_issues_found}} security issues
      - Test coverage {{test_coverage}}% < 80%
      Fix before merging.
```
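As an added illustration (not code from the skill or from ClawHub), the following Python runs the four `secrets_detection` patterns from section 3 over a constructed unified diff and then applies the `block_merge` / `auto_approve` gate from the actions config above. The diff contents, the function names and the rule that `block_merge` is evaluated before `auto_approve` are assumptions; the AWS value is the sample key id from AWS's own documentation and the PEM line is a bare header, so neither is a live credential.

```python
import re

# Patterns copied from the skill's security.secrets_detection section.
SECRET_PATTERNS = {
    "aws_secret_key": r"AKIA[0-9A-Z]{16}",
    "slack_token": r"xox[baprs]-[0-9a-zA-Z-]+",
    "github_token": r"ghp_[0-9a-zA-Z]{36}",
    "private_key": r"-----BEGIN [A-Z ]+ PRIVATE KEY-----",
}

# Constructed unified diff (not a real PR); the hunk puts the two added lines
# at new-file lines 42 and 43.
CONSTRUCTED_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -40,3 +40,5 @@
 DEBUG = False
 TIMEOUT = 30
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+PEM = "-----BEGIN RSA PRIVATE KEY-----"
 RETRIES = 3
"""


def scan_added_lines(diff):
    """Return (rule, path, new_lineno) for each added line matching a pattern."""
    findings, path, lineno = [], None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ b/"):
            path, lineno = raw[6:], 0
        elif raw.startswith("@@"):
            # Hunk header gives the new-file start line; first counted line takes it.
            lineno = int(re.search(r"\+(\d+)", raw).group(1)) - 1
        elif raw.startswith("+"):
            lineno += 1
            for rule, pattern in SECRET_PATTERNS.items():
                if re.search(pattern, raw[1:]):
                    findings.append((rule, path, lineno))
        elif not raw.startswith("-"):
            lineno += 1  # unchanged context line also advances the new file
    return findings


def merge_decision(findings, checks_pass, author_is_maintainer, changed_files, coverage):
    """Apply the actions config; block_merge is checked before auto_approve (assumed order)."""
    if findings or coverage < 80:
        return "block"
    if checks_pass and author_is_maintainer and changed_files < 5:
        return "auto_approve"
    return "needs_review"
```

Because `block_merge` is evaluated first, a PR that would otherwise meet every `auto_approve` condition is still blocked when a secret pattern matches an added line.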
GitHub App Setup
```bash
# Create GitHub App (one time)
clawhub code-reviewer create-app \
  --name "Code Reviewer" \
  --webhook-url "https://api.clawhub.com/webhooks/github" \
  --permissions "contents=read, pull_requests=write"

# Install on repositories
clawhub code-reviewer install \
  --app-id 12345 \
  --repo github.com/yourorg/yourrepo

# Or install on all org repos
clawhub code-reviewer install-org \
  --org yourorg \
  --app-id 12345
```
Review Comments Example
What reviewers see in PR:
🔍 **Code Review Summary**
✅ **Passed**: 12 checks
⚠️ **Warnings**: 3
❌ **Failed**: 1 (blocking)
---
### Security 🛡️
- ❌ **Hardcoded secret** in line 42 (`config.py`)
> Remove immediately and rotate credential.
### Performance ⚡
- ⚠️ **N+1 query** in `user_controller.rb:28`
> Use `.includes(:profile)` to load associated records in one query.
### Style 🎨
- ⚠️ **Variable name** `x` is too short (line 15)
> Use descriptive names; min length 3 chars.
- ⚠️ **Missing trailing comma** in multi-line array (line 78)
---
💡 **Suggestions**
1. Run `./gradlew test` → 3 tests failing
2. Code coverage: 75% (target: 80%)
3. Consider adding unit tests for `PaymentProcessor` class
---
🔒 **Auto-approval status**: ❌ Not eligible (security issue blocks)
Custom Rules
Write Your Own (YAML)
```yaml
custom_rules:
  - id: "no_todo_comments"
    pattern: "TODO|FIXME|HACK"
    message: "Remove technical debt comment before merging"
    severity: "warning"
  - id: "no_debugger"
    pattern: "debugger|pdb.set_trace|console.log"
    message: "Remove debugging code"
    severity: "fail"
  - id: "no_console_in_prod"
    pattern: "console.log"
    files: "src/**/*.js"
    except: "tests/**"
    severity: "warning"
  - id: "feature_flag_required"
    pattern: "if.*new_feature"
    message: "Wrap in feature flag: `if (flags.newFeature)`"
    severity: "warning"
  - id: "require_tests"
    condition: "added_lines > 50 && test_files_modified == 0"
    message: "Large change without tests. Add tests for new code."
    severity: "fail"
```
Python Rule Example
```python
# rules/python/no_assert_in_prod.py
from codereviewer import Rule  # the skill's rule base class, per this SKILL.md


class NoAssertInProd(Rule):
    """Flag `assert` statements that appear outside test files."""

    def check(self, file, line):
        # Python strings have no .contains(); use `in` (assumes `line` and
        # `file.path` are str values supplied by the reviewer).
        if "assert " in line and "test" not in file.path:
            return self.fail("Remove assert in production code")
```
GitHub Actions Integration
.github/workflows/code-review.yml:
```yaml
name: Code Review
on:
  pull_request:
    branches: [main, develop]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Code Reviewer
        uses: clawhub/code-reviewer@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          config: .codereview.yaml
```
GitLab CI/CD
.gitlab-ci.yml:
```yaml
code-review:
  stage: test
  script:
    - clawhub code-reviewer run --config .codereview.yaml
  artifacts:
    reports:
      code-review: review-report.json
```
Slack Notifications
```yaml
notifications:
  slack:
    channel: "#code-reviews"
    on:
      - "security_issue"
      - "pr_blocked"
      - "pr_approved"
    format:
      blocks:
        - type: "header"
          text: "{{pr_title}}"
        - type: "section"
          text: "{{review_summary}}"
        - type: "actions"
          elements:
            - type: "button"
              text: "View PR"
              url: "{{pr_url}}"
```
Pricing
Open Source (Free)
- Public repos: free
- Community rules only
- Basic style checks
Pro ($29/mo per repo)
- Private repos
- Custom rules
- Security scanning
- Slack/Teams alerts
- Unlimited reviewers
Business ($99/mo per org)
- All Pro features
- Enterprise security rules
- SSO / SAML
- Audit logs
- Priority support
Enterprise ($499+/mo)
- Unlimited everything
- Custom rule writing service
- On-premise deployment
- SLA guarantees
- Dedicated engineer
Competitive Comparison
| Feature | ReviewDog | SonarQube | CodeClimate | Code Reviewer |
|---|---|---|---|---|
| Price | Free (self-host) | $150/mo | $49/mo | $29/mo |
| GitHub integration | ✅ | ✅ | ✅ | ✅ |
| Custom rules | ✅ | ✅ | ⚠️ limited | ✅ unlimited |
| Auto-approve | ❌ | ❌ | ❌ | ✅ |
| AI suggestions | ❌ | ❌ | ❌ | ✅ |
| Setup time | hours | days | hours | minutes |
Launch Plan
- Build core review engine
- Publish 50+ built-in rules
- Create rule marketplace (community contributed)
- Add AI-powered suggestions (GPT-4)
- Support Bitbucket, Azure DevOps
- Publish to GitHub Marketplace
- Partner with OpenClaw for integration
Automate code reviews. Ship faster, sleep better. 🔍✨
