Cuihua Code Reviewer

v1.0.0

AI-powered code review assistant for OpenClaw agent developers. Automatically analyzes code quality, detects security vulnerabilities, performance issues, an...

⭐ 0· 117·0 current·0 all-time

by@supermario11

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for supermario11/cuihua-code-reviewer.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Cuihua Code Reviewer" (supermario11/cuihua-code-reviewer) from ClawHub.
Skill page: https://clawhub.ai/supermario11/cuihua-code-reviewer
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: git
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install cuihua-code-reviewer

ClawHub CLI

Package manager switcher

npx clawhub@latest install cuihua-code-reviewer

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

The name, description, SKILL.md and included analyzer.js/test files are coherent for a code-reviewer. However the declared requirements list only 'git' while the shipped implementation is a Node script (analyzer.js) — the skill does not declare 'node' or the Node runtime as a required binary. Examples also reference environment variables (e.g., SLACK_WEBHOOK_URL) and features (API server mode, CI/CD integration) that are not declared in requires.env. These omissions are inconsistent with the stated capabilities and should be corrected or explained.

Instruction Scope

Most runtime instructions stay within the code-review scope (reading files, analyzing, generating reports). But examples and SKILL.md include steps that transmit reports externally (Slack webhook example, CI job that uploads reports, an API server example that accepts code over HTTP), and the SKILL.md claims ‘Runs locally - code never leaves your machine’ while also documenting ways to send data to external endpoints. The skill's runtime code (analyzer.js) reads arbitrary files via fs APIs and example scripts show analyzing entire directories and scheduled reviews — which is expected for a reviewer but increases blast radius if paired with external reporting/webhook configuration. Also SKILL.md mentions using OpenClaw's 'read' tool but the implementation uses fs.readFileSync directly — a minor mismatch in how file access is done.

✓

Install Mechanism

There is no external install step that downloads remote archives or runs scripts from arbitrary URLs — the package is instruction+source included in the bundle (analyzer.js, examples, tests). That lowers install-time supply-chain risk. No brew/npm/go downloads or extract-from-URL instructions are present.

Credentials

The skill declares no required environment variables, yet documentation and example code reference process.env.SLACK_WEBHOOK_URL and other env-driven behavior (e.g., sending notifications). The analyzer also scans for hardcoded secrets and contains test code with a fake OpenAI key; that's expected. But lack of declared env requirements (and lack of a declared primary credential) is an omission: if you wire up webhooks or CI, sensitive tokens could be used to transmit data externally. Also omission of 'node' as a required binary is inconsistent with the Node-based analyzer implementation.

✓

Persistence & Privilege

The skill is not marked always:true and does not request persistent platform privileges. It does not modify other skills. Examples include installing a pre-commit hook and running scheduled cron jobs — those are user actions and not automatic. Autonomous invocation is enabled by default (disable-model-invocation: false) which is standard; this combined with the above concerns increases impact if the skill were malicious, but on its own is not unusual.

What to consider before installing

This package appears to be a legitimate local code-review tool, but there are a few red flags to check before you install or run it: 1) Runtime mismatch: the bundle contains a Node script (analyzer.js) but the skill only lists 'git' as a required binary — ensure your environment has Node and that the skill author updates requirements. 2) Undeclared external integrations: examples show posting reports to Slack (SLACK_WEBHOOK_URL) and running an HTTP API server; the skill does not declare any required env vars for these. Only provide webhooks or tokens if you trust the skill and its source. 3) Confirm source and provenance: the registry entry has no homepage and an unknown owner; if you can't audit the code yourself, treat it as higher risk. 4) Audit the code: review analyzer.js and EXAMPLES.md locally before running; pay attention to any code paths that open network connections, spawn processes, or write files outside the project. 5) Run in a restricted environment first: test in an isolated/sandboxed repo or container, avoid giving CI secrets or webhooks until you're confident. 6) If you plan to enable pre-commit hooks or scheduled runs, inspect and control those hooks yourself rather than automatically applying them. If you want me to, I can: list the exact places analyzer.js performs file or network I/O, point out any lines that would execute child processes, or produce a minimal checklist for safely auditing and running this skill.

✗

analyzer.js:109

Shell command execution detected (child_process).

✗

analyzer.js:143

Dynamic code execution detected.

✗

test-bad-code.js:17

Dynamic code execution detected.

test-bad-code.js:35

File read combined with network send (possible exfiltration).

Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binsgit

latestvk97ark5fh7bhdvx1tw2197241183hx0t

117downloads

0stars

1versions

Updated 1mo ago

v1.0.0

MIT-0

code-reviewer - AI Code Review Assistant 🔍

Built for AI agent developers who care about code quality.

An intelligent code review assistant that analyzes your codebase and provides detailed, actionable feedback on:

🛡️ Security vulnerabilities
⚡ Performance bottlenecks
🧹 Code smells and anti-patterns
✨ Best practices adherence
📚 Documentation quality

🎯 Why code-reviewer?

When building AI agents with OpenClaw, code quality matters more than ever:

Agents often run with elevated permissions
Security vulnerabilities can be exploited by malicious prompts
Performance issues compound when agents loop
Maintainability is critical for evolving agent behavior

code-reviewer understands these unique challenges and provides tailored advice.

🚀 Quick Start

Review a single file

Tell your agent:

"Review the code quality of src/agent.js"

Review an entire directory

"Analyze all Python files in ./skills/my-skill/"

Get a detailed report

"Generate a full code review report for the current project"

📋 What Gets Checked

Security 🛡️

Injection vulnerabilities - Command injection, path traversal, eval usage
Sensitive data exposure - Hardcoded secrets, API keys in code
Unsafe dependencies - Known CVEs in package.json/requirements.txt
Permission issues - Overly broad file access, unnecessary privileges

Performance ⚡

Inefficient algorithms - O(n²) when O(n) exists, unnecessary loops
Memory leaks - Unreleased resources, closure traps
Blocking operations - Sync file I/O in async contexts
Redundant computations - Repeated calculations, unnecessary allocations

Code Quality 🧹

Code smells - Long functions, deep nesting, duplicated code
Naming conventions - Inconsistent or unclear variable names
Dead code - Unused imports, unreachable statements
Magic numbers - Hardcoded values without explanation

Best Practices ✨

Error handling - Unhandled promises, swallowed exceptions
Testing - Missing tests, low coverage areas
Documentation - Missing docstrings, unclear comments
Type safety - Missing type annotations (TypeScript/Python)

🎨 Output Format

Terminal Summary

🔍 Code Review Summary
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

📁 Files analyzed: 12
⚠️  Issues found: 8

Severity Breakdown:
  🔴 Critical: 1
  🟠 High:     2
  🟡 Medium:   3
  🟢 Low:      2

Top Issues:
  1. [CRITICAL] SQL injection vulnerability in query.js:45
  2. [HIGH] Hardcoded API key in config.js:12
  3. [HIGH] Memory leak in worker.js:78

💡 Run with --detailed for full report

Detailed Markdown Report

Saved to code-review-report.md:

# Code Review Report

**Generated**: 2026-03-24 20:30 PDT
**Project**: my-agent-project
**Files Reviewed**: 12
**Total Issues**: 8

## 🔴 Critical Issues (1)

### 1. SQL Injection Vulnerability
**File**: `src/query.js:45`
**Severity**: CRITICAL

**Issue**:
Unsanitized user input directly interpolated into SQL query.

**Code**:
\`\`\`javascript
const query = `SELECT * FROM users WHERE id = ${userId}`;
\`\`\`

**Impact**:
Allows arbitrary SQL execution. Attacker could read/modify database.

**Fix**:
Use parameterized queries:
\`\`\`javascript
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);
\`\`\`

---

## 🟠 High Priority Issues (2)

### 2. Hardcoded API Key
**File**: `config.js:12`
...

⚙️ Configuration

Create .codereview.json in your project root for custom rules:

{
  "severity": {
    "min": "medium",
    "failOnCritical": true
  },
  "ignore": {
    "files": ["*.test.js", "dist/*"],
    "rules": ["magic-numbers"]
  },
  "languages": ["javascript", "python"],
  "output": {
    "format": "markdown",
    "path": "./reports/code-review.md"
  }
}

🧠 How It Works

Parse - Reads your code files using OpenClaw's read tool
Analyze - Uses AI to understand code structure and intent
Detect - Applies security, performance, and quality rules
Report - Generates actionable findings with fix suggestions
Learn - Adapts to your codebase patterns over time

🌟 Features

Multi-Language Support

✅ JavaScript / TypeScript
✅ Python
✅ Go
✅ Rust
✅ Shell scripts
🔄 More languages coming soon

Smart Context Awareness

Understands your project type:

OpenClaw skills and plugins
Express/Fastify APIs
React/Vue frontends
CLI tools
Lambda functions

Incremental Reviews

Reviews only changed files in Git:

"Review my latest changes"

Team Integration

Share review reports with your team:

Export to GitHub PR comments
Slack/Discord notifications
Email summaries

💡 Usage Examples

Example 1: Pre-commit Review

Agent: Review all staged files before I commit

Output:

✅ All clear! No critical issues found.
💡 3 minor suggestions:
  - Consider adding error handling in auth.js:23
  - Variable 'temp' could use a better name in utils.js:56
  - Add JSDoc for function processData() in api.js:12

Example 2: Security Audit

Agent: Run a security audit on ./src/

Output:

🛡️ Security Audit Results
━━━━━━━━━━━━━━━━━━━━━━━

🔴 1 critical vulnerability found
🟠 2 high-risk issues detected

Details:
1. [CRITICAL] Command injection in exec.js
2. [HIGH] Sensitive data in logs
3. [HIGH] Missing input validation

📄 Full report: security-audit-2026-03-24.md

Example 3: Performance Check

Agent: Find performance bottlenecks in worker.js

Output:

⚡ Performance Analysis
━━━━━━━━━━━━━━━━━━━━━

Found 3 optimization opportunities:

1. Line 45: O(n²) loop - use Map for O(n)
2. Line 67: Sync file read blocks event loop
3. Line 89: Regex compiled in hot path

Estimated improvement: 85% faster

🔒 Privacy & Security

✅ Runs locally - Your code never leaves your machine
✅ No telemetry - Zero data collection
✅ Open source - Audit the code yourself
✅ Safe analysis - Never executes your code

📦 Installation

Via ClawHub (Recommended)

clawhub install code-reviewer

Manual Installation

git clone https://github.com/your-username/code-reviewer
cd code-reviewer
clawhub publish .

🤝 Contributing

Found a bug? Have a feature idea?

🐛 Report issues: GitHub Issues
💡 Suggest features: Discussions
🔧 Submit PRs: Contributing Guide

📜 License

MIT License - see LICENSE for details.

🙏 Acknowledgments

Built with ❤️ by 翠花 for the OpenClaw community.

Special thanks to:

OpenClaw team for the amazing framework
ClawHub for making skill distribution easy
Early adopters for feedback and bug reports

📞 Support

📖 Documentation: Full docs
💬 Discord: Join #code-reviewer
📧 Email: support@your-domain.com

Made with 🌸 by 翠花 | ClawHub Pioneer

Comments

Loading comments...