Fastapi Code Review

v1.1.1

Reviews FastAPI code for routing patterns, dependency injection, validation, and async handlers. Use when reviewing FastAPI apps, checking APIRouter setup, D...

⭐ 0· 211·1 current·1 all-time

byKevin Anderson@anderskev

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for anderskev/fastapi-code-review.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Fastapi Code Review" (anderskev/fastapi-code-review) from ClawHub.
Skill page: https://clawhub.ai/anderskev/fastapi-code-review
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install fastapi-code-review

ClawHub CLI

Package manager switcher

npx clawhub@latest install fastapi-code-review

Security Scan

VirusTotal

Pending

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name/description match the SKILL.md and reference files. The skill only asks the agent to inspect FastAPI code and follow review gates; there are no unrelated env vars, binaries, or installs requested.

ℹ

Instruction Scope

Runtime instructions explicitly tell the agent to open repository files, anchor findings to file:line, read handler bodies, and search the repo for Depends/Security/etc. That is appropriate for a code-review skill but means the agent must be allowed to read the project's source; also the SKILL.md references ../review-verification-protocol/SKILL.md which is not present in the provided manifest (missing reference).

✓

Install Mechanism

No install spec and no code files — instruction-only skill. This minimizes risk because nothing is written to disk or fetched at install time.

✓

Credentials

The skill declares no environment variables, credentials, or config paths. It does not request secrets or external service tokens; this is proportional to a static code-review assistant.

✓

Persistence & Privilege

always:false (not forced into every agent run), user-invocable:true, and model-invocation allowed (normal). Note: because the skill reads repo files when run, allowing autonomous invocation increases the potential impact if combined with other risky skills, but by itself this is expected.

Assessment

This skill appears to do exactly what it says: guide a FastAPI code review by reading source files. It's low-risk because it has no install or secret requirements, but be aware it needs read access to your repository to operate. Before installing/run: (1) ensure you don't expose secrets in the repository (API keys, credentials, .env files), (2) confirm the missing referenced file (review-verification-protocol) if you rely on that gate, and (3) if you allow autonomous invocation, restrict agent permissions or run reviews on a sanitized copy of the codebase.

Like a lobster shell, security has layers — review code before you run it.

latestvk973k2q9xkfr88nfkjd4cz41ds85ag36

211downloads

0stars

2versions

Updated 6d ago

v1.1.1

MIT-0

FastAPI Code Review

Quick Reference

Issue Type	Reference
APIRouter setup, response_model, status codes	references/routes.md
Depends(), yield deps, cleanup, shared deps	references/dependencies.md
Pydantic models, HTTPException, 422 handling	references/validation.md
Async handlers, blocking I/O, background tasks	references/async.md

Review Checklist

Valid Patterns (Do NOT Flag)

These are idiomatic FastAPI patterns that may appear problematic but are correct:

Pydantic validates request body automatically - No manual validation needed when using typed Pydantic models as parameters
Dependency injection for database sessions - Sessions come from Depends(), not passed as function arguments
HTTPException for all HTTP errors - FastAPI handles conversion to proper HTTP responses
Async def endpoint without await - May be using sync dependencies or simple operations; FastAPI handles this
Type annotation on Depends() - This is documentation/IDE support, not a type assertion
Query/Path/Body defaults - FastAPI processes these at runtime, not traditional Python defaults
Returning dict from endpoint - Pydantic converts automatically if response_model is set

Context-Sensitive Rules

Only flag issues when the context warrants it:

Flag missing validation ONLY IF the field isn't already in a Pydantic model with validators
Flag missing auth ONLY IF the endpoint isn't using Depends() with an auth dependency
Flag missing error handling ONLY IF HTTPException isn't raised appropriately for error cases
Flag sync in async ONLY IF the operation is actually blocking (file I/O, network calls, CPU-bound), not just non-async

Gates (FastAPI-specific)

Run once per FastAPI-related finding, after you can anchor file:line for the handler (see review-verification-protocol) and before the finding text ships. If a step’s pass condition is not met, do not assert the finding as written—gather evidence, withdraw, downgrade severity, or rephrase as a question.

Gate 1 — Route decorator and response surface

Step	Action	Pass condition
1a	Open the handler’s route decorator in the repo (not from memory).	`file:line` for `@router.` / `@app.` (or the site that registers this handler).
1b	Record HTTP method, `response_model=`, and `status_code=` on that decorator (or note they are absent).	Snippet from that line or explicit absent with the same `file:line`.

Gate 2 — Blocking or “should be async”

Step	Action	Pass condition
2a	Read the full handler body.	`file:line` range covering the body.
2b	If claiming blocking I/O: name each blocking call (e.g. `requests.`, `open(`, `time.sleep`, sync DB/ORM).	Each call has `file:line`, or withdraw the finding if none after the read.

Gate 3 — Depends, validation, auth

Step	Action	Pass condition
3a	List parameters: `Depends` / `Annotated[..., Depends]`, Pydantic models, `Body`/`Query`/`Path`, `Request`/`Response`.	Names + mechanism tied to `file:line` on the signature.
3b	If claiming missing auth: search the handler file (and its `APIRouter` module if separate) for `Depends`, `Security`, `HTTPBearer`, or project auth dependencies.	Citation to an existing hook, or search result: paths searched + N matches (zero is allowed).
3c	If claiming missing validation: confirm the argument is not already a Pydantic model or constrained `Query`/`Path`/`Body`.	Type/source with `file:line`, or withdraw if validation already applies.

FastAPI Framework Behaviors

FastAPI + Pydantic handle many concerns automatically:

Request validation via Pydantic models
Response serialization via response_model
Dependency injection for cross-cutting concerns
Exception handling via exception handlers

Before flagging "missing" functionality, verify FastAPI isn't handling it.

When to Load References

Reviewing route definitions → routes.md
Reviewing dependency injection → dependencies.md
Reviewing Pydantic models/validation → validation.md
Reviewing async route handlers → async.md

Review Questions

Do all routes have explicit response models and status codes?
Are dependencies injected via Depends() with proper cleanup?
Do all Pydantic models validate inputs correctly?
Are all route handlers async and non-blocking?

Before Submitting Findings

For each FastAPI-related finding, complete Gates (FastAPI-specific) above.
Load and follow review-verification-protocol (Pre-Report checklist and Verification by Issue Type) before reporting any issue.

Comments

Loading comments...