ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GitHub 智能代码审查与 CI/CD 自动化

v1.0.0

GitHub 智能代码审查与 CI/CD 自动化完整工作流。 场景:收到 PR 或提交代码时,自动完成 AI 代码审查(bug/安全/逻辑问题), 并根据审查结果智能生成或推荐 GitHub Actions CI/CD 工作流。 触发词:代码审查、review PR、生成 CI/CD、GitHub Actions...

0· 57·0 current·0 all-time
by@zlszhonglongshen
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the instructions: the SKILL.md describes collecting PR/repo info via the gh CLI, running an AI review, and generating GitHub Actions workflows. Declared dependencies (gh, quack-code-review, github-actions-generator) are coherent with the stated purpose.
!
Instruction Scope
Instructions are mostly narrow and limited to repository- and PR-scoped operations (gh pr view/diff, analyze pr-diff.txt, generate workflows, post PR comments). However, the SKILL.md contains unicode control characters (prompt-injection signal) which may be attempting to hide or manipulate runtime prompts/behavior; this is a red flag because it can alter how the agent executes or interprets instructions. Also the skill implicitly requires authenticated gh access but does not explicitly declare required auth/env vars.
Install Mechanism
Instruction-only skill (no install spec, no code files to execute). Lowest install risk. It assumes external CLIs/tools are present but does not fetch or install code itself.
Credentials
The skill requests no environment variables in metadata, which is consistent with being instruction-only. In practice it requires an authenticated gh CLI (GITHUB_TOKEN or gh auth login) to read/write PRs and post comments; that credential access is appropriate for the purpose but is not explicitly declared. Also it relies on third-party skills/tools (quack-code-review, github-actions-generator) — their required credentials/permissions are not described here and should be verified.
Persistence & Privilege
Skill is not always-enabled and is user-invocable; it does not request permanent presence or system-wide configuration changes. It does post PR comments (expected behavior) but does not request elevated agent privileges in metadata.
Scan Findings in Context
[unicode-control-chars] unexpected: Control/unicode invisible characters were detected in SKILL.md. This is not expected for a straightforward automation/instruction document and can be used to hide or manipulate prompts or to alter parsing. Inspect the raw SKILL.md for hidden content or remove control characters before trusting the skill.
What to consider before installing
This skill is coherent with its stated goal (it uses the gh CLI to fetch PR data, calls an AI reviewer, then generates workflow files and posts PR comments). Before installing or enabling it: 1) review the raw SKILL.md/README for hidden characters (the scan found unicode control chars) and remove or ask the author to explain them; 2) verify and trust the third-party tools referenced (quack-code-review and github-actions-generator) — confirm their source and permissions; 3) ensure the GitHub credentials used (gh auth / GITHUB_TOKEN) have minimal scopes (repo actions as needed) and are not shared broadly; 4) test the workflow in a sandbox repo (no secrets) to confirm it only reads repository data and posts intended comments; 5) if you need higher assurance, ask the publisher for a homepage/origin and source code for the referenced tools. If any of these checks fail or the author cannot explain the control characters and third-party tooling, avoid enabling the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97emg9nvbjzm7cqq3rvw7gbrx84sa12
57downloads
0stars
1versions
Updated 5d ago
v1.0.0
MIT-0
@zlszhonglongshen
latest
Download

GitHub 智能代码审查与 CI/CD 自动化

技能简介

本技能是一个三阶段自动化工作流,专门用于提升 GitHub 项目代码质量与 CI/CD 效率

工作流程

阶段一:GitHub 信息收集(github)

使用 gh CLI 获取仓库、PR 或提交的相关信息:

# 查看 PR 详情
gh pr view <pr-number> --repo <owner/repo> --json title,body,files,additions,deletions,author

# 获取 PR 变更文件列表
gh pr diff <pr-number> --repo <owner/repo>

# 查看最近提交记录
gh api repos/<owner>/<repo>/commits?per_page=10

# 列出仓库所有 Actions 工作流
gh workflow list --repo <owner/repo>

收集以下上下文信息:

  • PR 标题、描述、作者
  • 变更文件列表(新增/修改/删除)
  • 代码行数统计
  • 当前 CI 状态

阶段二:AI 代码审查(quack-code-review)

对收集到的代码变更进行深度 AI 审查:

  1. Bug 检测:空指针、边界条件、异常处理不当
  2. 安全漏洞:注入风险、敏感信息泄露、不安全依赖
  3. 逻辑问题:业务逻辑错误、状态机问题、并发安全问题
  4. 代码质量:风格不一致、重复代码圈复杂度
  5. 最佳实践:现代语言特性使用、错误处理规范

输出格式:

## 🔍 代码审查报告

### 🔴 严重问题(必须修复)
- [文件:行号] 问题描述
- 修复建议

### 🟡 建议改进
- [文件:行号] 问题描述
- 修复建议

### ✅ 审查通过
- 通过检查项列表

### 📊 统计
- 文件数: X | 新增: +X | 删除: -X
- 严重: X | 建议: X

阶段三:智能 CI/CD 生成(github-actions-generator)

根据阶段二的审查结果与项目技术栈,自动生成 GitHub Actions 工作流:

生成策略:

  • Node.js/TypeScript → node.yml:安装 → lint → test → build
  • Python → python.yml:安装依赖 → pytest → 覆盖率报告
  • Go → go.yml:构建 → 测试 → 多平台构建
  • Docker 项目 → docker.yml:构建 → 推送镜像 → 安全扫描
  • 审查发现问题 → 在工作流中增加对应检查步骤(如安全扫描、代码覆盖率阈值)

生成的文件:

  • .github/workflows/ci.yml — 主 CI 工作流
  • .github/workflows/security.yml — 安全扫描(发现安全问题启用)
  • .github/workflows/cd.yml — 部署工作流(如适用)

使用说明:

# 生成 Node.js CI 工作流
github-actions-generator --lang node --framework express

# 生成带安全扫描的 Python CI 工作流
github-actions-generator --lang python --security-scan --coverage

# 生成 Docker 构建+推送工作流
github-actions-generator --lang docker --registry ghcr.io

使用场景

场景输入输出
PR Code ReviewPR 链接或 owner/repo#pr-number审查报告 + PR 评论
提交审查提交 SHA 或 commit message审查报告
新项目 CI 搭建仓库 URL + 技术栈完整 CI/CD 工作流
安全合规检查仓库 URL安全扫描报告 + 修复建议

依赖工具

  • gh CLI(GitHub 官方命令行工具)
  • quack-code-review(LogicArt AI 代码分析)
  • github-actions-generator(Sunshine-Del 团队出品)

最佳实践

  1. 每次提交必审查:配合 GitHub Actions 自动触发,在代码合并前发现问题
  2. 审查结果写入 PR 评论:使用 gh pr comment 将报告自动写入 PR
  3. CI 工作流渐进生成:先审查再生成,确保工作流覆盖已有问题
  4. 安全优先:发现安全漏洞时,自动启用 security.yml 工作流

注意事项

  • 审查报告仅作为辅助建议,最终决策由开发者负责
  • 生成的 CI/CD 工作流需根据实际项目需求调整
  • 敏感信息(如密钥、Token)不要在审查报告中暴露

Comments

Loading comments...