GitLab MR Code Review
v1.0.0
Automated AI code review for GitLab Merge Requests via polling. Periodically checks for open MRs, reviews code diffs for security vulnerabilities, bugs, and...
MIT-0
Security Scan
OpenClaw verdict: Benign (high confidence)
Purpose & Capability
Name/description align with what is present: a Node script that polls a GitLab instance and posts comments/notes. Declared requirements (node, GITLAB_URL, GITLAB_TOKEN) are appropriate and sufficient for the stated purpose; there are no unrelated env vars or binaries requested.
Instruction Scope
SKILL.md and cron setup describe polling, fetching diffs, optionally fetching a per‑project prompt file, posting inline comments and a summary note, and recording reviewed MRs to {baseDir}/mr-reviewed.json. These actions are consistent with the stated purpose. Note: the cron worker text includes an explicit directive to "Do not ask for permission — execute directly," which grants the agent automated behavior without interactive confirmation; this is expected for background automation but users should be aware it will act autonomously and write local files (/tmp and {baseDir}/mr-reviewed.json).
Install Mechanism
No install spec — instruction-only plus a single included Node script. Nothing is downloaded from external URLs or extracted; risk from installation artifacts is low. The only runtime requirement is Node on PATH.
Credentials
Only GITLAB_URL and GITLAB_TOKEN are required; GITLAB_TOKEN is declared as the primary credential. That is proportionate for a tool that lists MRs and posts comments. There are no other secret env vars or unrelated credentials requested.
Persistence & Privilege
always:false (no forced inclusion). However, the recommended cron configuration runs every 2 minutes and the cron worker is instructed to execute autonomously and write a local reviewed-log file. This gives regular background activity and the ability to post to GitLab using the provided token; users should be deliberate about enabling the cron worker and about token scope.
Assessment
This skill appears to do what it claims: poll GitLab, review diffs, and post comments. Before enabling it, confirm the following:
- Use a GitLab token with the minimum necessary scope (prefer a project access token or a PAT limited to the target projects rather than a broad admin token).
- Decide where {baseDir} will be and ensure mr-reviewed.json and any /tmp files are stored with appropriate permissions and backed up if needed.
- Review the included scripts yourself (scripts/gitlab-api.js is short and readable) and test the get-version and list-mrs commands manually.
- Be cautious when enabling the cron worker: it runs frequently (*/2 * * * *) and the worker message explicitly directs automated execution without interactive confirmation.
- Verify that the Node version in your environment supports fetch, or run it with a compatible Node (v18+), and run the cron worker in an isolated session if you want to limit its filesystem/network exposure.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
- scripts/gitlab-api.js:16: environment variable access combined with network send.
- scripts/gitlab-api.js:160: file read combined with network send (possible exfiltration).
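The two flagged patterns both describe the token from GITLAB_TOKEN (and file contents) being attached to outbound requests. The check a reviewer wants is that those requests can only ever reach the origin configured in GITLAB_URL. The helper below is an added example written for this page, not code from the skill's scripts/gitlab-api.js; the function names (apiUrl, projectPath, gitlabRequest, redact) and the sample hostnames are assumptions. It resolves API paths against GITLAB_URL the way a WHATWG URL parser would, refuses anything that lands on a different origin (protocol-relative and absolute paths are the usual way a path gets steered elsewhere), URL-encodes namespaced project paths as GitLab's /projects/:id endpoints require, and strips the token from text before it is logged.

```javascript
// Added example, not the skill's own code. Guard that GITLAB_TOKEN is only sent
// to the origin named in GITLAB_URL, plus the URL-encoding GitLab needs for
// "group/project" style project identifiers.

// Resolve apiPath against GITLAB_URL and verify the origin did not change.
// "//evil.example/x" or "https://evil.example/x" would otherwise be resolved
// by the URL parser to another host, and the token would follow it there.
function apiUrl(gitlabUrl, apiPath) {
  const base = new URL(gitlabUrl);
  if (base.protocol !== "https:") {
    throw new Error(`GITLAB_URL must use https, got ${base.protocol}`);
  }
  // Keep an instance served under a sub-path (https://host/gitlab) working.
  const prefix = base.pathname.replace(/\/$/, "");
  const target = new URL(prefix + apiPath, base);
  if (target.origin !== base.origin) {
    throw new Error(`refusing to send token to ${target.origin}`);
  }
  return target.toString();
}

// /projects/:id accepts a numeric id or a namespaced path; the path must be
// encoded as one segment (group%2Fproject). Extra segments are appended.
function projectPath(project, ...rest) {
  const id = /^\d+$/.test(String(project)) ? String(project) : encodeURIComponent(project);
  return ["/api/v4/projects", id, ...rest.map((s) => encodeURIComponent(s))].join("/");
}

// Everything the caller needs for fetch(): URL plus the PRIVATE-TOKEN header
// GitLab reads for personal and project access tokens.
function gitlabRequest(gitlabUrl, apiPath, token) {
  return {
    url: apiUrl(gitlabUrl, apiPath),
    headers: { "PRIVATE-TOKEN": token, Accept: "application/json" },
  };
}

// Never let the token reach a log line or an error message.
function redact(text, token) {
  return token ? String(text).split(token).join("[REDACTED]") : String(text);
}

// Stand-alone demo with assumed values (no network access is made).
const demo = gitlabRequest(
  "https://gitlab.example.com",
  projectPath("group/project", "merge_requests", "42", "changes"),
  "glpat-example"
);
console.log(demo.url, redact(JSON.stringify(demo.headers), "glpat-example"));
```

A note on scope for the first assessment point: get-version, list-mrs, get-changes and get-file work with the read_api scope, but post-comment and post-note need the api scope, so a token granted only read_api is a cheap way to dry-run the poller before letting it write to MRs.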
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Bins: node
Env: GITLAB_URL, GITLAB_TOKEN
Primary env: GITLAB_TOKEN
SKILL.md
GitLab MR Code Review
Polling-based automated code review for GitLab MRs.
Architecture
Cron (*/2 * * * *) → gitlab-api.js list-mrs → skip reviewed → fetch diff → AI review → post comments/note
- No webhook server — pure polling
- Reviewed MRs tracked in {baseDir}/mr-reviewed.json
Setup
- Set env vars (GITLAB_URL, GITLAB_TOKEN) in your shell environment or .env file
- Test: node {baseDir}/scripts/gitlab-api.js get-version
- Install cron worker: see references/cron-setup.md for the full command
API Script Reference
```bash
node {baseDir}/scripts/gitlab-api.js get-version                                  # Test connection
node {baseDir}/scripts/gitlab-api.js list-mrs                                     # List open MRs
node {baseDir}/scripts/gitlab-api.js list-mrs --project <project_path>            # Filter by project
node {baseDir}/scripts/gitlab-api.js get-changes <project_id> <mr_iid>            # Fetch MR diff
node {baseDir}/scripts/gitlab-api.js get-file <project_id> <branch> <path>        # Fetch file content
node {baseDir}/scripts/gitlab-api.js post-comment --file <json> <pid> <iid>       # Inline comment (use --file!)
node {baseDir}/scripts/gitlab-api.js post-note <project_id> <mr_iid> '<text>'     # Summary note
```
post-comment JSON format
```json
{
  "body": "**[Critical]** sql_injection\n\nRaw query with user input.",
  "position": {
    "base_sha": "abc123",
    "start_sha": "def456",
    "head_sha": "ghi789",
    "new_path": "src/db.js",
    "new_line": 42
  }
}
```
base_sha/start_sha/head_sha come from get-changes output's diff_refs.
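The three SHAs are copied straight from diff_refs, but new_line has to be computed: it is the line number in the new version of the file (the "Wrong line numbers" entry in Troubleshooting), and the only place that number is available without a second API call is the hunk header of the diff. The block below is an added example, not part of the skill's scripts; the sample response, the finding object and the function names (addedLines, findPosition, buildInlineComment) are constructed for illustration. It walks the unified diff returned by the Merge Request Changes API, numbers the added lines in new-file coordinates, and emits the post-comment JSON in the format above.

```javascript
// Added example, not code from scripts/gitlab-api.js. Build the post-comment
// JSON from a get-changes style response: SHAs from diff_refs, new_line from
// the diff's hunk headers (new-file numbering).

// Constructed sample in the shape of GET /projects/:id/merge_requests/:iid/changes,
// reduced to the fields used here. The hunk turns old lines 10-12 into new 10-13.
const sampleChanges = {
  diff_refs: { base_sha: "abc123", start_sha: "def456", head_sha: "ghi789" },
  changes: [
    {
      old_path: "src/db.js",
      new_path: "src/db.js",
      diff: [
        "@@ -10,3 +10,4 @@",
        " function getUser(db, id) {",
        "-  return db.query('SELECT * FROM users WHERE id = ' + id);",
        "+  const sql = 'SELECT * FROM users WHERE id = ' + id;",
        "+  return db.query(sql);",
        " }",
        "",
      ].join("\n"),
    },
  ],
};

// Return every added line with its number in the NEW file. Context lines advance
// the counter, removed ("-") lines do not, and "\ No newline..." markers are skipped.
function addedLines(diff) {
  const out = [];
  let newLine = 0;
  for (const line of diff.split("\n")) {
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(line);
    if (hunk) {
      newLine = Number(hunk[1]);
      continue;
    }
    if (line.startsWith("\\")) continue;
    if (line.startsWith("+")) {
      out.push({ newLine, text: line.slice(1) });
      newLine += 1;
    } else if (line.startsWith(" ") || line === "") {
      newLine += 1;
    }
  }
  return out;
}

// First added line in newPath matching pattern, as the position object the
// post-comment JSON expects. null when the file or the line is not in this MR.
function findPosition(changes, newPath, pattern) {
  const change = changes.changes.find((c) => c.new_path === newPath);
  if (!change) return null;
  const hit = addedLines(change.diff).find((l) => pattern.test(l.text));
  if (!hit) return null;
  const { base_sha, start_sha, head_sha } = changes.diff_refs;
  return { base_sha, start_sha, head_sha, new_path: newPath, new_line: hit.newLine };
}

// Body in the "**[Severity]** category\n\nmessage" layout used by post-comment.
function buildInlineComment(changes, finding) {
  const position = findPosition(changes, finding.path, finding.pattern);
  if (!position) return null;
  const body = `**[${finding.severity}]** ${finding.category}\n\n${finding.message}`;
  return { body, position };
}

// Constructed finding: string concatenation into a SELECT on an added line.
const sqlInjection = {
  severity: "Critical",
  category: "sql_injection",
  message: "Raw query with user input.",
  path: "src/db.js",
  pattern: /SELECT .* \+ /,
};

// Stand-alone: this is the JSON you would write to the file given to --file.
console.log(JSON.stringify(buildInlineComment(sampleChanges, sqlInjection), null, 2));
```

Only added lines are candidates on purpose: a removed line has no new_line, and commenting on an unchanged context line would need the old_path/old_line pair as well. Note also that the JSON format on this page carries no position_type field, which GitLab's discussions API requires ("text" for line comments); check whether scripts/gitlab-api.js adds it before relying on inline comments landing.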
Review Rules
- Default: references/review-guidelines.md — severity levels, output format, what to skip
- Per-project: place .gitlab-review-prompt.md in the repo root; the worker auto-fetches it via get-file
Troubleshooting
| Problem | Fix |
|---|---|
| MRs not reviewed | openclaw cron list — is worker enabled? |
| API errors | node {baseDir}/scripts/gitlab-api.js get-version |
| Duplicate reviews | Check {baseDir}/mr-reviewed.json exists and is writable |
| Garbled comments | Use --file mode for post-comment (Windows PowerShell encoding) |
| Wrong line numbers | new_line must be the line number in the NEW version of the file |
Files: 4 total
