openclaw-code-review-skill
v1.0.1
Performs a structured review of a Pull Request or code diff, using multiple agents reviewing in parallel plus confidence scoring to filter out false positives. Triggers: /code-review, "review PR", "code review" (original trigger phrases: /code-review、审查 PR、代码审查).
by cdaaa@cdapic
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign (medium confidence)
Purpose & Capability
The name/description (PR/code-diff review with multiple agents and confidence filtering) matches the runtime instructions: using gh to fetch PR data, running git blame/log, summarizing diffs, and optionally posting comments. Requiring the GitHub CLI and a local git context is appropriate for this purpose.
Instruction Scope
Instructions stay within code-review scope (fetch PR details, read CLAUDE.md, run diffs, run git blame/log, produce structured report, optionally post gh comments). Two minor concerns: (1) the runtime uses a 'sessions_spawn' mechanism to start parallel agents but the skill doesn't document where that utility comes from or whether it spawns external model calls — you should confirm the platform has this facility and how spawned agents are authorized; (2) the built-in aggressive filtering (only reporting ≥80 confidence and excluding pre-existing issues) may suppress valid findings; ensure you understand the filter semantics.
Install Mechanism
This is an instruction-only skill with no install spec, no downloads, and no packages to write to disk — lowest install risk. It does assume 'gh' (GitHub CLI) and a git repository are available; README mentions this.
Credentials
The skill requests no env vars or credentials. However, it relies on the user's GitHub CLI authentication (gh auth) and local git repo state to read and post PR comments. That is proportionate for a PR-commenting tool but means the skill will operate using whatever permissions the configured 'gh' session has — verify your gh login is scoped appropriately before running the skill.
Persistence & Privilege
always:false and no persistent system modifications are requested. The skill does include an optional action to post PR comments (via gh pr comment) only when the user explicitly requests '发布评论' ("post comment") or uses --comment; verify that behavior before granting broad automation rights.
Assessment
This skill largely does what it says: it expects the GitHub CLI and access to the repository (local git or network-accessible PR) and will use those to read PR data, git history, and optionally post comments. Before installing or using it:
1) Confirm your environment has gh authenticated with the intended GitHub account and that you are comfortable that the skill will act with those permissions.
2) Ask the author or maintainer what 'sessions_spawn' is and whether spawned agents make external model/API calls or require additional credentials.
3) Note the docs mismatch (some README/README_SOURCE say 4 agents while SKILL.md defines 3) and get clarity on exact agent behavior.
4) Test on a non-sensitive repository to confirm the confidence-threshold and pre-existing-issue filtering don't hide important findings.
If you need higher assurance, request an explicit statement from the author about no hidden network exfiltration and how agent spawning is implemented.
Like a lobster shell, security has layers — review code before you run it.
latest: vk974d4trt60k07d45q6j5r4gah84hn61
