Phoenix Code Review

v1.2.1

Reviews Phoenix code for controller patterns, context boundaries, routing, and plugs. Use when reviewing Phoenix apps, checking controllers, routers, or cont...

by Kevin Anderson (@anderskev)

Install

Install with OpenClaw (prompt flow)

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for anderskev/phoenix-code-review.

Prompt preview (Install & Setup):
Install the skill "Phoenix Code Review" (anderskev/phoenix-code-review) from ClawHub.
Skill page: https://clawhub.ai/anderskev/phoenix-code-review
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI (bare skill slug):

openclaw skills install phoenix-code-review

ClawHub CLI (via npx):

npx clawhub@latest install phoenix-code-review
Security Scan

Capability signals
Crypto: Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Pending
OpenClaw: Benign (high confidence)

Purpose & Capability
Name, description, and all included reference docs (controllers, contexts, plugs, routing) align with a Phoenix code-review helper. The skill requests no environment variables, binaries, or config paths that would be unrelated to code review.
Instruction Scope
The SKILL.md explicitly instructs the agent to open project source files and cite file:line for findings — this is expected for a code-review skill, but it grants the agent broad read access to the repository. The gates reference an external verification skill at ../review-verification-protocol/SKILL.md which is not included here; that dependency may block verification or produce vague behavior if missing. Overall scope is coherent with the purpose, but you should be aware it will inspect repository files and expects another review skill to be present.
Install Mechanism
No install spec and no code files: instruction-only (no code is written to disk or downloaded). This is the lowest-risk install posture.
Credentials
The skill declares no required environment variables, credentials, or config paths. Nothing requests unrelated secrets or system access.
Persistence & Privilege
always:false and default agent invocation are set. The skill does not request permanent presence or system-wide configuration changes; autonomy is allowed by default but is not combined with other elevated privileges here.
Assessment
This skill appears coherent and low-risk: it is a documentation-driven code-review helper that will read your project files to produce findings. Before using it, ensure you only grant the agent access to the repository you want reviewed, confirm whether the referenced ../review-verification-protocol skill exists (or provide an equivalent verification process), and be mindful that reported findings will include file paths and line numbers (which may expose code snippets). If you need stricter control, run the review in a sandboxed environment or limit the agent's filesystem access. Lastly, remember autonomous invocation is allowed by default — disable it if you prefer to run reviews manually.


latest: vk973av402zh4fb071j1g8m3zw585bs4y
129 downloads · 0 stars · 2 versions · Updated 5d ago · v1.2.1 · MIT-0

Phoenix Code Review

Quick Reference

Issue Type                          Reference
Bounded contexts, Ecto integration  references/contexts.md
Actions, params, error handling     references/controllers.md
Pipelines, scopes, verified routes  references/routing.md
Custom plugs, authentication        references/plugs.md

Review Checklist

Controllers

  • Business logic in contexts, not controllers
  • Controllers return proper HTTP status codes
  • Action clauses handle all expected patterns
  • Fallback controllers handle errors consistently

Contexts

  • Contexts are bounded by domain, not technical layer
  • Public functions have clear, domain-focused names
  • Changesets validate all user input
  • No Ecto queries in controllers
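The controller and context checklist items above, shown together in one added example (this is illustrative code, not from the skill or its reference docs). Module names such as Shop.Orders, ShopWeb.OrderController and ShopWeb.FallbackController are hypothetical; it assumes a Phoenix 1.7 app whose ShopWeb.controller macro includes verified routes and JSON views (ShopWeb.OrderJSON, ShopWeb.ChangesetJSON, ShopWeb.ErrorJSON as generated by phx.gen.json), and a :current_user assign set by an earlier plug.

```elixir
# Added example; hypothetical Shop app, not the skill's own code.
defmodule Shop.Orders.Order do
  use Ecto.Schema
  import Ecto.Changeset

  schema "orders" do
    field :sku, :string
    field :quantity, :integer
    field :user_id, :id
    timestamps()
  end

  # Every user-supplied field is cast and validated here, so no caller can
  # persist an order with a missing SKU or a non-positive quantity.
  def changeset(order, attrs) do
    order
    |> cast(attrs, [:sku, :quantity])
    |> validate_required([:sku, :quantity])
    |> validate_length(:sku, min: 3, max: 32)
    |> validate_number(:quantity, greater_than: 0, less_than_or_equal_to: 100)
  end
end

defmodule Shop.Orders do
  @moduledoc "Bounded context: the only module that queries the orders table."
  import Ecto.Query, warn: false
  alias Shop.Repo
  alias Shop.Orders.Order

  # Domain-named public API; the Ecto query lives here, never in a controller.
  def list_orders_for(user_id) do
    Repo.all(from o in Order, where: o.user_id == ^user_id, order_by: [desc: o.inserted_at])
  end

  # Scoping by user_id here makes cross-tenant reads impossible from the controller.
  def get_order(user_id, id) do
    case Repo.get_by(Order, id: id, user_id: user_id) do
      nil -> {:error, :not_found}
      order -> {:ok, order}
    end
  end

  def create_order(user_id, attrs) do
    %Order{user_id: user_id}
    |> Order.changeset(attrs)
    |> Repo.insert()
  end
end

defmodule ShopWeb.OrderController do
  use ShopWeb, :controller
  alias Shop.Orders

  # Any {:error, _} an action lets fall through is handed to the fallback.
  action_fallback ShopWeb.FallbackController

  def index(conn, _params) do
    render(conn, :index, orders: Orders.list_orders_for(conn.assigns.current_user.id))
  end

  def show(conn, %{"id" => id}) do
    with {:ok, order} <- Orders.get_order(conn.assigns.current_user.id, id) do
      render(conn, :show, order: order)
    end
  end

  def create(conn, %{"order" => params}) do
    with {:ok, order} <- Orders.create_order(conn.assigns.current_user.id, params) do
      conn
      |> put_status(:created)
      |> put_resp_header("location", ~p"/api/orders/#{order}")
      |> render(:show, order: order)
    end
  end
end

defmodule ShopWeb.FallbackController do
  use ShopWeb, :controller

  # Changeset errors become 422 with one consistent body; missing rows become 404.
  def call(conn, {:error, %Ecto.Changeset{} = changeset}) do
    conn
    |> put_status(:unprocessable_entity)
    |> put_view(json: ShopWeb.ChangesetJSON)
    |> render(:error, changeset: changeset)
  end

  def call(conn, {:error, :not_found}) do
    conn
    |> put_status(:not_found)
    |> put_view(json: ShopWeb.ErrorJSON)
    |> render(:"404")
  end
end
```

A reviewer applying the checklist would not flag `create/2` for "missing validation" or "wrong status": the changeset validates the input and the fallback supplies the 422, which is exactly the "handled elsewhere" outcome the Gates below ask you to record.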

Routing

  • Verified routes (~p sigil) used, not string paths
  • Pipelines group related plugs
  • Resources use only needed actions
  • Scopes group related routes

Plugs

  • Authentication/authorization via plugs
  • Plugs are composable and single-purpose
  • Halt called after sending response in plugs
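The plug items above, as an added example (not code from the skill): an identification plug that never halts, the authorization plug that halts after sending, and the broken variant the "halt after send" item is meant to catch. ShopWeb.Plugs.* and Shop.Accounts.get_user_by_api_token/1 (returning a user struct or nil) are hypothetical; bearer-token API auth is assumed.

```elixir
# Added example; hypothetical Shop app, not the skill's own code.
defmodule ShopWeb.Plugs.FetchCurrentUser do
  @moduledoc "Identification only: assigns :current_user (or nil) and never halts."
  import Plug.Conn
  alias Shop.Accounts # hypothetical context

  def init(opts), do: opts

  def call(conn, _opts) do
    user =
      case get_req_header(conn, "authorization") do
        ["Bearer " <> token] -> Accounts.get_user_by_api_token(token)
        _ -> nil
      end

    assign(conn, :current_user, user)
  end
end

defmodule ShopWeb.Plugs.RequireAuth do
  @moduledoc "Single-purpose gate: 401 unless an authenticated user is present."
  import Plug.Conn
  import Phoenix.Controller, only: [json: 2]

  def init(opts), do: opts

  # A struct or map in :current_user means FetchCurrentUser identified someone.
  def call(%{assigns: %{current_user: %{}}} = conn, _opts), do: conn

  def call(conn, _opts) do
    conn
    |> put_status(:unauthorized)
    |> json(%{error: "authentication required"})
    # halt/1 stops the pipeline; without it Plug.Builder calls the next plug
    # and the controller action still runs for the unauthenticated request.
    |> halt()
  end
end

# The defect the checklist item targets. The 401 is sent, but the conn is not
# halted, so the action executes anyway and its own render raises
# Plug.Conn.AlreadySentError. Report as [FILE:LINE] Plug sends without halt.
defmodule ShopWeb.Plugs.RequireAuthBroken do
  import Plug.Conn
  import Phoenix.Controller, only: [json: 2]

  def init(opts), do: opts
  def call(%{assigns: %{current_user: %{}}} = conn, _opts), do: conn

  def call(conn, _opts) do
    conn
    |> put_status(:unauthorized)
    |> json(%{error: "authentication required"})
  end
end
```

Keeping identification and enforcement in separate plugs is what makes them composable: public routes can run FetchCurrentUser alone, while protected pipelines add RequireAuth (and later a role check) without either plug knowing about the other.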

JSON APIs

  • Proper content negotiation
  • Consistent error response format
  • Pagination for list endpoints

Valid Patterns (Do NOT Flag)

  • Controller calling multiple contexts - Valid for orchestration
  • Inline Ecto query in context - Context owns its data access
  • Using action_fallback - Centralized error handling pattern
  • Multiple pipelines per route - Composition is intentional
  • Plug.Conn.halt/1 without send - May be handled by fallback

Context-Sensitive Rules

Issue                          Flag ONLY IF
Missing changeset validation   Field accepts user input AND no validation exists
Controller too large           More than 7 actions OR actions > 20 lines
Missing authorization          Route is not public AND no auth plug in pipeline

Gates (run in order; each step has a pass condition)

  1. Anchored evidence — For every planned finding, open the source and note file path + line number from that read (not from memory or diff snippets alone). Pass: each finding cites path:line that you opened.
  2. “Handled elsewhere” sweep — Before reporting “missing validation,” “missing auth,” or “wrong status,” search the router (pipelines/scopes), controller (action_fallback, plug), and relevant context for existing checks. Pass: you recorded whether handling exists elsewhere (yes + where, or no after search).
  3. Verification protocol — Load and apply review-verification-protocol for the issue type. Pass: that skill’s pre-report checks for that finding class are satisfied before you write the finding.
  4. Finding shape — Emit each issue as [FILE:LINE] ISSUE_TITLE with a one-line rationale tied to the cited code. Pass: every line matches that pattern.
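The "Missing authorization" rule in the table above and Gate 2's router sweep both come down to reading pipelines and scopes. This added router (not the skill's code; ShopWeb.Router and the plug modules are hypothetical and follow the Phoenix 1.7 generated layout) shows the two cases a reviewer must tell apart: a public scope with no auth plug, which is not a finding, and a protected scope whose controller has no `plug` line of its own because the pipeline already enforces auth.

```elixir
# Added example; hypothetical Shop app, not the skill's own code.
defmodule ShopWeb.Router do
  use ShopWeb, :router

  pipeline :api do
    plug :accepts, ["json"]
    # Identifies the caller from the Authorization header; never halts.
    plug ShopWeb.Plugs.FetchCurrentUser
  end

  pipeline :api_authenticated do
    # Enforces authentication and halts with 401 on failure.
    plug ShopWeb.Plugs.RequireAuth
  end

  # Public routes. "Route is not public" is false here, so the absence of an
  # auth plug is NOT a finding.
  scope "/api", ShopWeb do
    pipe_through :api

    get "/health", HealthController, :index
    post "/session", SessionController, :create
  end

  # Protected routes. OrderController needs no `plug RequireAuth` of its own:
  # Gate 2 records "handled elsewhere: router.ex, pipeline :api_authenticated".
  scope "/api", ShopWeb do
    pipe_through [:api, :api_authenticated]

    # Only the actions the API exposes; no :update/:delete surface by accident.
    resources "/orders", OrderController, only: [:index, :show, :create]
  end
end
```

Because routes are declared here, `~p"/api/orders/#{order}"` in a controller is checked at compile time against this module; a path that matches no route produces a compiler warning, which is why the Routing checklist prefers the sigil over string paths.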

Before Submitting Findings

Do not report until Gates above pass. For full anti-false-positive steps, follow review-verification-protocol.
