ClawHub

Prometheus Go Code Review

v2.3.1

Reviews Prometheus instrumentation in Go code for proper metric types, labels, and patterns. Use when reviewing code with prometheus/client_golang metrics.

0· 179·1 current·1 all-time
byKevin Anderson@anderskev

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for anderskev/prometheus-go-code-review.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Prometheus Go Code Review" (anderskev/prometheus-go-code-review) from ClawHub.
Skill page: https://clawhub.ai/anderskev/prometheus-go-code-review
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install prometheus-go-code-review

ClawHub CLI

Package manager switcher

npx clawhub@latest install prometheus-go-code-review
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name, description, and required artifacts align: the SKILL.md is a focused checklist for prometheus/client_golang usage in Go and only needs a concrete set of files or a diff to operate. There are no unrelated binaries, credentials, or install steps requested.
Instruction Scope
Instructions are narrowly scoped to code review (enumerate files touching Prometheus, inspect label cardinality, registration lifecycle, etc.) and require file paths or diffs. One ambiguous phrase: the checklist asks that the '/metrics endpoint [be] exposed and accessible' — this could be interpreted as a runtime/network check rather than a static code inspection. If the skill will attempt to probe the running service, that would require network/run permissions; as-written the rest of the doc implies static code inspection only. Clarify whether the agent should perform runtime endpoint checks.
Install Mechanism
No install spec and no code files are present. This reduces surface area (nothing downloaded or written to disk).
Credentials
The skill does not request environment variables, credentials, or config paths. Its checks (labels, metric types, registration patterns) do not require secret access.
Persistence & Privilege
Flags show no forced persistence (always: false), and there are no instructions to modify other skills or system-wide configs. Autonomous invocation is allowed by default but not in itself a concern here.
Assessment
This skill is instruction-only and coherent for its stated purpose: it performs static reviews of Go code that uses prometheus/client_golang. Before installing, confirm you will provide a concrete diff or file paths (the skill requires that) and whether you expect it to perform any runtime/network checks — the mention of the '/metrics' endpoint being "accessible" is ambiguous and could imply probing a running service (which would need network/run permissions). The skill does not request credentials or install software, so the primary risk is granting it access to the repository or file set you want reviewed — limit that access to only the code you want evaluated. If you need the skill to actually hit a live /metrics endpoint, ask the author to document required permissions and network behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk977e7py789wwccp9qqy6213hh85be68
179downloads
0stars
2versions
Updated 6d ago
v2.3.1
MIT-0
Kevin Anderson@anderskev
latest
Download

Prometheus Go Code Review

Review Checklist

  • Metric types match measurement semantics (Counter/Gauge/Histogram)
  • Labels have low cardinality (no user IDs, timestamps, paths)
  • Metric names follow conventions (snake_case, unit suffix)
  • Histograms use appropriate bucket boundaries
  • Metrics registered once, not per-request
  • Collectors don't panic on race conditions
  • /metrics endpoint exposed and accessible

Hard gates (sequenced)

Complete in order before recording a finding. Skip gates that clearly do not apply to the diff.

  1. Evidence scope — Enumerate the files you are reviewing that touch Prometheus (prometheus/client_golang, promauto, promhttp, or MustRegister). Pass: you have a concrete path list (from the diff or an explicit file set); no repo-wide claim without at least one path.

  2. Label cardinality — For each *Vec or labeled metric in scope, list label names and where values come from (constants, bounded codes, vs request-derived strings). Pass: no label uses unbounded values (e.g. raw user_id, full URL path, timestamps) unless the code uses a bounded mapping and you cite it.

  3. Registration lifecycle — For metric definitions in scope, confirm constructors run once (package-level var, init, or sync.Once), not inside per-request handlers. Pass: no pattern that allocates/registers a new Counter/Histogram/*Vec on every request for the same logical metric.

  4. Finding shape — Each finding names a file (and line or symbol where possible), states which gate (2 or 3) would fail if the issue is real, and ties to observed code. Pass: no standalone style nit when gates 2–3 are satisfied for that code.

Metric Type Selection

MeasurementTypeExample
Requests processedCounterrequests_total
Items in queueGaugequeue_length
Request durationHistogramrequest_duration_seconds
Concurrent connectionsGaugeactive_connections
Errors since startCountererrors_total
Memory usageGaugememory_bytes

Critical Anti-Patterns

1. High Cardinality Labels

// BAD - unique per user/request
counter := promauto.NewCounterVec(
    prometheus.CounterOpts{Name: "requests_total"},
    []string{"user_id", "path"},  // millions of series!
)
counter.WithLabelValues(userID, request.URL.Path).Inc()

// GOOD - bounded label values
counter := promauto.NewCounterVec(
    prometheus.CounterOpts{Name: "requests_total"},
    []string{"method", "status_code"},  // <100 series
)
counter.WithLabelValues(r.Method, statusCode).Inc()

2. Wrong Metric Type

// BAD - using gauge for monotonic value
requestCount := promauto.NewGauge(prometheus.GaugeOpts{
    Name: "http_requests",
})
requestCount.Inc()  // should be Counter!

// GOOD
requestCount := promauto.NewCounter(prometheus.CounterOpts{
    Name: "http_requests_total",
})
requestCount.Inc()

3. Registering Per-Request

// BAD - new metric per request
func handler(w http.ResponseWriter, r *http.Request) {
    counter := prometheus.NewCounter(...)  // creates new each time!
    prometheus.MustRegister(counter)       // panics on duplicate!
}

// GOOD - register once
var requestCounter = promauto.NewCounter(prometheus.CounterOpts{
    Name: "http_requests_total",
})

func handler(w http.ResponseWriter, r *http.Request) {
    requestCounter.Inc()
}

4. Missing Unit Suffix

// BAD
duration := promauto.NewHistogram(prometheus.HistogramOpts{
    Name: "request_duration",  // no unit!
})

// GOOD
duration := promauto.NewHistogram(prometheus.HistogramOpts{
    Name: "request_duration_seconds",  // unit in name
})

Good Patterns

Metric Definition

var (
    httpRequests = promauto.NewCounterVec(
        prometheus.CounterOpts{
            Namespace: "myapp",
            Subsystem: "http",
            Name:      "requests_total",
            Help:      "Total HTTP requests processed",
        },
        []string{"method", "status"},
    )

    httpDuration = promauto.NewHistogramVec(
        prometheus.HistogramOpts{
            Namespace: "myapp",
            Subsystem: "http",
            Name:      "request_duration_seconds",
            Help:      "HTTP request latencies",
            Buckets:   []float64{.005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10},
        },
        []string{"method"},
    )
)

Middleware Pattern

func metricsMiddleware(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        timer := prometheus.NewTimer(httpDuration.WithLabelValues(r.Method))
        defer timer.ObserveDuration()

        wrapped := &responseWriter{ResponseWriter: w, status: 200}
        next.ServeHTTP(wrapped, r)

        httpRequests.WithLabelValues(r.Method, strconv.Itoa(wrapped.status)).Inc()
    })
}

Exposing Metrics

import "github.com/prometheus/client_golang/prometheus/promhttp"

func main() {
    http.Handle("/metrics", promhttp.Handler())
    http.ListenAndServe(":9090", nil)
}

Review Questions

  1. Are metric types correct (Counter vs Gauge vs Histogram)?
  2. Are label values bounded (no UUIDs, timestamps, paths)?
  3. Do metric names include units (_seconds, _bytes)?
  4. Are metrics registered once (not per-request)?
  5. Is /metrics endpoint properly exposed?

Comments

Loading comments...