ClawHub

Review Code

v1.0.0

Review code with risk-first analysis, reproducible evidence, and patch-ready guidance for correctness, security, performance, and maintainability.

0· 473·4 current·4 all-time
byIván@ivangdavila
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description (risk-focused code review) align with the contents: checklists, templates, workflow, and setup. The skill requests no binaries, credentials, or external services that would be unrelated to a code review.
Instruction Scope
SKILL.md and the companion documents strictly describe review behavior, risk checklists, templates, and local note storage. Instructions do not direct the agent to read unrelated system files or environment variables, nor to call external endpoints. The skill explicitly requires user confirmation before creating or changing local files.
Install Mechanism
There is no install spec and no code to execute; the skill is instruction-only. That minimizes disk writes and execution risk. The 'related skills' list is advisory; installing them would be a separate user action.
Credentials
The skill requires no environment variables, no credentials, and no config paths beyond an optional directory under the user's home. This is proportionate to a local code-review instruction set. The docs explicitly advise not to store secrets.
Persistence & Privilege
The skill recommends using ~/review-code/ for local memory and findings. This is reasonable for a review workflow but does create persistent local files if the user consents. The instructions state the agent must present planned writes and ask for confirmation before creating/changing files.
Assessment
This skill is instruction-only and appears to do what it says: risk-focused code reviews using local templates and optional local storage in ~/review-code/. Before enabling or running it: (1) confirm you are comfortable with the agent creating files under ~/review-code/ (the skill promises to ask before writing), (2) do not store secrets or credentials in the review memory, and (3) if you prefer ephemeral reviews, decline setup or remove ~/review-code/ after use. If you later install the related skills (code, git, ci-cd, etc.), review their permissions separately because those may request additional access.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔎 Clawdis
OSmacOS · Linux · Windows
latestvk9726qmfppnz074cknaadmhfs1829h0s
473downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
macOS, Linux, Windows
Iván@ivangdavila
latest
Download

Setup

On first use, read setup.md for integration guidance and local memory initialization.

When to Use

User asks for a code review, PR review, merge-readiness check, or bug-risk audit before shipping. Agent delivers a risk-ranked review with explicit evidence, impact, confidence, and concrete fix direction.

Architecture

Memory lives in ~/review-code/. See memory-template.md for structure and starter templates.

~/review-code/
├── memory.md             # Review preferences, stack context, and recent constraints
├── findings/             # Optional per-review finding logs
├── baselines/            # Team conventions and accepted risk baselines
└── sessions/             # Session summaries for ongoing audits

Quick Reference

TopicFile
Setup and integration behaviorsetup.md
Memory schema and templatesmemory-template.md
End-to-end review execution flowreview-workflow.md
Severity and confidence calibrationseverity-and-confidence.md
Language and architecture risk checkslanguage-risk-checklists.md
Test impact requirements by change typetest-impact-playbook.md
Comment and report templatescomment-templates.md
Patch strategy for actionable fixespatch-strategy.md

Data Storage

Local notes stay in ~/review-code/. Before creating or changing local files, present the planned write and ask for user confirmation.

Core Rules

1. Define the Review Contract First

Confirm target scope before reviewing: branch, files, risk tolerance, and release context. If scope is unclear, state assumptions explicitly and keep findings tied to those assumptions.

2. Start With Risk Mapping, Then Deep Dive

Run a fast pass to locate high-risk zones first: auth, money, data integrity, concurrency, and migration paths. Only then perform line-level analysis with review-workflow.md so major failures are surfaced early.

3. Every Finding Must Be Evidence-Backed

Do not report vague concerns. Each finding must include: trigger location, concrete failure mode, user or business impact, and minimal reproduction clue. If evidence is weak, mark low confidence or downgrade to a question.

4. Separate Blocking vs Advisory With Severity + Confidence

Use severity-and-confidence.md for consistent triage. Blocking findings must be reproducible or highly probable with strong impact. Advisory feedback must remain concise and never hide blockers.

5. Always Pair Findings With a Fix Path

For each blocking issue, provide a minimally disruptive fix strategy. Use patch-strategy.md to propose rollback-safe edits, guard tests, and verification steps.

6. Tie Review Quality to Test Impact

Map each change to required tests using test-impact-playbook.md. If tests are missing, list the exact scenarios that must be added and why they prevent regressions.

7. Optimize for Signal, Not Volume

Prioritize high-impact defects over style noise. If no blockers are found, state that explicitly and list residual risks, test gaps, and monitoring advice.

Common Traps

  • Reporting opinions as facts -> review credibility drops and teams ignore real blockers.
  • Mixing blocker and nit feedback without labels -> delayed merges and mis-prioritized fixes.
  • Calling something “probably fine” without tests -> silent regressions in production.
  • Suggesting large rewrites for local defects -> good fixes are postponed indefinitely.
  • Ignoring release context (hotfix vs refactor) -> wrong trade-offs for urgency.
  • Missing migration and backward-compatibility checks -> runtime failures after deploy.

External Endpoints

This skill makes NO external network requests.

EndpointData SentPurpose
NoneNoneN/A

No other data is sent externally.

Security & Privacy

Data that leaves your machine:

  • Nothing by default. This is an instruction-only review skill unless the user explicitly exports artifacts.

Data stored locally:

  • Review preferences, project constraints, and optional findings approved by the user.
  • Stored in ~/review-code/.

This skill does NOT:

  • auto-approve code or merge pull requests.
  • make undeclared network calls.
  • store credentials, tokens, or sensitive payloads.
  • modify its own core instructions or auxiliary files.

Trust

This is an instruction-only code review skill. No credentials are required and no third-party services are contacted by default.

Related Skills

Install with clawhub install <slug> if user confirms:

  • code - implementation workflow that complements review findings.
  • git - safer branch, diff, and commit handling during remediation.
  • typescript - stricter typing and runtime safety review for TS-heavy codebases.
  • ci-cd - release-gate checks and deployment safeguards after fixes.
  • devops - production risk assessment and rollback planning.

Feedback

  • If useful: clawhub star review-code
  • Stay updated: clawhub sync

Comments

Loading comments...