AI Code Review
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: ai-code-review-svc
Version: 1.1.1
The skill bundle documentation (SKILL.md, README.md) describes a legitimate automated code review service. It includes features for LLM-based diff analysis, voice transcription via OpenAI Whisper, and Discord notifications. The documentation explicitly highlights security-conscious features such as SSRF validation for URLs and request timeouts. No evidence of malicious intent, data exfiltration, or prompt injection was found in the provided files.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using this skill may consume OpenAI account quota and may allow messages to be posted through the configured Discord webhook.
The skill asks for an OpenAI API key and optionally a Discord webhook. These credentials are expected for the stated features, but users should note that they grant access to paid API usage and the ability to post to a Discord channel.
export OPENAI_API_KEY="sk-..."
export DISCORD_WEBHOOK_URL="https://discord.com/api/webhooks/..." # optional
Use a dedicated OpenAI key with appropriate limits and a Discord webhook scoped to the intended channel; revoke them if no longer needed.
Repository changes, review summaries, and audio transcription content may leave the local environment and be processed by OpenAI or visible in Discord.
The documented workflow sends code diffs and optional audio recordings to external providers and posts summaries to Discord. This is disclosed and purpose-aligned, but it can involve sensitive source code or meeting content.
Sends diffs to GPT-4o ... Transcribes review meeting recordings via OpenAI Whisper API ... Discord Notifications
Avoid using the skill on confidential code or private recordings unless those provider and Discord data-sharing terms are acceptable.
The submitted skill package may be incomplete, and any external or later-provided implementation would need separate review before running.
The documentation points to a runnable source file, but the supplied manifest contains only README.md and SKILL.md. The referenced implementation cannot be reviewed in these artifacts.
python src/code_review_service.py
Do not run replacement source files or scripts from outside this package unless their origin and contents are verified.
If a matching script is later supplied and run, it could change local service state without per-action confirmation.
The described healthcheck behavior would perform autonomous service restarts and notifications. It is disclosed and no script is present, but this kind of background control should be reviewed before use.
scripts/healthcheck.sh monitors nginx, docker, code-review-service, and whisper-api-gateway. It auto-restarts failed services and sends Discord alerts.
Review any healthcheck script before enabling it, and run it only with the minimum privileges needed.
If used, this helper could publish or update content under a ClawHub account.
The skill documents a helper that can publish skill directories through the ClawHub CLI. This is not automatically invoked and no implementation is included, but publishing is a higher-impact account action outside the core code-review flow.
publish_skill(skill_path, version)

Publishes a skill directory to ClawHub at the given version using the `clawhub` CLI.
Use any publishing helper only intentionally, after reviewing the exact files and account permissions involved.
