Code Review

v1.0.4

AI-powered code review that combines fast local static analysis with deep AI reasoning. Catches bugs, security vulnerabilities, performance issues, and style...

by Shadow Rose (@theshadowrose)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the implementation: a local regex pre-pass plus optional AI-powered review. Optional API keys for Anthropic/OpenAI and local Ollama are expected for the described functionality. No unrelated binaries, config paths, or credentials are requested.
Instruction Scope
SKILL.md and src/code-review.js explicitly send file contents (truncated to 8000 chars) and local findings to the chosen AI provider. That behavior is consistent with a code-review tool but means source (including secrets) will be transmitted to external services when using remote providers. The skill also builds a strict system prompt asking the model to output JSON-only — this is expected for parsing but was flagged as a prompt-override pattern by static scanning.
Install Mechanism
Instruction-only plus a single JS source file; no install spec, no external downloads, and the code claims zero npm dependencies (uses built-in Node modules). No high-risk installation behavior detected.
Credentials
No required environment variables are declared. The code optionally reads ANTHROPIC_API_KEY / CLAUDE_API_KEY, OPENAI_API_KEY, and OLLAMA_HOST/OLLAMA_PORT — all directly relevant to choosing a remote or local model. These optional creds are proportional to the stated purpose.
Persistence & Privilege
Skill is not marked always:true and does not request persistent system-wide privileges. It does not modify other skills' configs or request elevated system access.
Scan Findings in Context
[system-prompt-override] expected: The SKILL.md and src/code-review.js set a specific system prompt and require model JSON-only output. This matches the skill's need to parse AI responses but is flagged because such prompts can attempt to control model behavior — here it is used for structured output rather than an obvious malicious override.
Assessment
This skill appears to do what it says: it runs a local regex pre-pass and (optionally) sends code and the local findings to a chosen AI model for a deeper review. Important considerations before installing or using it:

- If you configure Anthropic or OpenAI, your source code (up to 8,000 characters per file) and any local findings will be transmitted to those third-party services. Do not use those remote providers for proprietary, sensitive, or regulated code you cannot share. Prefer a local Ollama instance for fully local reviews.
- API keys are optional; the skill will run local-only analysis without them. If you do provide keys, use dedicated, scoped keys and rotate them if needed.
- The skill enforces a strict JSON output expectation from the model. This is normal for reliable parsing but may cause parse errors if the remote model returns unexpected text.
- The local regex patterns may surface false positives (e.g., secret detection). Review flagged issues manually before acting.

If you need greater assurance: review the full src/code-review.js yourself, run the tool in an isolated environment, or use a local Ollama deployment to avoid sending code off-host.


Tags: analysis, code, development, latest, quality, review
