code-review-assistant

v1.0.0

Code review assistant. Analyzes a Git diff or code snippet and outputs a structured Chinese-language review report covering bugs, security vulnerabilities, performance issues, readability, best practices, type safety, error handling and test coverage. Supports configurable strictness levels (info/optimization/standard/critical) and several mainstream languages (Python/JS/TS/Java/Go/Rust). Supports GitHub/G...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included files: SKILL.md describes code-review behavior and the repository provides get_diff.py and get_pr_diff.py plus language/rule references. The optional use of GITHUB_TOKEN / GITLAB_TOKEN in get_pr_diff.py is appropriate for fetching PR/MR diffs.
Instruction Scope
Runtime instructions are scoped to obtaining diffs (local git, PRs via API, or user-pasted snippets) and running language-specific checks. One point to note: the skill will read repository files or any file the user explicitly asks it to read (via '--file' or '指定文件'), so sensitive files in the repo could be exposed if you request them. This is expected behavior for a review tool, but worth being cautious about.
Install Mechanism
No install spec; this is an instruction-only skill with included Python helper scripts. Nothing downloads or extracts remote code or installs packages, so installation risk is low.
Credentials
The skill does not declare required env vars. get_pr_diff.py optionally reads GITHUB_TOKEN and GITLAB_TOKEN to access private PRs/MRs — these are directly relevant and proportionate to the described capability. No unrelated secrets or configuration paths are requested.
Persistence & Privilege
The always flag is false, and the skill has no install-time hooks or requests for permanent agent-wide privileges. It does not modify other skills or system-wide config.
Assessment
This skill appears to do what it says: fetch diffs and produce structured code-review reports. Before using it, consider: (1) Only provide GITHUB_TOKEN/GITLAB_TOKEN when necessary and prefer least-privilege / read-only tokens. (2) Avoid asking the skill to read or send files that contain secrets (keys, credentials) unless you intend to expose them. (3) The helper scripts use your local git repo and network calls to GitHub/GitLab — run them in a safe working directory and review output before sharing externally. (4) There is no installer or hidden network endpoint in the package; the main remaining risk is accidental exposure of repository contents if you request broad diffs or files.


latest: vk97f3rzjcf7h87shtgnttwq75s83dz9j
