← Back to Skills Marketplace
Urlsession Code Review
by
Kevin Anderson
· GitHub ↗
· v1.2.1
· MIT-0
160
Downloads
0
Stars
1
Active Installs
2
Versions
Install in OpenClaw
/install urlsession-code-review
Description
Reviews URLSession networking code for iOS/macOS. Covers async/await patterns, request building, error handling, caching, and background sessions.
README (SKILL.md)
URLSession Code Review
Quick Reference
| Topic | Reference |
|---|---|
| Async/Await | async-networking.md |
| Requests | request-building.md |
| Errors | error-handling.md |
| Caching | caching.md |
Review Checklist
Response Validation
- HTTP status codes validated - URLSession does NOT throw on 404/500
- Response cast to HTTPURLResponse before checking status
- Both transport errors (URLError) and HTTP errors handled
Memory & Resources
- Downloaded files moved/deleted (async API doesn't auto-delete)
- Sessions with delegates call
finishTasksAndInvalidate() - Long-running tasks use
[weak self] - Stored Task references cancelled when appropriate
Configuration
-
timeoutIntervalForResourceset (default is 7 days!) - URLCache sized adequately (default 512KB too small)
- Sessions reused for connection pooling
Background Sessions
- Unique identifier (especially with app extensions)
- File-based uploads (not data-based)
- Delegate methods used (not completion handlers)
Security
- No hardcoded secrets (use Keychain)
- Header values sanitized for CRLF injection
- Query params via URLComponents (not string concat)
Hard gates (before reporting findings)
Complete in order. Do not advance while a prior gate is open.
- Scope — Pass: You name at least one file under review where
URLSession,URLRequest,HTTPURLResponse/URLResponse,URLCache, orURLErrorappears on a networking path. If none apply, stop with “out of scope.” - HTTP vs transport — Pass: Before claiming missing HTTP status handling or “404 treated as success,” you cite
file:linefor the completion/async/for awaitpath that receivesresponseand state whetherHTTPURLResponseis cast andstatusCodeis checked (or cite the helper that does). If you cannot see the handler, say unknown and ask for it—do not assume. - Session lifecycle — Pass: For a custom
URLSessionwith a delegate, you citefinishTasksAndInvalidate()or the documented long-lived/singleton pattern you rely on; for.shared, say so if the finding depends on configuration. Skip if only ad hocURLSession.sharedone-shots with no delegate issues. - Background or file transfer (if applicable) — Pass: If
URLSessionConfiguration.background,downloadTask, or app-extension–scoped sessions appear, findings cite identifier uniqueness, delegate vs completion-handler usage, or file URLs as required. If none of those APIs appear, mark N/A and continue. - Severity and checklist — Pass: Every Critical item includes
file:lineand names which Review Checklist subsection it violates (e.g. Response Validation, Background Sessions). Lower-severity items still name the file(s) they are drawn from.
Output Format
### Critical
1. [FILE:LINE] Missing HTTP status validation
- Issue: 404/500 responses not treated as errors
- Fix: Check `httpResponse.statusCode` is 200-299
Usage Guidance
This skill is coherent and appears to do what it says: a local code-review checklist for URLSession usage. Before installing: (1) remember it will analyze any code files you give it, so avoid providing files containing secrets or unrelated private data; (2) the owner and homepage are unknown — review the SKILL.md and reference docs yourself to confirm they match your expectations; (3) if you prefer the skill not be invoked autonomously, consider disabling model invocation or restricting skill usage in your agent settings; (4) because the skill is instruction-only, it won’t download code during install, but the agent may process and summarize code you upload — treat outputs as assistant-generated guidance, not a replacement for a human security review.
Capability Assessment
Purpose & Capability
Name/description (URLSession code review) matches the provided SKILL.md and reference documents. The skill is instruction-only, requests no binaries, env vars, or config paths, and does not attempt to perform unrelated platform actions.
Instruction Scope
SKILL.md defines a narrow, well-scoped review workflow (gates, file:line citations, checklist items) that confines the agent to analyze code containing URLSession/URLRequest/etc. It does not instruct the agent to read system-wide files, environment variables, or send data to external endpoints. Note: the skill expects to read the files under review (it requires citing file:line), so it will process any code the user provides.
Install Mechanism
No install spec is present (instruction-only), so nothing will be downloaded or written to disk by an installer step — lowest-risk installation profile.
Credentials
The skill declares no required environment variables, credentials, or config paths. Reference docs discuss Keychain and file operations only as guidance for reviewed code; the skill itself does not request secrets or unrelated credentials.
Persistence & Privilege
always:false (normal). disable-model-invocation is false, meaning the agent can autonomously invoke the skill per platform defaults — this is expected for skills but increases blast radius compared to a manually-invoked-only skill. There is no request to modify other skills or persistent system settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install urlsession-code-review - After installation, invoke the skill by name or use
/urlsession-code-review - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.1
- Expanded "Hard gates" before reporting findings to clearly outline step-by-step review constraints.
- Gates now require explicit file:line references for HTTP/transport reporting, session lifecycle, and background session findings.
- Added instructions for how and when to mark scope as "out of scope" or "unknown" based on code visibility.
- Critical findings must now cite violated checklist subsections and specific file:line locations.
- Review workflow and output requirements explicitly clarified to ensure more precise, actionable feedback.
v1.2.0
Version 1.2.0 of urlsession-code-review updates and expands skill documentation and guidelines:
- Adds comprehensive SKILL.md with supported triggers, overview, detailed review checklist, and quick reference links.
- Checklist now explicitly covers async/await, request and error handling, memory management, caching, configuration, background sessions, and security best practices.
- Includes a sample markdown output format for reporting code review findings.
Metadata
Frequently Asked Questions
What is Urlsession Code Review?
Reviews URLSession networking code for iOS/macOS. Covers async/await patterns, request building, error handling, caching, and background sessions. It is an AI Agent Skill for Claude Code / OpenClaw, with 160 downloads so far.
How do I install Urlsession Code Review?
Run "/install urlsession-code-review" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Urlsession Code Review free?
Yes, Urlsession Code Review is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Urlsession Code Review support?
Urlsession Code Review is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Urlsession Code Review?
It is built and maintained by Kevin Anderson (@anderskev); the current version is v1.2.1.
More Skills