AI Code Review

by terrycarter1985 · GitHub ↗ · v1.1.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 35 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install ai-code-review-service
Description
AI-powered service for pull request code reviews with optional voice note transcription, Discord alerts, and secure diff URL handling.
README (SKILL.md)

ai-code-review

AI-powered code review service with voice transcription, Discord notifications, and ClawHub integration.

Triggers

  • "code review", "review code", "PR review"
  • "transcribe voice note", "voice review"
  • "publish skill", "skill publish"

Usage

Review a pull request

python src/code_review_service.py <pr_number> <diff_url> [voice_note_path]

Environment variables

Variable                 | Required | Description
OPENAI_API_KEY           | Yes      | OpenAI API key for Whisper transcription
DISCORD_WEBHOOK_URL      | No       | Discord webhook for review notifications
VOICE_NOTE_BASE_DIR      | No       | Base directory for voice note files (default: /tmp/voice_notes)
ALLOW_INTERNAL_DIFF_URLS | No       | Set to allow internal-network diff URLs (security override)

Security

  • Diff URLs are validated against SSRF (scheme + hostname checks)
  • Voice note paths are sandboxed to VOICE_NOTE_BASE_DIR
  • Discord notification content is escaped to prevent injection
  • All HTTP requests enforce a 30-second timeout
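The four Security bullets above state what the service checks but do not show how. The Python below is an added example written for this page, not the skill's own code (the bundled source lives in references/code_review_service.py and is not reproduced here); it implements each claim the way a reviewer would expect to find it, so an installer can compare it against the shipped file. The function names, the https-only scheme policy, the `resolve` hook used to keep the demo offline, and the sample host names and addresses are all assumptions of this example.

```python
"""Illustrative hardening checks for a diff-URL / voice-note review service.

Added example, not the ai-code-review-service skill's own code. Shows SSRF
validation of diff URLs, voice-note path sandboxing and Discord content
escaping. Names, the https-only policy and the `resolve` hook are assumptions.
"""
import ipaddress
import os
import socket
from urllib.parse import urlsplit

# Assumption: diffs are only ever fetched over TLS from public code hosts.
ALLOWED_SCHEMES = {"https"}


def _is_blocked(ip):
    """True for any address a user-supplied URL must never reach."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _system_resolve(host):
    """Default resolver: return every A/AAAA answer, any of which may be used."""
    return [info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)]


def validate_diff_url(url, allow_internal=False, resolve=_system_resolve):
    """Return `url` if it is safe to fetch, otherwise raise ValueError.

    A scheme + hostname check alone is not enough: a public name can resolve
    to an internal address, so every resolved address is checked as well.
    `allow_internal` mirrors an ALLOW_INTERNAL_DIFF_URLS-style override.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no hostname")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in URL are not allowed")
    if allow_internal:
        return url
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]  # literal IP
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
        except OSError as exc:
            raise ValueError(f"{parts.hostname} did not resolve: {exc}") from exc
    if not addrs:
        raise ValueError(f"{parts.hostname} did not resolve")
    for ip in addrs:
        if _is_blocked(ip):
            raise ValueError(f"{parts.hostname} resolves to blocked address {ip}")
    return url


def is_safe_diff_url(url, **kwargs):
    """Boolean wrapper around validate_diff_url."""
    try:
        validate_diff_url(url, **kwargs)
        return True
    except ValueError:
        return False


def resolve_voice_note_path(base_dir, user_path):
    """Resolve `user_path` inside `base_dir`, rejecting `..`, absolute paths
    and symlinks that lead outside the sandbox. Returns the real path."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath rather than startswith: "/tmp/voice_notes2" must not pass
    # for a base of "/tmp/voice_notes".
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("voice note path escapes VOICE_NOTE_BASE_DIR")
    return candidate


def voice_note_in_sandbox(base_dir, user_path):
    """Boolean wrapper around resolve_voice_note_path."""
    try:
        resolve_voice_note_path(base_dir, user_path)
        return True
    except ValueError:
        return False


_DISCORD_MARKDOWN = "\\*_~`|>"


def escape_discord_content(text):
    """Backslash-escape Markdown and break mass mentions with a zero-width
    space so untrusted PR text cannot inject formatting or ping a server."""
    escaped = "".join("\\" + ch if ch in _DISCORD_MARKDOWN else ch for ch in text)
    return (escaped.replace("@everyone", "@\u200beveryone")
                   .replace("@here", "@\u200bhere"))


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline; hosts and addresses are made up.
    fake_dns = {"code-host.example": ["93.184.216.34"],
                "intranet.example": ["10.0.0.5"]}
    for u in ("https://code-host.example/o/r/pull/1.diff",
              "https://intranet.example/diff", "https://127.0.0.1/diff"):
        print(u, "->", is_safe_diff_url(u, resolve=fake_dns.__getitem__))
```

When comparing this against the bundled source, the questions to ask are whether the shipped URL check resolves the hostname before fetching, whether the path check uses realpath plus a common-prefix test rather than a string prefix, and whether the override variable disables only the address check rather than all validation.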

Changelog

1.1.0 (2026-05-07)

  • Fixed SSRF vulnerability in diff URL fetching
  • Fixed path traversal risk in voice note transcription
  • Added Discord content escaping to prevent injection
  • Added request timeouts (30s) to all HTTP calls
  • Fixed analyze_code_changes returning hardcoded "approved" — now returns "pending_manual_review"
  • Added proper error handling for diff fetch and voice transcription
  • Added structured logging throughout the service
  • Improved __main__ with CLI arg parsing and error handling
  • Optimized health check script compatibility (works in chroot/container environments)
Usage Guidance
Install only if you are comfortable reviewing and tightening the included source. Use restricted OpenAI and Discord credentials, run the service in a sandboxed environment, allow diff URLs only from trusted code hosts, verify the voice-note directory containment before uploading files, and do not run the healthcheck script with elevated privileges unless you explicitly want it to restart those host services.
Capability Analysis
Type: OpenClaw Skill
Name: ai-code-review-service
Version: 1.1.0
The skill bundle provides a legitimate AI-powered code review service with voice transcription and Discord notifications. The code in `references/code_review_service.py` includes proactive security measures, such as SSRF validation for diff URLs, path traversal protection for audio files using a sandboxed directory, and content escaping to prevent Discord injection. The `scripts/healthcheck.sh` script performs standard system monitoring and service recovery without any signs of malicious intent or unauthorized data exfiltration.
Capability Tags
requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The PR review, voice transcription, and Discord alert features match the stated purpose, but the actual code-review analysis is still a TODO returning pending_manual_review, and the SKILL usage path references src/code_review_service.py while the provided file is under references/.
Instruction Scope
The runtime accepts a caller-supplied diff URL and voice-note path, then performs network fetches and provider upload; the implemented URL and path checks are weaker than the security claims imply.
Install Mechanism
There is no install spec and the registry declares no env vars or primary credential, while SKILL.md documents OPENAI_API_KEY and optional Discord/base-directory settings. This is disclosed in the skill text but under-declared in metadata.
Credentials
OpenAI and Discord network access is purpose-aligned, but the included healthcheck script reaches host-level services and can restart nginx, docker, code-review-service, and whisper-api-gateway, which is broader than a code-review skill needs unless explicitly operator-approved.
Persistence & Privilege
No background persistence is installed by the artifacts, but scripts/healthcheck.sh writes to /var/log and invokes systemctl restart, requiring elevated host privileges and causing lasting environment changes if run.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install ai-code-review-service
  3. After installation, invoke the skill by name or use /ai-code-review-service
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Fixed code quality issues (SSRF / path traversal / injection protection) and improved health check compatibility
Metadata
Slug ai-code-review-service
Version 1.1.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is AI Code Review?

AI-powered service for pull request code reviews with optional voice note transcription, Discord alerts, and secure diff URL handling. It is an AI Agent Skill for Claude Code / OpenClaw, with 35 downloads so far.

How do I install AI Code Review?

Run "/install ai-code-review-service" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is AI Code Review free?

Yes, AI Code Review is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does AI Code Review support?

AI Code Review is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created AI Code Review?

It is built and maintained by terrycarter1985 (@terrycarter1985); the current version is v1.1.0.
