← Back to Skills Marketplace
supermario11

Cuihua Code Reviewer

by supermario11 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
122
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install cuihua-code-reviewer
Description
AI-powered code review assistant for OpenClaw agent developers. Automatically analyzes code quality, detects security vulnerabilities, performance issues, an...
README (SKILL.md)

code-reviewer - AI Code Review Assistant 🔍

Built for AI agent developers who care about code quality.

An intelligent code review assistant that analyzes your codebase and provides detailed, actionable feedback on:

  • 🛡️ Security vulnerabilities
  • Performance bottlenecks
  • 🧹 Code smells and anti-patterns
  • Best practices adherence
  • 📚 Documentation quality

🎯 Why code-reviewer?

When building AI agents with OpenClaw, code quality matters more than ever:

  • Agents often run with elevated permissions
  • Security vulnerabilities can be exploited by malicious prompts
  • Performance issues compound when agents loop
  • Maintainability is critical for evolving agent behavior

code-reviewer understands these unique challenges and provides tailored advice.

🚀 Quick Start

Review a single file

Tell your agent:

"Review the code quality of src/agent.js"

Review an entire directory

"Analyze all Python files in ./skills/my-skill/"

Get a detailed report

"Generate a full code review report for the current project"

📋 What Gets Checked

Security 🛡️

  • Injection vulnerabilities - Command injection, path traversal, eval usage
  • Sensitive data exposure - Hardcoded secrets, API keys in code
  • Unsafe dependencies - Known CVEs in package.json/requirements.txt
  • Permission issues - Overly broad file access, unnecessary privileges

Performance ⚡

  • Inefficient algorithms - O(n²) when O(n) exists, unnecessary loops
  • Memory leaks - Unreleased resources, closure traps
  • Blocking operations - Sync file I/O in async contexts
  • Redundant computations - Repeated calculations, unnecessary allocations

Code Quality 🧹

  • Code smells - Long functions, deep nesting, duplicated code
  • Naming conventions - Inconsistent or unclear variable names
  • Dead code - Unused imports, unreachable statements
  • Magic numbers - Hardcoded values without explanation

Best Practices ✨

  • Error handling - Unhandled promises, swallowed exceptions
  • Testing - Missing tests, low coverage areas
  • Documentation - Missing docstrings, unclear comments
  • Type safety - Missing type annotations (TypeScript/Python)

🎨 Output Format

Terminal Summary

🔍 Code Review Summary
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

📁 Files analyzed: 12
⚠️  Issues found: 8

Severity Breakdown:
  🔴 Critical: 1
  🟠 High:     2
  🟡 Medium:   3
  🟢 Low:      2

Top Issues:
  1. [CRITICAL] SQL injection vulnerability in query.js:45
  2. [HIGH] Hardcoded API key in config.js:12
  3. [HIGH] Memory leak in worker.js:78

💡 Run with --detailed for full report

Detailed Markdown Report

Saved to code-review-report.md:

# Code Review Report

**Generated**: 2026-03-24 20:30 PDT
**Project**: my-agent-project
**Files Reviewed**: 12
**Total Issues**: 8

## 🔴 Critical Issues (1)

### 1. SQL Injection Vulnerability
**File**: `src/query.js:45`
**Severity**: CRITICAL

**Issue**:
Unsanitized user input directly interpolated into SQL query.

**Code**:
\`\`\`javascript
const query = `SELECT * FROM users WHERE id = ${userId}`;
\`\`\`

**Impact**:
Allows arbitrary SQL execution. Attacker could read/modify database.

**Fix**:
Use parameterized queries:
\`\`\`javascript
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);
\`\`\`

---

## 🟠 High Priority Issues (2)

### 2. Hardcoded API Key
**File**: `config.js:12`
...

⚙️ Configuration

Create .codereview.json in your project root for custom rules:

{
  "severity": {
    "min": "medium",
    "failOnCritical": true
  },
  "ignore": {
    "files": ["*.test.js", "dist/*"],
    "rules": ["magic-numbers"]
  },
  "languages": ["javascript", "python"],
  "output": {
    "format": "markdown",
    "path": "./reports/code-review.md"
  }
}

🧠 How It Works

  1. Parse - Reads your code files using OpenClaw's read tool
  2. Analyze - Uses AI to understand code structure and intent
  3. Detect - Applies security, performance, and quality rules
  4. Report - Generates actionable findings with fix suggestions
  5. Learn - Adapts to your codebase patterns over time

🌟 Features

Multi-Language Support

  • ✅ JavaScript / TypeScript
  • ✅ Python
  • ✅ Go
  • ✅ Rust
  • ✅ Shell scripts
  • 🔄 More languages coming soon

Smart Context Awareness

Understands your project type:

  • OpenClaw skills and plugins
  • Express/Fastify APIs
  • React/Vue frontends
  • CLI tools
  • Lambda functions

Incremental Reviews

Reviews only changed files in Git:

"Review my latest changes"

Team Integration

Share review reports with your team:

  • Export to GitHub PR comments
  • Slack/Discord notifications
  • Email summaries

💡 Usage Examples

Example 1: Pre-commit Review

Agent: Review all staged files before I commit

Output:

✅ All clear! No critical issues found.
💡 3 minor suggestions:
  - Consider adding error handling in auth.js:23
  - Variable 'temp' could use a better name in utils.js:56
  - Add JSDoc for function processData() in api.js:12

Example 2: Security Audit

Agent: Run a security audit on ./src/

Output:

🛡️ Security Audit Results
━━━━━━━━━━━━━━━━━━━━━━━

🔴 1 critical vulnerability found
🟠 2 high-risk issues detected

Details:
1. [CRITICAL] Command injection in exec.js
2. [HIGH] Sensitive data in logs
3. [HIGH] Missing input validation

📄 Full report: security-audit-2026-03-24.md

Example 3: Performance Check

Agent: Find performance bottlenecks in worker.js

Output:

⚡ Performance Analysis
━━━━━━━━━━━━━━━━━━━━━

Found 3 optimization opportunities:

1. Line 45: O(n²) loop - use Map for O(n)
2. Line 67: Sync file read blocks event loop
3. Line 89: Regex compiled in hot path

Estimated improvement: 85% faster

🔒 Privacy & Security

  • Runs locally - Your code never leaves your machine
  • No telemetry - Zero data collection
  • Open source - Audit the code yourself
  • Safe analysis - Never executes your code

📦 Installation

Via ClawHub (Recommended)

clawhub install code-reviewer

Manual Installation

git clone https://github.com/your-username/code-reviewer
cd code-reviewer
clawhub publish .

🤝 Contributing

Found a bug? Have a feature idea?

📜 License

MIT License - see LICENSE for details.

🙏 Acknowledgments

Built with ❤️ by 翠花 for the OpenClaw community.

Special thanks to:

  • OpenClaw team for the amazing framework
  • ClawHub for making skill distribution easy
  • Early adopters for feedback and bug reports

📞 Support

Made with 🌸 by 翠花 | ClawHub Pioneer

Usage Guidance
This package appears to be a legitimate local code-review tool, but there are a few red flags to check before you install or run it: 1) Runtime mismatch: the bundle contains a Node script (analyzer.js) but the skill only lists 'git' as a required binary — ensure your environment has Node and that the skill author updates requirements. 2) Undeclared external integrations: examples show posting reports to Slack (SLACK_WEBHOOK_URL) and running an HTTP API server; the skill does not declare any required env vars for these. Only provide webhooks or tokens if you trust the skill and its source. 3) Confirm source and provenance: the registry entry has no homepage and an unknown owner; if you can't audit the code yourself, treat it as higher risk. 4) Audit the code: review analyzer.js and EXAMPLES.md locally before running; pay attention to any code paths that open network connections, spawn processes, or write files outside the project. 5) Run in a restricted environment first: test in an isolated/sandboxed repo or container, avoid giving CI secrets or webhooks until you're confident. 6) If you plan to enable pre-commit hooks or scheduled runs, inspect and control those hooks yourself rather than automatically applying them. If you want me to, I can: list the exact places analyzer.js performs file or network I/O, point out any lines that would execute child processes, or produce a minimal checklist for safely auditing and running this skill.
Capability Analysis
Type: OpenClaw Skill Name: cuihua-code-reviewer Version: 1.0.0 The code-reviewer skill is a static analysis tool designed to identify security vulnerabilities, performance bottlenecks, and code quality issues. The core logic in analyzer.js uses regular expressions to detect patterns such as hardcoded secrets, command injection, and SQL injection, while test-bad-code.js serves as a legitimate test suite for these detections. The tool operates locally, lacks network exfiltration capabilities, and its instructions in SKILL.md are strictly aligned with its stated purpose of assisting developers in improving code safety.
Capability Assessment
Purpose & Capability
The name, description, SKILL.md and included analyzer.js/test files are coherent for a code-reviewer. However the declared requirements list only 'git' while the shipped implementation is a Node script (analyzer.js) — the skill does not declare 'node' or the Node runtime as a required binary. Examples also reference environment variables (e.g., SLACK_WEBHOOK_URL) and features (API server mode, CI/CD integration) that are not declared in requires.env. These omissions are inconsistent with the stated capabilities and should be corrected or explained.
Instruction Scope
Most runtime instructions stay within the code-review scope (reading files, analyzing, generating reports). But examples and SKILL.md include steps that transmit reports externally (Slack webhook example, CI job that uploads reports, an API server example that accepts code over HTTP), and the SKILL.md claims ‘Runs locally - code never leaves your machine’ while also documenting ways to send data to external endpoints. The skill's runtime code (analyzer.js) reads arbitrary files via fs APIs and example scripts show analyzing entire directories and scheduled reviews — which is expected for a reviewer but increases blast radius if paired with external reporting/webhook configuration. Also SKILL.md mentions using OpenClaw's 'read' tool but the implementation uses fs.readFileSync directly — a minor mismatch in how file access is done.
Install Mechanism
There is no external install step that downloads remote archives or runs scripts from arbitrary URLs — the package is instruction+source included in the bundle (analyzer.js, examples, tests). That lowers install-time supply-chain risk. No brew/npm/go downloads or extract-from-URL instructions are present.
Credentials
The skill declares no required environment variables, yet documentation and example code reference process.env.SLACK_WEBHOOK_URL and other env-driven behavior (e.g., sending notifications). The analyzer also scans for hardcoded secrets and contains test code with a fake OpenAI key; that's expected. But lack of declared env requirements (and lack of a declared primary credential) is an omission: if you wire up webhooks or CI, sensitive tokens could be used to transmit data externally. Also omission of 'node' as a required binary is inconsistent with the Node-based analyzer implementation.
Persistence & Privilege
The skill is not marked always:true and does not request persistent platform privileges. It does not modify other skills. Examples include installing a pre-commit hook and running scheduled cron jobs — those are user actions and not automatic. Autonomous invocation is enabled by default (disable-model-invocation: false) which is standard; this combined with the above concerns increases impact if the skill were malicious, but on its own is not unusual.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install cuihua-code-reviewer
  3. After installation, invoke the skill by name or use /cuihua-code-reviewer
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
🌸 First release! AI-powered code review for OpenClaw agents.
Metadata
Slug cuihua-code-reviewer
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Cuihua Code Reviewer?

AI-powered code review assistant for OpenClaw agent developers. Automatically analyzes code quality, detects security vulnerabilities, performance issues, an... It is an AI Agent Skill for Claude Code / OpenClaw, with 122 downloads so far.

How do I install Cuihua Code Reviewer?

Run "/install cuihua-code-reviewer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Cuihua Code Reviewer free?

Yes, Cuihua Code Reviewer is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Cuihua Code Reviewer support?

Cuihua Code Reviewer is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Cuihua Code Reviewer?

It is built and maintained by supermario11 (@supermario11); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments