← Back to Skills Marketplace
Fastapi Code Review
by
Kevin Anderson
· GitHub ↗
· v1.1.1
· MIT-0
216
Downloads
0
Stars
1
Active Installs
2
Versions
Install in OpenClaw
/install fastapi-code-review
Description
Reviews FastAPI code for routing patterns, dependency injection, validation, and async handlers. Use when reviewing FastAPI apps, checking APIRouter setup, D...
README (SKILL.md)
FastAPI Code Review
Quick Reference
| Issue Type | Reference |
|---|---|
| APIRouter setup, response_model, status codes | references/routes.md |
| Depends(), yield deps, cleanup, shared deps | references/dependencies.md |
| Pydantic models, HTTPException, 422 handling | references/validation.md |
| Async handlers, blocking I/O, background tasks | references/async.md |
Review Checklist
- APIRouter with proper prefix and tags
- All routes specify
response_modelfor type safety - Correct HTTP methods (GET, POST, PUT, DELETE, PATCH)
- Proper status codes (200, 201, 204, 404, etc.)
- Dependencies use
Depends()not manual calls - Yield dependencies have proper cleanup
- Request/Response models use Pydantic
- HTTPException with status code and detail
- All route handlers are
async def - No blocking I/O (
requests,time.sleep,open()) - Background tasks for non-blocking operations
- No bare
exceptin route handlers
Valid Patterns (Do NOT Flag)
These are idiomatic FastAPI patterns that may appear problematic but are correct:
- Pydantic validates request body automatically - No manual validation needed when using typed Pydantic models as parameters
- Dependency injection for database sessions - Sessions come from
Depends(), not passed as function arguments - HTTPException for all HTTP errors - FastAPI handles conversion to proper HTTP responses
- Async def endpoint without await - May be using sync dependencies or simple operations; FastAPI handles this
- Type annotation on Depends() - This is documentation/IDE support, not a type assertion
- Query/Path/Body defaults - FastAPI processes these at runtime, not traditional Python defaults
- Returning dict from endpoint - Pydantic converts automatically if
response_modelis set
Context-Sensitive Rules
Only flag issues when the context warrants it:
- Flag missing validation ONLY IF the field isn't already in a Pydantic model with validators
- Flag missing auth ONLY IF the endpoint isn't using
Depends()with an auth dependency - Flag missing error handling ONLY IF HTTPException isn't raised appropriately for error cases
- Flag sync in async ONLY IF the operation is actually blocking (file I/O, network calls, CPU-bound), not just non-async
Gates (FastAPI-specific)
Run once per FastAPI-related finding, after you can anchor file:line for the handler (see review-verification-protocol) and before the finding text ships. If a step’s pass condition is not met, do not assert the finding as written—gather evidence, withdraw, downgrade severity, or rephrase as a question.
Gate 1 — Route decorator and response surface
| Step | Action | Pass condition |
|---|---|---|
| 1a | Open the handler’s route decorator in the repo (not from memory). | file:line for @router.* / @app.* (or the site that registers this handler). |
| 1b | Record HTTP method, response_model=, and status_code= on that decorator (or note they are absent). |
Snippet from that line or explicit absent with the same file:line. |
Gate 2 — Blocking or “should be async”
| Step | Action | Pass condition |
|---|---|---|
| 2a | Read the full handler body. | file:line range covering the body. |
| 2b | If claiming blocking I/O: name each blocking call (e.g. requests., open(, time.sleep, sync DB/ORM). |
Each call has file:line, or withdraw the finding if none after the read. |
Gate 3 — Depends, validation, auth
| Step | Action | Pass condition |
|---|---|---|
| 3a | List parameters: Depends / Annotated[..., Depends], Pydantic models, Body/Query/Path, Request/Response. |
Names + mechanism tied to file:line on the signature. |
| 3b | If claiming missing auth: search the handler file (and its APIRouter module if separate) for Depends, Security, HTTPBearer, or project auth dependencies. |
Citation to an existing hook, or search result: paths searched + N matches (zero is allowed). |
| 3c | If claiming missing validation: confirm the argument is not already a Pydantic model or constrained Query/Path/Body. |
Type/source with file:line, or withdraw if validation already applies. |
FastAPI Framework Behaviors
FastAPI + Pydantic handle many concerns automatically:
- Request validation via Pydantic models
- Response serialization via response_model
- Dependency injection for cross-cutting concerns
- Exception handling via exception handlers
Before flagging "missing" functionality, verify FastAPI isn't handling it.
When to Load References
- Reviewing route definitions → routes.md
- Reviewing dependency injection → dependencies.md
- Reviewing Pydantic models/validation → validation.md
- Reviewing async route handlers → async.md
Review Questions
- Do all routes have explicit response models and status codes?
- Are dependencies injected via Depends() with proper cleanup?
- Do all Pydantic models validate inputs correctly?
- Are all route handlers async and non-blocking?
Before Submitting Findings
- For each FastAPI-related finding, complete Gates (FastAPI-specific) above.
- Load and follow review-verification-protocol (Pre-Report checklist and Verification by Issue Type) before reporting any issue.
Usage Guidance
This skill appears to do exactly what it says: guide a FastAPI code review by reading source files. It's low-risk because it has no install or secret requirements, but be aware it needs read access to your repository to operate. Before installing/run: (1) ensure you don't expose secrets in the repository (API keys, credentials, .env files), (2) confirm the missing referenced file (review-verification-protocol) if you rely on that gate, and (3) if you allow autonomous invocation, restrict agent permissions or run reviews on a sanitized copy of the codebase.
Capability Assessment
Purpose & Capability
Name/description match the SKILL.md and reference files. The skill only asks the agent to inspect FastAPI code and follow review gates; there are no unrelated env vars, binaries, or installs requested.
Instruction Scope
Runtime instructions explicitly tell the agent to open repository files, anchor findings to file:line, read handler bodies, and search the repo for Depends/Security/etc. That is appropriate for a code-review skill but means the agent must be allowed to read the project's source; also the SKILL.md references ../review-verification-protocol/SKILL.md which is not present in the provided manifest (missing reference).
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes risk because nothing is written to disk or fetched at install time.
Credentials
The skill declares no environment variables, credentials, or config paths. It does not request secrets or external service tokens; this is proportional to a static code-review assistant.
Persistence & Privilege
always:false (not forced into every agent run), user-invocable:true, and model-invocation allowed (normal). Note: because the skill reads repo files when run, allowing autonomous invocation increases the potential impact if combined with other risky skills, but by itself this is expected.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install fastapi-code-review - After installation, invoke the skill by name or use
/fastapi-code-review - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.1
FastAPI-specific review protocol is now enforced before reporting findings.
- Added a new "Gates (FastAPI-specific)" section outlining verification steps for route handlers, async/blocking code, dependency injection, validation, and authentication.
- Clarified that each FastAPI finding must pass explicit checks, with `file:line` anchoring, before being submitted.
- Expanded instructions in "Before Submitting Findings" to require running Gates and following the review verification protocol.
- No changes to core usage or checklists; guidance and best practices remain the same.
v1.1.0
- Added SKILL.md with comprehensive review guidelines and checklist for FastAPI code.
- Includes detailed reference mapping for routes, dependencies, validation, and async patterns.
- Clarifies valid FastAPI idioms that should NOT be flagged during review.
- Provides context-sensitive rules to improve accuracy and relevance of flagged issues.
- Introduces a review protocol to follow before submitting findings.
Metadata
Frequently Asked Questions
What is Fastapi Code Review?
Reviews FastAPI code for routing patterns, dependency injection, validation, and async handlers. Use when reviewing FastAPI apps, checking APIRouter setup, D... It is an AI Agent Skill for Claude Code / OpenClaw, with 216 downloads so far.
How do I install Fastapi Code Review?
Run "/install fastapi-code-review" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Fastapi Code Review free?
Yes, Fastapi Code Review is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Fastapi Code Review support?
Fastapi Code Review is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Fastapi Code Review?
It is built and maintained by Kevin Anderson (@anderskev); the current version is v1.1.1.
More Skills