← Back to Skills Marketplace

QA Reviewer

Name: QA Reviewer
Author: samuelpang

by SamuelPang · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

481

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install qa-reviewer

Description

提供代码审查、单元测试、覆盖率分析和问题追踪，支持C++/Python/JavaScript，确保项目质量和文档完整度。

Usage Guidance

What to consider before installing/using this skill: - Source and provenance: the skill's Source/Homepage are unknown and the package repo URL in package.json should be verified (may not exist). Be cautious installing skills from unknown maintainers. - Missing referenced script: SKILL.md/README reference generate_report.sh but that file is not present—expect minor documentation drift or a packaging error; verify intended behavior before relying on it. - Test execution risk: run_tests.sh can compile and execute project tests (cmake/make or pytest). If the project contains untrusted code or malicious test runners, executing tests can run arbitrary code on your machine. This is expected for a testing tool but is a security risk when used on unknown repositories. - Recommended mitigations: - Inspect scripts (scripts/*.sh) yourself before running. They are simple and readable here, but still review any changes in future versions. - Run the scripts in an isolated environment (container, VM, sandbox) or on a CI runner with limited privileges when scanning untrusted projects. - Verify the repository URL and maintainer identity; prefer skills from known/trusted publishers. - If you only need static analysis or report generation, consider running code_review.sh only (it mostly greps/finds and writes a markdown report) instead of running compiled tests. - If you want higher assurance: request the maintainer to add the missing generate_report.sh or clarify docs, and provide a signed repository or official homepage.

Capability Analysis

Type: OpenClaw Skill Name: qa-reviewer Version: 1.0.0 The skill is classified as suspicious due to significant shell injection vulnerabilities in `scripts/code_review.sh` and `scripts/run_tests.sh`. Both scripts directly use the `$PROJECT_PATH` argument in shell commands (`grep`, `find`, `cd`, `cmake`, `make`, `pytest`, `./srm_tests`) without proper sanitization. If an attacker can control the `PROJECT_PATH` input provided to the AI agent, they could inject arbitrary shell commands, leading to Remote Code Execution (RCE). Additionally, `examples/test_case_example.cpp` uses `system(cmd.c_str());` for cleanup, demonstrating a risky pattern that could lead to shell injection if the `testDir_` variable were ever influenced by untrusted input.

Capability Assessment

ℹ Purpose & Capability

Name/description promise code review, testing, coverage and tracking for C++/Python/JS; the repository contains review and test scripts, templates, examples and docs that align with that purpose. Minor inconsistency: SKILL.md and README mention a generate_report.sh script (quick-start step 3 and README), but no generate_report.sh exists in the file manifest.

⚠ Instruction Scope

SKILL.md instructs the agent to run scripts under ~/.openclaw/extensions/qa-reviewer/scripts/ (code_review.sh, run_tests.sh). The included scripts scan the project, create report files, compile and run tests (cmake/make or pytest). Running tests implies executing compiled binaries or Python tests from the target project — expected for a test tool but a potential risk if tests contain malicious code. The quick-start references a missing generate_report.sh, which is an incoherence in the instructions.

✓ Install Mechanism

No install spec is provided (instruction-only plus shipped scripts). Nothing is downloaded or installed by the skill itself — lowest install risk.

✓ Credentials

The skill declares no required environment variables, no credentials, and no special config paths. The scripts operate on a project path supplied by the user (default '.'), which is proportional to the stated purpose.

✓ Persistence & Privilege

Skill is not always-enabled and does not request elevated privileges. It does create report files in the project directory when invoked, which is expected behaviour and limited in scope.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install qa-reviewer
After installation, invoke the skill by name or use /qa-reviewer
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release based on SRM project experience. Provides code review, testing framework, and quality assurance capabilities.

Metadata

Slug qa-reviewer

Version 1.0.0

License —

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is QA Reviewer?

提供代码审查、单元测试、覆盖率分析和问题追踪，支持C++/Python/JavaScript，确保项目质量和文档完整度。 It is an AI Agent Skill for Claude Code / OpenClaw, with 481 downloads so far.

How do I install QA Reviewer?

Run "/install qa-reviewer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is QA Reviewer free?

Yes, QA Reviewer is completely free (open-source). You can download, install and use it at no cost.

Which platforms does QA Reviewer support?

QA Reviewer is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created QA Reviewer?

It is built and maintained by SamuelPang (@samuelpang); the current version is v1.0.0.

More Skills