/install clawd-code-reviewer
Code Reviewer Skill
Automate code review. Ship faster with confidence.
When to Use
✅ USE this skill when:
- "Review all my pull requests automatically"
- "Enforce our coding standards"
- "Detect security vulnerabilities in PRs"
- "Block performance anti-patterns"
- "Auto-approve trivial changes"
- "Generate review comments on PRs"
- "Ensure no secrets or credentials committed"
When NOT to Use
❌ DON'T use this skill when:
- Architecture-level changes (needs senior human review)
- Complex business logic rewrites
- Security-critical changes (requires human approval anyway)
- Initial project setup (manual setup needed)
💪 The Developer Pain Point
Manual code review sucks:
- Context switching: 15 min per PR → 5 hours/week
- Missing subtle bugs: production incidents
- Inconsistent standards: code quality varies
- Slow feedback: developers wait hours/days
- Review fatigue: important issues get missed
Our solution: Instant, consistent, comprehensive reviews
Time saved: 5-10 hours/week per developer
Value: $300-600/week at $60/hr → $12,000-24,000/month per dev team
Pricing: $29-99/month per repo
ROI: Hours saved in first week
Features
1. Style & Linting Enforcement
```yaml
rules:
  - style:
      tools: ["eslint", "prettier", "rubocop", "black", "gofmt"]
      auto_fix: true
      comment: |
        Style issues found. Run `pnpm run lint:fix` to auto-fix.
  - complexity:
      max_cyclomatic: 10
      max_nesting: 4
      comment: |
        Function too complex (cyclomatic: {{complexity}}/10). Consider refactoring.
  - duplication:
      max_lines_duplicate: 10
      ignore_tests: true
```
2. Bug Detection
```yaml
bugs:
  - null_pointer:
      languages: ["java", "csharp", "kotlin"]
      severity: "high"
  - resource_leak:
      languages: ["go", "rust", "c++"]
      severity: "critical"
  - race_condition:
      languages: ["go", "java", "javascript"]
      patterns: ["mutex", "atomic", "promise"]
  - off_by_one:
      languages: ["c", "cpp", "java"]
      patterns: ["loop_index", "array_access"]
  - improper_error_handling:
      languages: ["python", "javascript", "ruby"]
      patterns: ["try-catch", "throw", "except"]
```
3. Security Scanning
```yaml
security:
  - secrets_detection:
      patterns:
        - aws_secret_key: "AKIA[0-9A-Z]{16}"   # matches the AWS access key ID (AKIA...); the 40-char secret has no fixed prefix
        - slack_token: "xox[baprs]-[0-9a-zA-Z-]+"
        - github_token: "ghp_[0-9a-zA-Z]{36}"
        - private_key: "-----BEGIN [A-Z ]+ PRIVATE KEY-----"
      action: "fail_ci" # Block merge
      comment: |
        🚨 **SECRET DETECTED**
        Never commit credentials! Use environment variables or secret manager.
        This PR cannot be merged until removed.
  - sql_injection:
      patterns: ["exec(.*SQL)", "raw_query(.*)", "format(.*SELECT)"]
      languages: ["python", "php", "javascript"]
      severity: "critical"
  - xss:
      patterns: ["innerHTML", "document.write", "dangerouslySetInnerHTML"]
      languages: ["javascript", "typescript", "react"]
      severity: "high"
  - path_traversal:
      patterns: ["__dirname+", "os.path.join(user_input)"]
      languages: ["node", "python"]
      severity: "high"
  - license_compliance:
      check: ["commercial_use", "copyleft", "patent_risk"]
      block_merge: true
```
4. Performance Anti-Patterns
```yaml
performance:
  - n+1_queries:
      languages: ["ruby", "javascript", "python"]
      frameworks: ["rails", "django", "express"]
      comment: |
        N+1 query detected! Use eager loading (`.includes()` or `select_related`).
  - inefficient_loop:
      patterns: ["for(i=0;i<list.length;i++)", "for key in dict:"]
      suggest: "List comprehension / map / filter"
  - large_object_alloc:
      pattern: "new.*inside.*loop"
      comment: "Allocating object in loop → move outside"
  - blocking_io:
      pattern: "await fetch|sync_http_call"
      suggest: "Use async / non-blocking"
```
5. Architecture & Design
```yaml
architecture:
  - god_object:
      max_methods: 20
      max_lines: 500
      comment: |
        This class is too large ({{methods}} methods, {{lines}} LOC).
        Consider splitting responsibilities.
  - feature_envy:
      pattern: "class A using data from class B extensively"
      suggest: "Move method to class B"
  - circular_dependency:
      modules: ["a", "b", "c"]
      severity: "high"
```
Quick Start
1. Connect Repository
```bash
# Install reviewer on a GitHub repo
clawhub code-reviewer install --repo github.com/yourorg/yourrepo
# Configure (opens editor)
clawhub code-reviewer config --repo github.com/yourorg/yourrepo
```
2. Enable Rules
```yaml
# ~/.openclaw/code-reviewer/rules.yaml
include:
  - "security-high"
  - "style"
  - "performance"
exclude:
  - "performance/n_plus_one" # Some false positives
    when: "test_files_only"
severity_overrides:
  - "sql_injection": "block"       # Fail CI
  - "style/variable_name": "comment" # Just warn
```
3. Configure Actions
```yaml
actions:
  on_pr_open:
    - "review" # Post review comments
    - "label"  # Add labels (needs-work / safe / security)
  on_pr_update:
    - "review" # Re-review
  auto_approve:
    when:
      - "all_checks_pass == true"
      - "author in [maintainer_team]"
      - "changed_files < 5"
    # Skip required reviewers
  block_merge:
    when:
      - "security_issues_found"
      - "test_coverage < 80%"
    message: |
      ❌ Merge blocked:
      - {{security_issues_found}} security issues
      - Test coverage {{test_coverage}}% < 80%
      Fix before merging.
```
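To show how the pieces above fit together, here is an added example (not the skill's own code) that runs the secrets_detection patterns from section 3 over the added lines of a unified diff and then applies the block_merge / auto_approve conditions from this actions block. It assumes a simplified diff parser (file header and hunk header only, no rename handling) and constructs its own sample diff; the AWS key in it is the placeholder from AWS's documentation, not a live credential.

```python
import re
# Secret patterns copied from the skill's secrets_detection rule above.
SECRET_PATTERNS = {
    "aws_access_key_id": r"AKIA[0-9A-Z]{16}",
    "slack_token": r"xox[baprs]-[0-9a-zA-Z-]+",
    "github_token": r"ghp_[0-9a-zA-Z]{36}",
    "private_key": r"-----BEGIN [A-Z ]+ PRIVATE KEY-----",
}

def scan_diff(diff: str) -> list[tuple[str, str, int]]:
    """Return (rule, path, new_line_no) for secrets on the *added* lines of a unified diff."""
    findings, path, lineno = [], "", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):      # header naming the new version of the file
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):      # "@@ -a,b +c,d @@": c is the first new line number
            lineno = int(raw.split("+")[1].split(" ")[0].split(",")[0]) - 1
        elif raw.startswith("+"):       # added line: the only text the PR introduces
            lineno += 1
            for name, pat in SECRET_PATTERNS.items():
                if re.search(pat, raw[1:]):
                    findings.append((name, path, lineno))
        elif not raw.startswith("-"):   # context lines advance the new-file counter too
            lineno += 1
    return findings

def merge_decision(findings, coverage, checks_pass, author, maintainers, changed_files):
    """Apply the block_merge and auto_approve conditions from the actions config above."""
    reasons = []
    if findings:
        reasons.append(f"{len(findings)} security issues")
    if coverage < 80:
        reasons.append(f"test coverage {coverage}% < 80%")
    if reasons:
        return "blocked", reasons
    if checks_pass and author in maintainers and changed_files < 5:
        return "auto_approved", reasons
    return "needs_review", reasons
# Constructed sample PR diff; the key is AWS's documented placeholder, not a live credential.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -41,3 +41,4 @@ def load():
 DEBUG = False
-KEY = os.environ["AWS_KEY"]
+KEY = "AKIAIOSFODNN7EXAMPLE"
+REGION = "us-east-1"
 TIMEOUT = 30
"""
```

Only added lines are scanned, so a secret that was already in the base branch is not re-reported on every PR; rotating it is still required, which is why the review comment says so.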
GitHub App Setup
```bash
# Create GitHub App (one time)
clawhub code-reviewer create-app \
  --name "Code Reviewer" \
  --webhook-url "https://api.clawhub.com/webhooks/github" \
  --permissions "contents=read, pull_requests=write"
# Install on repositories
clawhub code-reviewer install \
  --app-id 12345 \
  --repo github.com/yourorg/yourrepo
# Or install on all org repos
clawhub code-reviewer install-org \
  --org yourorg \
  --app-id 12345
```
Review Comments Example
What reviewers see in PR:
🔍 **Code Review Summary**
✅ **Passed**: 12 checks
⚠️ **Warnings**: 3
❌ **Failed**: 1 (blocking)
---
### Security 🛡️
- ❌ **Hardcoded secret** in line 42 (`config.py`)
> Remove immediately and rotate credential.
### Performance ⚡
- ⚠️ **N+1 query** in `user_controller.rb:28`
> Use `.includes(:profile)` to load associated records in one query.
### Style 🎨
- ⚠️ **Variable name** `x` is too short (line 15)
> Use descriptive names; min length 3 chars.
- ⚠️ **Missing trailing comma** in multi-line array (line 78)
---
💡 **Suggestions**
1. Run `./gradlew test` → 3 tests failing
2. Code coverage: 75% (target: 80%)
3. Consider adding unit tests for `PaymentProcessor` class
---
🔒 **Auto-approval status**: ❌ Not eligible (security issue blocks)
Custom Rules
Write Your Own (YAML)
```yaml
custom_rules:
  - id: "no_todo_comments"
    pattern: "TODO|FIXME|HACK"
    message: "Remove technical debt comment before merging"
    severity: "warning"
  - id: "no_debugger"
    pattern: "debugger|pdb.set_trace|console.log"
    message: "Remove debugging code"
    severity: "fail"
  - id: "no_console_in_prod"
    pattern: "console.log"
    files: "src/**/*.js"
    except: "tests/**"
    severity: "warning"
  - id: "feature_flag_required"
    pattern: "if.*new_feature"
    message: "Wrap in feature flag: `if (flags.newFeature)`"
    severity: "warning"
  - id: "require_tests"
    condition: "added_lines > 50 && test_files_modified == 0"
    message: "Large change without tests. Add tests for new code."
    severity: "fail"
```
Python Rule Example
```python
# rules/python/no_assert_in_prod.py
from codereviewer import Rule


class NoAssertInProd(Rule):
    """Flag `assert` outside test files: asserts are stripped when Python runs with -O."""

    def check(self, file, line):
        # Python strings have no .contains(); use the `in` operator (line is the line's text).
        if "assert " in line and "test" not in file.path:
            return self.fail("Remove assert in production code")
```
GitHub Actions Integration
.github/workflows/code-review.yml:
```yaml
name: Code Review
on:
  pull_request:
    branches: [main, develop]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Code Reviewer
        uses: clawhub/code-reviewer@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          config: .codereview.yaml
```
GitLab CI/CD
.gitlab-ci.yml:
```yaml
code-review:
  stage: test
  script:
    - clawhub code-reviewer run --config .codereview.yaml
  artifacts:
    reports:
      code-review: review-report.json
```
Slack Notifications
```yaml
notifications:
  slack:
    channel: "#code-reviews"
    on:
      - "security_issue"
      - "pr_blocked"
      - "pr_approved"
    format:
      blocks:
        - type: "header"
          text: "{{pr_title}}"
        - type: "section"
          text: "{{review_summary}}"
        - type: "actions"
          elements:
            - type: "button"
              text: "View PR"
              url: "{{pr_url}}"
```
Pricing
Open Source (Free)
- Public repos: free
- Community rules only
- Basic style checks
Pro ($29/mo per repo)
- Private repos
- Custom rules
- Security scanning
- Slack/Teams alerts
- Unlimited reviewers
Business ($99/mo per org)
- All Pro features
- Enterprise security rules
- SSO / SAML
- Audit logs
- Priority support
Enterprise ($499+/mo)
- Unlimited everything
- Custom rule writing service
- On-premise deployment
- SLA guarantees
- Dedicated engineer
Competitive Comparison
| Feature | ReviewDog | SonarQube | CodeClimate | Code Reviewer |
|---|---|---|---|---|
| Price | Free (self-host) | $150/mo | $49/mo | $29/mo |
| GitHub integration | ✅ | ✅ | ✅ | ✅ |
| Custom rules | ✅ | ✅ | ⚠️ limited | ✅ unlimited |
| Auto-approve | ❌ | ❌ | ❌ | ✅ |
| AI suggestions | ❌ | ❌ | ❌ | ✅ |
| Setup time | hours | days | hours | minutes |
Launch Plan
- Build core review engine
- Publish 50+ built-in rules
- Create rule marketplace (community contributed)
- Add AI-powered suggestions (GPT-4)
- Support Bitbucket, Azure DevOps
- Publish to GitHub Marketplace
- Partner with OpenClaw for integration
Automate code reviews. Ship faster, sleep better. 🔍✨
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install clawd-code-reviewer
- After installation, invoke the skill by name or use /clawd-code-reviewer
- Provide required inputs per the skill's parameter spec and get structured output
What is Code Reviewer?
Automated code review, quality gates, and PR analysis. Integrates with GitHub, GitLab, Bitbucket. Enforce style guides, detect bugs, security vulnerabilities... It is an AI Agent Skill for Claude Code / OpenClaw, with 223 downloads so far.
How do I install Code Reviewer?
Run "/install clawd-code-reviewer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Code Reviewer free?
Yes, Code Reviewer is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Code Reviewer support?
Code Reviewer is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Code Reviewer?
It is built and maintained by Fuhaolin (@fuczy); the current version is v1.0.0.