Ops Code Review

Code Review 安全扫描工具，自动化代码审计，支持 Django/Python、React+TypeScript、PHP 多语言。 自动识别 SVN 提交变更，调用 bandit/pylint/eslint/phpcs 进行安全扫描和代码规范检查， 报告推送飞书群。支持 post-commit hook...

This skill appears to implement an SVN-based multi-language scanner, but there are a few red flags you should address before installing: - Metadata mismatch: The registry says no env vars are required, but SKILL.md and the code require CODE_REVIEW_SVN_USER, CODE_REVIEW_SVN_PASS and CODE_REVIEW_FEISHU_CHAT_ID. Confirm the skill owner and ask them to update metadata to declare these required secrets. - Limit credentials: If you proceed, create a read-only SVN account with minimal scope, and treat CODE_REVIEW_SVN_PASS as a secret. Do not provide high-privilege or admin credentials. - Run installs in isolation: The install steps perform system-global changes (pip --break-system-packages, global npm packages, curl | php for composer). Run the installation in a container, VM, or isolated environment to avoid altering your host system Python/npm state. - Review the hook deployment: The generated SVN post-commit hook calls python3 on a filesystem path; ensure you place the scripts in a controlled location and verify the hook content before enabling it on production SVN servers. - Verify Feishu integration: The code writes messages to /tmp/code_review_pending_msg.json expecting OpenClaw to forward them. Confirm how your OpenClaw instance processes that file and that your Feishu webhook/chat id is configured correctly. - Audit installer commands: Although downloads come from known hosts (getcomposer.org, official package managers), piping remote install scripts to interpreters (curl | php) is a sensitive pattern — fetch and inspect the installer before running. If you cannot validate these points or do not control an isolated environment, treat this skill as risky and prefer to run its scripts manually only after inspection.

Type: OpenClaw Skill Name: ops-code-review Version: 1.0.5 The skill bundle provides a comprehensive code review automation tool for SVN repositories, but it exhibits several high-risk behaviors. It requires and handles sensitive SVN credentials and Feishu IDs via environment variables and local configuration files (svn_manager.py). The installation process involves high-risk actions such as downloading and executing the Composer installer via 'curl | php' and installing Python packages with the '--break-system-packages' flag (SKILL.md, check_dependencies.py). While these behaviors are aligned with the stated purpose of CI/CD automation and code auditing, the combination of credential handling, remote script execution, and broad shell command usage via subprocess calls to various linters warrants a suspicious classification.