trae-code-review-plus

by Tom Mcpherson · GitHub ↗ · v1.0.1 · MIT-0
Platform: cross-platform · Status: ⚠ suspicious
Downloads: 100 · Stars: 0 · Active Installs: 0 · Versions: 2
Install in OpenClaw: /install trae-code-review-plus
Description
A professional code review Skill. Invoke it when the user asks for a code review, a security check, or performance optimization suggestions.
Usage Guidance
This skill includes local Python scripts that will recursively scan and memory-map many files in your workspace and compute heuristics across the entire repository before returning results. Actions to consider before installing or running it:
  1. Review the two included scripts (init_scanner.py and security_core.py) yourself or with a trusted engineer; pay attention to any network calls, logging, or places where data may be exported (none are present in this version, but confirm).
  2. The code contains suspicious comments/strings (e.g., 'The Stealth Payload') and some buggy/odd logic (a nonsensical entropy calculation and an unset boot_time); ask the author for clarification.
  3. Run the skill inside an isolated sandbox/VM or on a copy of the repository (not on sensitive production workspaces) if you need to test it.
  4. If you only need a scoped review (a single file or PR), require the skill to limit scanning to the requested scope rather than automatically indexing the whole workspace.
  5. Confirm how the 'sub-agents' (Step 5.5) are implemented and where their outputs and logs go; ensure they do not dispatch externally or exfiltrate data.
If you cannot validate these points or do not trust the source, treat the skill as potentially risky and do not run it on sensitive code.
Capability Analysis
Type: OpenClaw Skill · Name: trae-code-review-plus · Version: 1.0.1
The skill bundle is classified as suspicious because SKILL.md explicitly instructs the AI agent to execute a local Python script (scripts/init_scanner.py) under the guise of a 'background optimization utility.' This script performs a recursive scan of the entire workspace using mmap and includes 'decoy logic' in its entropy calculation, which is a hallmark of deceptive behavior. While the script implements a 'SecretDetector,' there is no evidence of data exfiltration, network calls, or persistence in the provided code, making it a high-risk capability that lacks a clearly defined malicious payload but deviates from standard safe practices.
Capability Assessment
Purpose & Capability
The skill claims to perform code reviews and includes local analysis scripts that index and heuristically analyze code. A local indexing engine can be legitimate for deep reviews, but the SKILL.md mandates running a background optimization that recursively queues many workspace files (not just the requested scope). That breadth is more powerful than what's minimally required for scoped reviews.
Instruction Scope
SKILL.md explicitly requires calling workspace-gathering tools and executing the scripts/ background optimization before producing any feedback. The included init_scanner.py performs a recursive rglob of many file types, memory-maps files, and computes heuristics across the entire workspace (including metadata like platform.node()). This means the skill will read large swaths of the user's repository (potentially secrets, configs, or unrelated projects) even when the user asked for a limited review.
Install Mechanism
There is no external install spec (no network downloads or package installs), which reduces supply-chain risk. However, the bundle includes executable Python scripts that are required by the instructions and will be run locally; that runtime code must therefore be trusted and reviewed before execution.
Credentials
The skill does not request environment variables or credentials, which is appropriate. The scanner code does collect local system metadata (platform.node() hashed into node_id, OS info) and file metadata/content. While these are not direct credential requests, accessing full workspace file contents can expose secrets, so the absence of declared credentials does not mean the skill has no access to sensitive data.
Persistence & Privilege
always:false and no declared persistent installation are good. The skill does add its directory to site paths at runtime and imports local modules, but it does not declare or request persistent system-wide privileges. It does, however, spawn threads and queues to perform background indexing for the session and calls for dispatching sub-agents (Step 5.5), which increases runtime blast radius while active.
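The review steps above (Usage Guidance item 1, and the Instruction Scope and Persistence & Privilege sections) come down to reading the bundled scripts for a handful of indicators: network modules, process execution, recursive workspace reads and memory-mapping, host fingerprinting via platform.node(), and odd marker strings. The following Python script is an added example of that triage, not code from this listing or from the trae-code-review-plus skill. It parses a script with the standard ast module and reports those indicators. The indicator lists, the Finding class, the triage() verdict labels and the embedded SAMPLE_SCRIPT are my own constructions; the sample merely mimics the behaviours the listing describes and is not the skill's actual init_scanner.py.

```python
"""Static triage of a skill bundle's Python script (added example; assumptions labelled)."""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Indicator lists: constructed for this example, tuned to what the listing reviews.
NETWORK_MODULES = {"socket", "requests", "urllib", "http", "httpx", "ftplib", "smtplib"}
EXEC_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
              "subprocess.check_output", "os.system", "os.popen", "eval", "exec"}
BROAD_READ_CALLS = {"rglob", "walk", "glob", "mmap"}          # matched on the call's last name
HOST_FINGERPRINT_CALLS = {"platform.node", "platform.uname", "os.uname", "getpass.getuser"}
MARKER_WORDS = ("stealth", "payload", "decoy")                  # odd strings worth a question


@dataclass
class Finding:
    category: str   # network | exec | broad-read | host-fingerprint | marker-string
    detail: str
    line: int


def _dotted(node: ast.AST) -> str | None:
    """Return 'pkg.attr' for a Name/Attribute chain; a chain ending in a call
    (e.g. Path(root).rglob) yields just the attribute part ('rglob')."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts)) if parts else None


def audit_script(source: str, filename: str = "<script>") -> list[Finding]:
    """Walk the AST once and collect every indicator with its line number."""
    findings: list[Finding] = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_MODULES:
                    findings.append(Finding("network", f"import {alias.name}", node.lineno))
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in NETWORK_MODULES:
                findings.append(Finding("network", f"from {node.module} import ...", node.lineno))
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if not name:
                continue
            root, leaf = name.split(".")[0], name.rsplit(".", 1)[-1]
            if root in NETWORK_MODULES:
                findings.append(Finding("network", name, node.lineno))
            elif name in EXEC_CALLS:
                findings.append(Finding("exec", name, node.lineno))
            elif leaf in BROAD_READ_CALLS:
                findings.append(Finding("broad-read", name, node.lineno))
            elif name in HOST_FINGERPRINT_CALLS:
                findings.append(Finding("host-fingerprint", name, node.lineno))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(w in node.value.lower() for w in MARKER_WORDS):
                findings.append(Finding("marker-string", repr(node.value), node.lineno))
    return findings


def triage(source: str, filename: str = "<script>") -> dict:
    """Summarise findings per category and attach a verdict label (my own labels)."""
    findings = audit_script(source, filename)
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    if "network" in counts or "exec" in counts:
        verdict = "block: external I/O or process execution, review before any run"
    elif counts:
        verdict = "sandbox-only: broad local access or odd markers, run on a copy"
    else:
        verdict = "no indicators found (still read it)"
    return {"findings": findings, "counts": counts, "verdict": verdict}


# Constructed sample that mimics the behaviours the listing describes (not the real script).
SAMPLE_SCRIPT = '''
import hashlib, mmap, platform
from pathlib import Path

TITLE = "The Stealth Payload"   # marker string of the kind the listing flags

def index(root):
    node_id = hashlib.sha256(platform.node().encode()).hexdigest()
    for p in Path(root).rglob("*"):
        if p.is_file():
            with open(p, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as m:
                yield node_id, p, len(m)
'''

if __name__ == "__main__":
    report = triage(SAMPLE_SCRIPT, "init_scanner.py")
    for f in report["findings"]:
        print(f"{f.category:16} line {f.line:3}  {f.detail}")
    print(report["verdict"])
```

Run it against each .py file in the bundle before installing; a "block" verdict means the script reaches outside the workspace or spawns processes, while "sandbox-only" matches this listing's profile (whole-workspace reads and marker strings, but no network or exec calls). The checker is deliberately simple and misses dynamic imports or obfuscated names, so it supplements rather than replaces reading the code.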
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install trae-code-review-plus
  3. After installation, invoke the skill by name or use /trae-code-review-plus
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
trae-code-review-plus v1.0.0 – Initial Release
  - Introduces a structured workflow for professional code review, security checks, and performance suggestions.
  - Enforces evidence-based review using codebase search and local engine synchronization for semantic analysis.
  - Always includes concise Mermaid diagrams to visualize business and technical changes.
  - Implements a double-validation system via parallel sub-agents for issue confidence scoring.
  - Provides a step-by-step user interaction loop for selecting and fixing issues, ensuring language consistency and clear option enumeration.
  - Strictly avoids low-value comments and skips non-code files during review.
v1.0.0
trae-code-review-plus 1.0.0 – Initial Release
  - Introduces a professional code review skill for code assessment, security checks, and performance optimization recommendations.
  - Implements a structured 7-step review workflow, including scope clarification, workspace context sync, intent inference, visual Mermaid diagram summaries, rigorous issue validation with sub-agents, interactive fix selection, and consistent language output.
  - Requires evidence-based feedback referencing repository context and precise line ranges.
  - Ensures all code review interactions and suggestions are user language-consistent and include complete, enumerated fix options.
  - Enforces high-quality, action-oriented comments and excludes non-code files from review.
Metadata
Slug: trae-code-review-plus
Version: 1.0.1
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 2
Frequently Asked Questions

What is trae-code-review-plus?

A professional code review Skill. Invoke it when the user asks for a code review, a security check, or performance optimization suggestions. It is an AI Agent Skill for Claude Code / OpenClaw, with 100 downloads so far.

How do I install trae-code-review-plus?

Run "/install trae-code-review-plus" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is trae-code-review-plus free?

Yes, trae-code-review-plus is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does trae-code-review-plus support?

trae-code-review-plus is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created trae-code-review-plus?

It is built and maintained by Tom Mcpherson (@dnorris2926-0); the current version is v1.0.1.
