gotoloops

GitLab MR Code Review

by gotoloops · GitHub ↗ · v1.0.3 · MIT-0
cross-platform ⚠ suspicious
149 Downloads · 1 Stars · 1 Active Installs · 3 Versions
Install in OpenClaw
/install gitlab-auto-review
Description
Automated AI code review for GitLab Merge Requests via polling. Periodically checks for open MRs, reviews code diffs for security vulnerabilities, bugs, and...
README (SKILL.md)

GitLab MR Code Review

Polling-based automated code review for GitLab MRs.

Architecture

Cron (*/2 * * * *) → gitlab-api.js list-mrs → skip reviewed → fetch diff → AI review → post comments/note
  • No webhook server — pure polling
  • Reviewed MRs tracked in {baseDir}/mr-reviewed.json

Setup

  1. Create {baseDir}/.env with your GitLab credentials:
    GITLAB_URL=https://gitlab.example.com
    GITLAB_TOKEN=glpat-xxxxxxxxxxxxxxxxxxxx
    
    The script auto-loads this file. Environment variables take precedence (won't be overwritten if already set).
  2. Test: node {baseDir}/scripts/gitlab-api.js get-version
  3. Install cron worker — see references/cron-setup.md for the full command

API Script Reference

node {baseDir}/scripts/gitlab-api.js get-version                                # Test connection
node {baseDir}/scripts/gitlab-api.js list-mrs                                   # List open MRs
node {baseDir}/scripts/gitlab-api.js list-mrs --project <project_path>          # Filter by project
node {baseDir}/scripts/gitlab-api.js get-changes <project_id> <mr_iid>          # Fetch MR diff
node {baseDir}/scripts/gitlab-api.js get-file <project_id> <branch> <path>      # Fetch file content
node {baseDir}/scripts/gitlab-api.js post-comment --file <json> <pid> <iid>     # Inline comment (use --file!)
node {baseDir}/scripts/gitlab-api.js post-note <project_id> <mr_iid> '<text>'   # Summary note

post-comment JSON format

{
  "body": "**[Critical]** sql_injection\n\nRaw query with user input.",
  "position": {
    "base_sha": "abc123",
    "start_sha": "def456",
    "head_sha": "ghi789",
    "new_path": "src/db.js",
    "new_line": 42
  }
}

base_sha/start_sha/head_sha come from get-changes output's diff_refs.
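As an added example (not code from the skill itself), the following Node.js snippet builds the post-comment payload from a get-changes result and derives new_line by walking the unified diff, so the number refers to the NEW version of the file as the "Wrong line numbers" troubleshooting entry requires. It assumes get-changes returns the same shape as GitLab's MR changes API (a diff_refs object and a changes array with new_path and diff); the sample diff and SHAs are constructed.

```javascript
// Added example (not part of the gitlab-auto-review skill). Builds the
// post-comment payload from get-changes output, deriving new_line from the
// unified diff so it is the line number in the NEW version of the file.
// Assumed shape (mirrors GitLab's MR changes API): { diff_refs: { base_sha,
// start_sha, head_sha }, changes: [{ new_path, diff }] }.

// Constructed sample of get-changes output for one MR.
const sampleChanges = {
  diff_refs: { base_sha: "abc123", start_sha: "def456", head_sha: "ghi789" },
  changes: [{
    new_path: "src/db.js",
    diff: "@@ -40,3 +40,4 @@ function lookup(id) {\n" +
          "   const db = connect();\n" +
          "-  return db.query(SAFE_QUERY, [id]);\n" +
          "+  // TODO: validate id\n" +
          "+  return db.query(`SELECT * FROM users WHERE id = ${id}`);\n" +
          " }\n",
  }],
};

// Return the new-file line number of the first ADDED line whose text
// satisfies `predicate`, or null if none does. Context (" ") and added
// ("+") lines advance the new-file counter; removed ("-") lines do not,
// which is the mistake behind "Wrong line numbers" in the README.
function findNewLine(diff, predicate) {
  let newLine = 0;
  for (const raw of diff.split("\n")) {
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) { newLine = Number(hunk[1]); continue; }
    if (raw === "" || raw.startsWith("-") || raw.startsWith("\\")) continue;
    if (raw.startsWith("+") && predicate(raw.slice(1))) return newLine;
    newLine += 1;
  }
  return null;
}

// Assemble the JSON that post-comment --file expects; this example anchors
// findings only to lines the MR adds.
function buildComment(changes, filePath, severity, rule, message, predicate) {
  const change = changes.changes.find((c) => c.new_path === filePath);
  if (!change) throw new Error(`no change for ${filePath} in this MR`);
  const newLine = findNewLine(change.diff, predicate);
  if (newLine === null) throw new Error("finding is not on an added line");
  const { base_sha, start_sha, head_sha } = changes.diff_refs;
  return {
    body: `**[${severity}]** ${rule}\n\n${message}`,
    position: { base_sha, start_sha, head_sha, new_path: filePath, new_line: newLine },
  };
}
```

Write the returned object to a temporary file and pass it with --file, as the README recommends, rather than quoting it on the command line.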

Review Rules

  • Default: references/review-guidelines.md — severity levels, output format, what to skip
  • Per-project: Place .gitlab-review-prompt.md in the repo root; the worker auto-fetches it via get-file

Troubleshooting

  Problem              Fix
  MRs not reviewed     openclaw cron list — is worker enabled?
  API errors           node {baseDir}/scripts/gitlab-api.js get-version
  Duplicate reviews    Check {baseDir}/mr-reviewed.json exists and is writable; ensure cron prompt has explicit "never re-review" rule at highest priority
  Garbled comments     Use --file mode for post-comment (Windows PowerShell encoding)
  Wrong line numbers   new_line must be the line number in the NEW version of the file
Usage Guidance
This skill appears to do what it says, but take these precautions before enabling it:
  • Review the included script (scripts/gitlab-api.js) yourself — it makes only GitLab API calls and writes/reads a local reviewed-log file.
  • Use a least-privilege GitLab token: grant only the scopes needed to read MRs and post comments/notes (avoid full admin scopes). Prefer a project-scoped token if possible.
  • Protect the .env file and any stored token (file permissions, secrets manager) and rotate the token if compromised.
  • Test the worker in a safe/test project first to verify behavior and comment formatting.
  • Note the cron setup instructs the worker to run without prompts — ensure you want an unattended process that will post directly to MRs.
  • Minor technical notes: the helper uses md5-based line_code (comment text said SHA256), and it relies on Node's fetch availability (Node 18+ or polyfill). Ensure your environment matches.
If you want tighter control, run the script manually or limit the cron schedule while evaluating, and confirm the token scope before granting it to the worker.
Capability Analysis
Type: OpenClaw Skill
Name: gitlab-auto-review
Version: 1.0.3
The skill is a legitimate automation tool for GitLab Merge Request reviews via polling. It uses a Node.js helper script (gitlab-api.js) to interact with the GitLab API using user-provided credentials (GITLAB_TOKEN). The instructions in SKILL.md and cron-setup.md are strictly aligned with the stated purpose of checking for new MRs, fetching diffs, and posting AI-generated feedback. The implementation includes defensive practices, such as using temporary files for JSON payloads to avoid shell injection or encoding issues. No evidence of data exfiltration, unauthorized execution, or malicious prompt injection was found.
Capability Tags
crypto
Capability Assessment
Purpose & Capability
Name/description (automated MR review) align with requested binaries (node), required env vars (GITLAB_URL, GITLAB_TOKEN), and included scripts that call the GitLab API. The primary credential is the GitLab token as expected.
Instruction Scope
SKILL.md and cron instructions stay inside the review workflow (polling MRs, fetching diffs, posting comments/notes). They explicitly direct the agent to read/write {baseDir}/mr-reviewed.json and to create a local .env with credentials (expected for an autonomous worker). The cron message instructs the worker to "Do not ask for permission — execute directly," which is normal for unattended cron workers but worth noting because it emphasizes autonomous actions.
Install Mechanism
No install spec — instruction-only with a single local JS helper script. Nothing is downloaded or installed from external arbitrary URLs.
Credentials
Only GITLAB_URL and GITLAB_TOKEN are required, which are proportional to the task. No unrelated credentials, secrets, or unexpected config paths are requested.
Persistence & Privilege
Skill doesn't set always:true. The provided cron setup will create a persistent scheduled worker that runs autonomously (the cron message explicitly tells the worker to act without asking). This is reasonable for automation but increases how often the token is used and the blast radius if the token has broad scopes.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install gitlab-auto-review
  3. After installation, invoke the skill by name or use /gitlab-auto-review
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.3
  • Added troubleshooting guidance: clarify that cron prompt should have an explicit "never re-review" rule at highest priority to prevent duplicate reviews.
  • No code or functional changes; documentation update only.
v1.0.1
  • Updated setup instructions to clarify creation and use of the `{baseDir}/.env` file for GitLab credentials.
  • Noted that environment variables take precedence over `.env` values and will not be overwritten if already set.
  • No functional changes to the skill itself; documentation improvements only.
v1.0.0
  • Initial release: Automated AI code review for GitLab Merge Requests via polling.
  • Reviews code diffs for security, bugs, and best practices, posting inline comments and summary notes directly on GitLab.
  • Supports custom project-level review rules with `.gitlab-review-prompt.md`.
  • Simple setup: configure via environment variables and cron job; no webhooks required.
  • Includes troubleshooting tips and a detailed API script reference for integration and testing.
Metadata
Slug: gitlab-auto-review
Version: 1.0.3
License: MIT-0
All-time Installs: 1
Active Installs: 1
Total Versions: 3
Frequently Asked Questions

What is GitLab MR Code Review?

Automated AI code review for GitLab Merge Requests via polling. Periodically checks for open MRs, reviews code diffs for security vulnerabilities, bugs, and... It is an AI Agent Skill for Claude Code / OpenClaw, with 149 downloads so far.

How do I install GitLab MR Code Review?

Run "/install gitlab-auto-review" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is GitLab MR Code Review free?

Yes, GitLab MR Code Review is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does GitLab MR Code Review support?

GitLab MR Code Review is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created GitLab MR Code Review?

It is built and maintained by gotoloops (@gotoloops); the current version is v1.0.3.
