review-sendmsg
by dexing2635-tech · v1.0.0 · MIT-0
156 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install skill-review-sendmsg
Description
Perform detailed Python code reviews identifying bugs, security risks, test gaps, and maintainability issues in diffs, patches, or pull requests.
Usage Guidance
This package contains runnable scripts that will (if configured) send repository diffs to an external LLM endpoint and post logs/notifications to Telegram, but the registry metadata does not declare those environment variables or behaviors. Before installing or running:
1. Do not provide your production LLM API key or real repo credentials until you verify the maintainer and endpoint (LLM_API_URL points to a third-party host).
2. Inspect PROJECTS_DATA to ensure it doesn't point to sensitive/private git URLs.
3. If you need only interactive review functionality, consider removing or disabling the review_runner/telegram parts.
4. Run the scripts in an isolated/test environment (no access to private secrets or production repos).
5. Ask the author/owner for clarification: why the description says 'Python review' while the code reviews many languages, and why required env vars were omitted from the skill metadata.

If you cannot verify these answers, treat the skill as untrusted and avoid supplying secrets or connecting it to sensitive repositories.
Capability Analysis
Type: OpenClaw Skill
Name: skill-review-sendmsg
Version: 1.0.0
The skill bundle provides a functional framework for automated code reviews across multiple languages (PHP, JS, TS, SQL, Shell). It utilizes local linters (e.g., php -l, node --check) and integrates with the DeepSeek LLM API to analyze git diffs, reporting results via Telegram. While it executes shell commands via subprocess and communicates with external APIs, these actions are strictly aligned with its stated purpose of code auditing and notification, with no evidence of malicious intent, credential theft, or unauthorized data exfiltration.
Capability Assessment
Purpose & Capability
The skill is described as a Python code-review helper, but the included scripts target multiple languages (.php, .js, .ts, .sql, .sh), implement a multi-project runner, and send results to an external LLM and Telegram. The registry declares no required environment variables or credentials, yet the code expects LLM_API_KEY, LLM_API_URL, LLM_MODEL, TG_BOT_TOKEN, TG_CHAT_ID, PROJECTS_DATA, and various dirs. These capabilities are broader than the description and the requested/declared requirements.
Instruction Scope
SKILL.md only describes a structured Python review and references local helper scripts but does not mention network I/O, sending notifications, or multi-repo automation. In contrast, the scripts read .env, call an external LLM endpoint with diffs, run subprocesses (git, php, node, bash), write log files, and post messages/documents to Telegram. That expands the runtime scope beyond what the instructions disclose.
Install Mechanism
There is no install spec (instruction-only), which limits installer-level risk. The repository includes requirements.txt (requests, python-dotenv) — common and expected for networked Python scripts. Because the skill ships runnable scripts, installing/running them will execute network calls and subprocesses on the host; the absence of an install script reduces supply-chain risk but does not eliminate execution-time risk.
Credentials
The skill registry lists no required env vars, but the code requires secrets and config: LLM_API_KEY (and URL/model), TG_BOT_TOKEN and TG_CHAT_ID, PROJECTS_DATA (which can contain git URLs/branches and target chats), and other runtime dirs. Those variables permit sending repository diffs to a third-party LLM service and posting logs to Telegram — powerful exfiltration channels that are not justified or declared by the public metadata.
Persistence & Privilege
always:false and no special privilege flags are set. The skill does not request forced always-on inclusion. However, the runner script is designed to run as a multi-project cron-like process (state, lock, work directories), so if installed and scheduled it could run regularly and contact external services; this is a behavioral risk but not a declared platform privilege.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install skill-review-sendmsg
- After installation, invoke the skill by name or use /skill-review-sendmsg
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of skill-review-sendmsg:
- Provides structured reviews for Python code changes with checks for correctness, safety, test coverage, and maintainability.
- Outlines a clear workflow for code review, focusing on real, actionable issues.
- Outputs concise verdicts, prioritizing high-severity findings with file/line references and fix suggestions.
- Includes descriptions of usage scenarios and helper scripts for review logic and automation.
- Ensures practical, specific feedback and advises when information is missing or a change is fine.
Frequently Asked Questions
What is review-sendmsg?
Perform detailed Python code reviews identifying bugs, security risks, test gaps, and maintainability issues in diffs, patches, or pull requests. It is an AI Agent Skill for Claude Code / OpenClaw, with 156 downloads so far.
How do I install review-sendmsg?
Run "/install skill-review-sendmsg" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is review-sendmsg free?
Yes, review-sendmsg is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does review-sendmsg support?
review-sendmsg is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created review-sendmsg?
It is built and maintained by dexing2635-tech (@dexing2635-tech); the current version is v1.0.0.