Liveview Code Review

by Kevin Anderson · GitHub ↗ · v1.2.1 · MIT-0
cross-platform ⚠ suspicious
175 Downloads · 0 Stars · 1 Active Installs · 2 Versions
Install in OpenClaw
/install liveview-code-review
Description
Reviews Phoenix LiveView code for lifecycle patterns, assigns/streams usage, components, and security. Use when reviewing LiveView modules, .heex templates,...
README (SKILL.md)

LiveView Code Review

Quick Reference

Issue Type | Reference
mount, handle_params, handle_event, handle_async | references/lifecycle.md
When to use assigns vs streams, AsyncResult | references/assigns-streams.md
Function vs LiveComponent, slots, attrs | references/components.md
Authorization per event, phx-value trust | references/security.md

Review Checklist

Critical Issues

  • No socket copying into async functions (extract values first)
  • Every handle_event validates authorization
  • No sensitive data in assigns (visible in DOM)
  • phx-value data is validated (user-modifiable)

Lifecycle

  • Subscriptions wrapped in connected?(socket)
  • handle_params used for URL-based state
  • handle_async handles :loading and :error states

Data Management

  • Streams used for large collections (100+ items)
  • temporary_assigns for data not needed after render
  • AsyncResult patterns for loading states

Components

  • Function components preferred over LiveComponents
  • LiveComponents preserve :inner_block in update/2
  • Slots use proper attr declarations
  • phx-debounce on text inputs

Valid Patterns (Do NOT Flag)

  • Empty mount returning {:ok, socket} - Valid for simple LiveViews
  • Using assigns for small lists - Streams only needed for 100+ items
  • LiveComponent without update/2 - Default update/2 assigns all
  • phx-click without phx-value - Event may not need data
  • Inline function in heex - Valid for simple transforms

Context-Sensitive Rules

Issue | Flag ONLY IF
Missing debounce | Input is text/textarea AND triggers server event
Use streams | Collection has 100+ items OR is paginated
Missing auth check | Event modifies data AND no auth in mount

Critical Anti-Patterns

Socket Copying (MOST IMPORTANT)

# BAD - socket copied into async function
def handle_event("load", _, socket) do
  Task.async(fn ->
    user = socket.assigns.user  # Socket copied!
    fetch_data(user.id)
  end)
  {:noreply, socket}
end

# GOOD - extract values first
def handle_event("load", _, socket) do
  user_id = socket.assigns.user.id
  Task.async(fn ->
    fetch_data(user_id)  # Only primitive copied
  end)
  {:noreply, socket}
end
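
The same rule applied with `start_async/3`, together with the checklist items on `connected?(socket)`, `handle_async` and AsyncResult. This is an added example, not code from the skill; `MyAppWeb`, `MyApp.PubSub` and `MyApp.Reports` are hypothetical names, and `:current_user` is assumed to be assigned by an `on_mount` authentication hook.

```elixir
defmodule MyAppWeb.ReportLive do
  # Added example; MyAppWeb, MyApp.PubSub and MyApp.Reports are hypothetical names,
  # and :current_user is assumed to be assigned by an on_mount authentication hook.
  use MyAppWeb, :live_view

  alias Phoenix.LiveView.AsyncResult

  def mount(_params, _session, socket) do
    socket = assign(socket, :report, AsyncResult.loading())

    if connected?(socket) do
      # Subscribe and start work only on the WebSocket mount, not the static render.
      Phoenix.PubSub.subscribe(MyApp.PubSub, "reports:#{socket.assigns.current_user.id}")
      {:ok, load_report(socket)}
    else
      {:ok, socket}
    end
  end

  # Assumed broadcast payload: the bare atom :report_updated.
  def handle_info(:report_updated, socket), do: {:noreply, load_report(socket)}

  def handle_async(:load_report, {:ok, report}, socket) do
    {:noreply, assign(socket, :report, AsyncResult.ok(socket.assigns.report, report))}
  end

  def handle_async(:load_report, {:exit, reason}, socket) do
    # Task crashed or was cancelled: record a failed state instead of loading forever.
    {:noreply, assign(socket, :report, AsyncResult.failed(socket.assigns.report, {:exit, reason}))}
  end

  defp load_report(socket) do
    # Extract the id first so the closure captures an integer, not the socket.
    user_id = socket.assigns.current_user.id
    start_async(socket, :load_report, fn -> MyApp.Reports.fetch_for_user(user_id) end)
  end

  def render(assigns) do
    ~H"""
    <.async_result :let={report} assign={@report}>
      <:loading>Loading report...</:loading>
      <:failed :let={_reason}>Could not load the report.</:failed>
      <p><%= report.title %></p>
    </.async_result>
    """
  end
end
```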

Missing Authorization

# BAD - trusts phx-value without auth
def handle_event("delete", %{"id" => id}, socket) do
  Posts.delete_post!(id)  # Anyone can delete any post!
  {:noreply, socket}
end

# GOOD - verify authorization
def handle_event("delete", %{"id" => id}, socket) do
  post = Posts.get_post!(id)

  if post.user_id == socket.assigns.current_user.id do
    Posts.delete_post!(post)
    {:noreply, stream_delete(socket, :posts, post)}
  else
    {:noreply, put_flash(socket, :error, "Unauthorized")}
  end
end
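
The checklist item "phx-value data is validated (user-modifiable)" has no code of its own on this page, so the following added example (not part of the skill) combines it with the ownership check. `MyAppWeb`, `Posts.list_user_posts/1` and `Posts.get_user_post/2` are hypothetical; `get_user_post/2` is assumed to query by id and owner together and return `nil` otherwise.

```elixir
defmodule MyAppWeb.PostLive.Index do
  # Added example; MyAppWeb, Posts.list_user_posts/1 and Posts.get_user_post/2 are
  # hypothetical. get_user_post/2 is assumed to query by id AND owner, e.g.
  # Repo.get_by(Post, id: id, user_id: user.id), and to return nil otherwise.
  use MyAppWeb, :live_view
  alias MyApp.Posts

  def mount(_params, _session, socket) do
    {:ok, stream(socket, :posts, Posts.list_user_posts(socket.assigns.current_user))}
  end

  # phx-value-id arrives as a client-controlled value; the guard rejects non-strings
  # before Integer.parse/1 can raise on them.
  def handle_event("delete", %{"id" => raw_id}, socket) when is_binary(raw_id) do
    with {id, ""} <- Integer.parse(raw_id),
         %{} = post <- Posts.get_user_post(socket.assigns.current_user, id) do
      Posts.delete_post!(post)
      {:noreply, stream_delete(socket, :posts, post)}
    else
      # Malformed id, unknown id and another user's post all get the same reply.
      _ -> {:noreply, put_flash(socket, :error, "Post not found")}
    end
  end

  # Missing or non-string "id": ignore rather than crash the LiveView process.
  def handle_event("delete", _params, socket), do: {:noreply, socket}

  def render(assigns) do
    ~H"""
    <ul id="posts" phx-update="stream">
      <li :for={{dom_id, post} <- @streams.posts} id={dom_id}>
        <%= post.title %>
        <button phx-click="delete" phx-value-id={post.id}>Delete</button>
      </li>
    </ul>
    """
  end
end
```

Scoping the lookup to the owner means a reviewer can confirm authorization by reading the query, and the single error branch avoids telling the client which ids exist.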

Hard gates (sequence)

Advance only when each pass condition is objectively true (prevents reporting without evidence):

Gate | Pass condition
G1 — Files in evidence | You have an explicit list of paths under review (e.g. *.ex, *.heex, or the paths the user named). Every finding names a file from that list.
G2 — Verification protocol | You loaded review-verification-protocol and applied its Pre-Report Verification (and issue-type sections where relevant) before treating something as a finding.
G3 — Line anchors | Each finding uses [FILE:LINE] where that line exists in the current file (confirmed by read/grep output, not inferred).
G4 — Valid-pattern screen | You checked the finding against Valid Patterns (Do NOT Flag) and Context-Sensitive Rules; if it matches a “do not flag” case or fails a “Flag ONLY IF,” you do not report it.

Issue format

Use [FILE:LINE] ISSUE_TITLE for each finding.

Usage Guidance
This instruction-only skill appears to be a legitimate LiveView review checklist and carries low technical risk (no installs or secrets). However: (1) the SKILL.md requires loading a separate 'review-verification-protocol' file that is not included — ask the publisher where that document lives or whether it will be provided at runtime; (2) the hard gating (file lists and [FILE:LINE] anchors) means the skill expects explicit repository/file access — ensure you only invoke it on the files you intend to review; (3) because the skill runs as an agent instruction, confirm who/what will provide the files (you or the agent) and that the agent won't be granted access to unrelated repositories or workspace files. If the missing verification doc is supplied and you provide a limited set of files to review, the skill is coherent; if not, treat the gating and missing reference as a red flag and request the missing artifact or a clarifying update from the owner before installing.
Capability Assessment
Purpose & Capability
Name/description (LiveView code review) aligns with the provided checklist and reference docs. No binaries, env vars, or installs are requested — appropriate for an instruction-only review skill.
Instruction Scope
SKILL.md expects the agent to operate on explicit file lists and to follow four hard gates. Gate G2 requires loading ../review-verification-protocol/SKILL.md (Pre-Report Verification) before reporting, but that file is not present in the skill manifest. The gates also mandate reading files and using exact [FILE:LINE] anchors — reasonable for code review but these requirements may be unsatisfiable or cause the agent to look elsewhere for missing docs.
Install Mechanism
No install spec and no code files beyond reference docs. Instruction-only format has low installation risk (nothing written to disk by the skill itself).
Credentials
No environment variables, credentials, or config paths are requested and the instructions do not reference any secret/environment variables. Proportional to the stated purpose.
Persistence & Privilege
always:false and normal agent invocation settings. The skill does not request persistent system presence or modify other skills' configs. Note: autonomous invocation is platform-default but not combined here with broad privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install liveview-code-review
  3. After installation, invoke the skill by name or use /liveview-code-review
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.1
  • Added a "Hard gates (sequence)" section defining strict preconditions for reporting findings.
  • Specified objective "pass conditions" for each gate, such as file evidence, protocol verification, line anchors, and valid pattern screening.
  • Moved the issue format into a dedicated section at the end for clarity.
v1.2.0
  • Revamped SKILL.md with clear quick references for lifecycle, assigns/streams, components, and security review.
  • Added concise review checklist covering critical issues, lifecycle, data management, and component best practices.
  • Provided explicit examples of valid patterns (to avoid false positives).
  • Updated context-sensitive rules and anti-patterns (emphasizing socket copying and authorization checks).
  • Introduced a standardized format for submitting findings and referenced the review verification protocol.
Metadata
Slug liveview-code-review
Version 1.2.1
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 2
Frequently Asked Questions

What is Liveview Code Review?

Reviews Phoenix LiveView code for lifecycle patterns, assigns/streams usage, components, and security. Use when reviewing LiveView modules, .heex templates,... It is an AI Agent Skill for Claude Code / OpenClaw, with 175 downloads so far.

How do I install Liveview Code Review?

Run "/install liveview-code-review" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Liveview Code Review free?

Yes, Liveview Code Review is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Liveview Code Review support?

Liveview Code Review is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Liveview Code Review?

It is built and maintained by Kevin Anderson (@anderskev); the current version is v1.2.1.
