
Sonarqube Analyzer

by Felipe Oliveira · GitHub ↗ · v0.1.2
Platform: cross-platform · Security scan: Clean
Downloads: 1439 · Stars: 1 · Active Installs: 1 · Versions: 3
Install in OpenClaw
/install sonarqube-analyzer
Description
Analyzes self-hosted SonarQube projects, retrieves filtered issues, checks the Quality Gate and suggests automated fixes, with an optional auto-fix mode.
Usage Guidance
This skill appears to implement what it claims: a SonarQube analyzer that fetches issues and suggests fixes. Before installing or providing credentials, do the following:
  1. Verify the skill's source (the README points to a GitHub repo; confirm you trust that repository and author).
  2. Do not hand a high-privilege token to the skill without review; use a Sonar token with the least privilege needed and avoid using 'admin'.
  3. Be aware that SKILL.md/README contain small inconsistencies (missing scripts referenced, a GitHub Actions flag not implemented, and a pkill command to reload OpenClaw). Prefer running it in an isolated/CI environment first to validate behavior.
  4. Inspect or run the included code locally (it uses only the SonarQube API) and confirm it points to the intended SONAR_HOST_URL.
  5. If you plan to let the agent invoke the skill autonomously, restrict the Sonar token's scope and monitor access logs.
If you want, I can highlight the exact lines where environment defaults and the pkill instruction appear, or check the remote GitHub repo referenced in the manifest for provenance.
Capability Analysis
Package: SonarQube Analyzer (mcp)
Version: 1.0.0
Description: Analyze SonarQube issues and suggest intelligent solutions for code quality improvement

The SonarQube Analyzer package provides a CLI tool and OpenClaw plugin for interacting with a SonarQube server. It fetches code quality issues, analyzes them based on predefined rules, suggests solutions (categorizing them as auto-fixable or manual), and generates reports in JSON, Markdown, or CLI summary formats. It also supports checking Quality Gate status.

The package uses environment variables (`SONAR_HOST_URL`, `SONAR_TOKEN`) for configuration, which is a standard practice for sensitive credentials. The code logic is straightforward, primarily involving HTTP requests to a user-configured SonarQube instance, data processing, and string generation for reports. There are no external runtime dependencies beyond Node.js built-in modules (like `fetch` in Node.js 18+).

The only minor observation is the default `SONAR_TOKEN` value of 'admin' in `src/api.js` if the environment variable is not set. This is a weak default, but it is a configuration concern rather than a code vulnerability, and it is mitigated by the expectation that users will provide a proper token for production use. The package's functionality aligns entirely with its stated purpose, and no malicious or suspicious code patterns were identified.
Capability Assessment
Purpose & Capability
The package implements a SonarQube API client, rule database, analyzer, and reporters that align with a SonarQube Analyzer skill. Required network access (SONAR_HOST_URL) and authentication (SONAR_TOKEN) are appropriate for the stated purpose. There is consistency between openclaw.plugin.json, package.json, and the source code regarding the tool names and capabilities.
Instruction Scope
SKILL.md instructs the agent to use SONAR_HOST_URL and SONAR_TOKEN and to run the included CLI. Most instructions are scoped to SonarQube. Notable issues: SKILL.md references scripts/report.js and scripts/quality-gate.js which are not present in the file manifest (the implementation exposes reporting and quality-gate behavior via src/reporter.js and scripts/analyze.js). The README suggests reloading OpenClaw with a pkill command (pkill -USR1 -f "openclaw gateway") — this is a system-level command that affects processes and should be run with care. A GitHub Actions example uses a --suggest-fixes flag not present in the CLI implementation. These are documentation mismatches rather than malicious behavior, but they could cause surprising outcomes if followed blindly.
Install Mechanism
There is no remote download/install specification in the registry; sources are bundled in the skill. The README suggests installing via npm (npm install -g @felipeoff/sonarqube-analyzer) or cloning the repo — both are standard. package.json declares no runtime dependencies and devDependencies are test/lint tools. No suspicious external URLs, shorteners, or archive extraction steps were observed in the package contents.
Credentials
The skill uses SONAR_HOST_URL and SONAR_TOKEN (documented in SKILL.md and present in the openclaw.plugin.json config). Those credentials are proportionate to SonarQube access. One inconsistency: the registry's top-level 'requirements' lists no required env vars, but the skill actually expects a Sonar host and token. The code defaults SONAR_TOKEN to 'admin' and omits the Authorization header entirely when the token equals that default, so a missing token silently turns into unauthenticated requests against the configured host; this is an odd default, and using a real token is recommended. Do not supply unrelated credentials; the skill does not request any other secrets.
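To make the credential finding concrete, here is the weak-default pattern the assessment describes (token falling back to 'admin', Authorization header dropped) next to a fail-closed loader that refuses to start without a real host and token. This is an added Node.js example, not code from the skill or its author: the function names, the ConfigError class, the placeholder-token list and the sample environment values are all assumptions; SONAR_HOST_URL and SONAR_TOKEN are the variables the skill documents. The strict loader also goes slightly beyond the page's point by insisting on https for non-loopback hosts.

```javascript
// Added example, not the skill's own code. loadSonarConfig, weakLoadSonarConfig,
// basicAuthHeader, describeConfig, ConfigError and every sample value below are
// assumptions; SONAR_HOST_URL and SONAR_TOKEN are the variables the skill documents.

// SonarQube user tokens are sent as the HTTP Basic username with an empty
// password, i.e. "Basic base64(token + ':')".
function basicAuthHeader(token) {
  return 'Basic ' + Buffer.from(`${token}:`).toString('base64');
}

// Weak pattern: a placeholder default for the token, and the Authorization
// header silently dropped when that placeholder is in use. An unset token
// therefore becomes anonymous requests against whatever host is configured.
function weakLoadSonarConfig(env) {
  const token = env.SONAR_TOKEN || 'admin';
  const headers = token === 'admin' ? {} : { Authorization: basicAuthHeader(token) };
  return { hostUrl: env.SONAR_HOST_URL, headers };
}

class ConfigError extends Error {
  constructor(message) {
    super(message);
    this.name = 'ConfigError';
  }
}

// Fail-closed alternative: refuse to run rather than guess. Loopback hosts may
// use plain http (a local dev server); anything else must be https.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);
const PLACEHOLDER_TOKENS = new Set(['admin', 'changeme', 'token']);

function loadSonarConfig(env) {
  if (!env.SONAR_HOST_URL) throw new ConfigError('SONAR_HOST_URL is not set');
  let url;
  try {
    url = new URL(env.SONAR_HOST_URL);
  } catch {
    throw new ConfigError('SONAR_HOST_URL is not a valid URL');
  }
  if (url.protocol !== 'https:' && !LOOPBACK_HOSTS.has(url.hostname)) {
    throw new ConfigError('SONAR_HOST_URL must use https unless it points at loopback');
  }
  const token = (env.SONAR_TOKEN || '').trim();
  if (token === '') throw new ConfigError('SONAR_TOKEN is not set');
  if (PLACEHOLDER_TOKENS.has(token.toLowerCase())) {
    throw new ConfigError('SONAR_TOKEN is a placeholder, not a token');
  }
  return {
    hostUrl: url.origin,
    headers: { Authorization: basicAuthHeader(token), Accept: 'application/json' },
  };
}

// Log-safe summary of a loaded config: states whether auth is present, never the token.
function describeConfig(config) {
  return `${config.hostUrl} (auth: ${config.headers.Authorization ? 'token' : 'none'})`;
}

// Constructed sample environments (not a real host or token).
const SAMPLE_ENV_OK = {
  SONAR_HOST_URL: 'https://sonar.example.test/',
  SONAR_TOKEN: 'squ_constructedsampletoken',
};
const SAMPLE_ENV_EMPTY = {};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak loader, empty env:', JSON.stringify(weakLoadSonarConfig(SAMPLE_ENV_EMPTY)));
  try {
    loadSonarConfig(SAMPLE_ENV_EMPTY);
  } catch (err) {
    console.log('strict loader, empty env:', err.message);
  }
  console.log('strict loader, sample env:', describeConfig(loadSonarConfig(SAMPLE_ENV_OK)));
}
```

The point of the contrast is observable from the two outputs: the weak loader returns a usable-looking config with no Authorization header and an undefined host, while the strict loader throws a ConfigError before any request can be made. Reviewing a skill's config loading for this fail-open shape is a quick check to run before handing it a token.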
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request elevated platform privileges. It does not modify other skills' configuration. The only potentially impactful instruction is the suggested pkill to reload OpenClaw, which affects a running process but is a user-level operation and not inherent to the skill's code.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install sonarqube-analyzer
  3. After installation, invoke the skill by name or use /sonarqube-analyzer
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.2
- Usage commands updated to use `my-project` instead of `openclaw-panel`, making the example more generic.
- GitHub Actions integration example updated: it now includes installation via npm (`npm install -g @felipeoff/sonarqube-analyzer`) and invocation through the global `sonarqube-analyzer` command.
- The rest of the documentation is unchanged; no changes to tools, parameters or response examples.
v0.1.1
- Documentation-only update (README.md).
- No changes to functionality or source code.
- Documentation revised to reflect the skill's current behavior and parameters.
v0.1.0
Initial release of SonarQube Analyzer Skill.
- Provides tools to fetch, analyze, and suggest solutions for issues in self-hosted SonarQube projects.
- Implements three main actions: issue retrieval (`sonar_get_issues`), automated suggestion generation (`sonar_analyze_and_suggest`), and quality gate verification (`sonar_quality_gate`).
- Supports filtering by severity and status, PR analysis, and optional auto-fix suggestions.
- Includes configuration details for SonarQube integration and examples for Node.js CLI usage.
- Outlines expected response structures and documents which SonarQube rules are eligible for automated fixes.
Metadata
Slug: sonarqube-analyzer
Version: 0.1.2
License: (not stated)
All-time Installs: 1
Active Installs: 1
Total Versions: 3
Frequently Asked Questions

What is Sonarqube Analyzer?

It analyzes self-hosted SonarQube projects, retrieves filtered issues, checks the Quality Gate and suggests automated fixes, with an optional auto-fix mode. It is an AI Agent Skill for Claude Code / OpenClaw, with 1439 downloads so far.

How do I install Sonarqube Analyzer?

Run "/install sonarqube-analyzer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Sonarqube Analyzer free?

Yes, Sonarqube Analyzer is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Sonarqube Analyzer support?

Sonarqube Analyzer is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Sonarqube Analyzer?

It is built and maintained by Felipe Oliveira (@felipeoff); the current version is v0.1.2.
