← Back to Skills Marketplace
611
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install sovereign-code-review-helper
Description
Generates file-type-specific code review checklists covering security, performance, style, and testing best practices for pull requests.
Usage Guidance
This skill appears to do what it claims (scan git diffs and emit review checklists), but a substantial executable script is bundled and the registry/source provenance is unclear. Before installing or running: (1) Inspect the full scripts/review.sh file for any network calls (curl, wget, nc, openssl to unknown hosts), hardcoded endpoints, or obfuscated/encoded payloads; (2) Confirm the homepage/repository links in skill.json point to a legitimate project and check the repository history; (3) Run it first in a disposable environment or container and without network access if you want to limit risk; (4) If you plan to use the --pr option, be aware it may fetch remote refs and perform network operations — verify what it fetches; (5) If you are not comfortable reviewing the full script, treat this skill as untrusted and avoid running it on sensitive repositories. Additional information that would raise confidence: an authoritative repository/maintainer, signed releases, or a short human-readable changelog explaining the script's behavior.
Capability Analysis
Type: OpenClaw Skill
Name: sovereign-code-review-helper
Version: 1.0.0
The skill is classified as suspicious due to a critical shell injection vulnerability in `scripts/review.sh`. The `--files` argument, which accepts a glob pattern, is directly used in `grep -E "$FILE_PATTERN"` without proper sanitization. This allows an attacker to inject arbitrary shell commands by crafting a malicious `FILE_PATTERN` value, leading to potential Remote Code Execution (RCE).
Capability Assessment
Purpose & Capability
Name/description (code review checklists) align with the provided components: SKILL.md describes git/diff-based analysis and the package includes a review.sh entrypoint. Required tools (git, bash, standard Unix utilities) are appropriate for the stated purpose. Minor metadata inconsistency: registry summary showed no homepage/source, but skill.json contains homepage and repository URLs — that mismatch is worth checking.
Instruction Scope
SKILL.md and review.sh focus on scanning git diffs, generating templates and searching for patterns (security/performance/style). That scope is appropriate. The documentation and options also mention fetching PR diffs from remote (--pr), which implies network/git remote operations; this is reasonable but you should confirm the script doesn't transmit findings to remote third-party endpoints.
Install Mechanism
No install spec (instruction-only skill) and steps are limited to copying files into ~/.openclaw/skills and making the script executable. This is standard and low risk compared to remote downloads or package installs.
Credentials
No required environment variables or credentials are declared. SKILL.md documents optional CRH_* env vars for configuration, which are reasonable and local-only. There are no unexplained secret/token requirements.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform privileges. Installation writes to the user's ~/.openclaw/skills directory (normal for a skill). Because the package contains an executable script, consider that it will run arbitrary commands when invoked; this is expected functionally but increases the need for inspection before use.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install sovereign-code-review-helper - After installation, invoke the skill by name or use
/sovereign-code-review-helper - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Frequently Asked Questions
What is Sovereign code-review-helper?
Generates file-type-specific code review checklists covering security, performance, style, and testing best practices for pull requests. It is an AI Agent Skill for Claude Code / OpenClaw, with 611 downloads so far.
How do I install Sovereign code-review-helper?
Run "/install sovereign-code-review-helper" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Sovereign code-review-helper free?
Yes, Sovereign code-review-helper is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Sovereign code-review-helper support?
Sovereign code-review-helper is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Sovereign code-review-helper?
It is built and maintained by ryudi84 (@ryudi84); the current version is v1.0.0.
More Skills