
Br Risk Analyzer

by ZhiJialin · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
94 downloads · 0 stars · 0 active installs · 1 version
Install in OpenClaw
/install br-risk-analyzer
Description
Analyzes risk against requirement documents and analyzes code vulnerabilities. Analyzes code changes between commits against requirement documents to identify and prioritize risk points.
README (SKILL.md)

BR Risk Analyzer Skill

Overview

This skill analyzes code changes between commits against requirement documents to identify and prioritize risk points following the established code review protocol.

Workflow Implementation

Step 1: Input Digestion

  • Extract from requirements: functional goals, non-functional requirements (performance/security), boundary conditions, prohibited behaviors, dependent systems
  • Identify key terms as search keywords: entities, state machines, configuration items, message topics, external interfaces

Step 2: Code Scope Definition

  • Use semantic search/grep/glob to locate: entry points (Controllers/timers/consumers), core Services, persistence layers, message handling, configuration reading
  • Map data flow (who writes/reads: DB/Redis/MQ/files) and control flow (sync/async/retry patterns)

Step 3: Requirement-Driven Code Review

For each requirement aspect, verify against code:

| Verification Dimension | Key Questions |
|------------------------|---------------|
| Correctness | Branch coverage, safe defaults, enum/state consistency |
| Boundaries | Null handling, large datasets, timeouts, duplicate submissions, idempotency |
| Concurrency | Locking, transaction boundaries, visibility, race conditions |
| Failure Paths | Exception swallowing, rollback capability, retry logic, partial failure handling |
| Configuration & Switches | Behavior when config is missing, dangerous switch combinations |
| Security | Authorization, privilege escalation, injection vulnerabilities, sensitive data logging |
| Dependencies | External call failures, degradation strategies, circuit breaking, timeouts |
| Compatibility | Legacy data handling, old API support, grayscale deployment and rollback |

Step 4: Risk Classification & Output

Follow strict priority grading:

P0 (Must Fix):

  • Financial/data errors, security vulnerabilities, widespread outages, irreversible data corruption

P1 (Fix This Iteration):

  • Functionality errors under specific conditions, severe performance degradation, monitoring blind spots amplifying failures

P2/P3 (Optional):

  • Maintainability issues, edge case UX problems, low-probability exceptions, style/comment improvements

Step 5: Knowledge Persistence

  • Store analysis results and project understanding in resources/project-understanding.md
  • Update accumulated knowledge for future risk assessments
  • Maintain historical context of requirement interpretations and codebase evolution

Usage Protocol

Input Requirements

Provide in single message:

  1. Requirement/Design Document Summary (or PRD highlights, change notes, interface contracts)
  2. Scope (repository paths, modules, branches, related issue/ticket numbers)
  3. Expected Output (risk list only / risks + test cases / with priority and fix recommendations)

Execution Guarantees

  • Requirement-first approach: Use requirements to drive code examination, not random file scanning
  • Evidence-based: Each risk includes file path + class/method + behavior description; mark speculation as "needs confirmation"
  • Layered risk analysis: Interface contracts, concurrency/consistency, exception handling, configuration/data, security/compliance, performance/resources, observability, compatibility/rollback
  • Requirement alignment: Explicitly categorize as "covered by requirements" / "not mentioned in requirements but potential issue" / "outside current scope"

Output Template

Results follow this mandatory structure:

## Review Summary
- Requirement highlights: (1-3 sentences)
- Code scope: (module/path list)
- Overview: P0 x items / P1 x items / P2 x items / P3 x items

## Risk Inventory

### P0 (Must Address)
| ID | Risk Description | Location (file:class/method) | Trigger Conditions/Impact | Recommendation (optional) |
|----|------------------|------------------------------|---------------------------|---------------------------|
| R1 | ... | ... | ... | ... |

### P1 (Recommend Fix This Iteration)
| ID | Risk Description | Location | Trigger Conditions/Impact | Recommendation |
|----|------------------|----------|---------------------------|----------------|
| ... | ... | ... | ... | ... |

### P2 / P3 (Discretionary)
- ...

## Requirement Coverage Assessment
- Covered: ...
- Not explicitly covered in requirements but present in code: ...
- Out of scope for this review: ...

## Testing Recommendations (Optional)
| Risk ID | Test Type | Scenario | Expected |
|---------|-----------|----------|----------|
| R1 | Integration | ... | ... |

The results are saved in {requirements name}-risk-analyzer.md
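
The output filename above is built from a user-supplied requirements name, and the marketplace capability analysis below flags it as a potential path traversal. The following added example (not part of the skill) shows one way to confine that write: it reduces the name to a single safe path component and refuses any resolved path outside the chosen output directory; `safe_report_name`, `confined_report_path` and `is_rejected` are hypothetical helper names.

```python
import re
from pathlib import Path

# Hypothetical helper, not part of the skill: build the report filename from
# the requirements name so the write is confined to one output directory.
SUFFIX = "-risk-analyzer.md"
MAX_STEM = 80

def safe_report_name(requirements_name: str) -> str:
    """Reduce an arbitrary requirements name to one safe path component."""
    # Take only the last path component, so "../.." and drive prefixes vanish.
    stem = Path(requirements_name.replace("\\", "/")).name
    # Replace anything outside a conservative character set, then trim dots and
    # dashes so results like "." or ".." cannot survive.
    stem = re.sub(r"[^A-Za-z0-9._-]+", "-", stem).strip(".-")
    if not stem:
        raise ValueError("requirements name yields no usable filename")
    return stem[:MAX_STEM] + SUFFIX

def confined_report_path(output_dir: str, requirements_name: str) -> Path:
    """Resolve the report path and refuse anything outside output_dir."""
    base = Path(output_dir).resolve()
    target = (base / safe_report_name(requirements_name)).resolve()
    if target.parent != base:
        raise ValueError(f"refusing to write outside {base}: {target}")
    return target

def is_rejected(requirements_name: str) -> bool:
    """True when the name cannot be turned into a safe filename."""
    try:
        safe_report_name(requirements_name)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    # Constructed sample names, including traversal and Windows-style input.
    for name in ("order refund PRD v2", "../../etc/passwd", "C:\\docs\\..\\secret", ".."):
        print(repr(name), "->", "rejected" if is_rejected(name) else safe_report_name(name))
```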

Quick Checklist Integration

During review, systematically verify:

  • Do all entry points have proper authorization and parameter validation (where required)?
  • Does the order of database writes and message sends prevent inconsistency? Are transactions or compensation needed?
  • Can async thread pool or MQ consumption failures cause data loss or duplication?
  • Is behavior defined when config is empty, parsing fails, or a dependent service times out?
  • Do logs contain sensitive data (keys, IDs, full request bodies)?
  • Could large files or batches cause OOM or thread pool exhaustion?
  • Do state machine transitions handle illegal states properly?
  • Do core branches have unit/contract tests?

Testing Guidance

  • P0/P1 risks: Provide specific test scenarios with preconditions, key steps, expected results
  • Test classification: Indicate suitability for unit tests / integration tests / manual regression
  • Testing complements but doesn't replace code review: Test suggestions validate high-risk findings, not substitute logical analysis
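
The protocol requires that every P0/P1 risk carries a file path plus class/method (or is marked "needs confirmation") and that the Overview counts in the Review Summary match the Risk Inventory. This added example (not code from the skill) checks a report written in the mandatory template for both rules; the sample report and the helper names `parse_risks`, `overview_counts` and `check_report` are constructed for illustration.

```python
import re
# Hypothetical checker, not part of the skill: validate a report in the mandatory
# output structure. The sample is constructed; ids, paths and class names are made up.
SAMPLE_REPORT = """\
## Review Summary
- Overview: P0 1 items / P1 1 items / P2 0 items / P3 0 items
### P0 (Must Address)
| ID | Risk Description | Location (file:class/method) | Trigger Conditions/Impact | Recommendation (optional) |
|----|------------------|------------------------------|---------------------------|---------------------------|
| R1 | Duplicate refund on retry | svc/RefundService.java:RefundService/apply | MQ redelivery pays twice | idempotency key |
### P1 (Recommend Fix This Iteration)
| ID | Risk Description | Location | Trigger Conditions/Impact | Recommendation |
|----|------------------|----------|---------------------------|----------------|
| R2 | Exception swallowed | svc/RefundService.java:RefundService/rollback | partial failure hidden | rethrow |
| R3 | Token in logs | somewhere in logging | full request body logged | redact |
"""

LOCATION_RE = re.compile(r"^[\w./\\-]+:\w+/\w+$")  # file:Class/method

def parse_risks(report: str) -> dict:
    """Map each priority heading to its (id, location) rows from the tables."""
    risks, current = {}, None
    for line in report.splitlines():
        head = re.match(r"^### (P\d)", line)
        if head:
            current = head.group(1)
            risks.setdefault(current, [])
        elif current and line.startswith("|") and not line.startswith("|--"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if cells[0] not in ("ID", "...") and len(cells) >= 3:
                risks[current].append((cells[0], cells[2]))
    return risks

def overview_counts(report: str) -> dict:
    """Read 'P0 x items / P1 x items ...' from the Review Summary."""
    m = re.search(r"Overview:(.*)", report)
    return {p: int(n) for p, n in re.findall(r"(P\d)\s+(\d+)\s+items", m.group(1))} if m else {}

def check_report(report: str) -> list:
    """Return violations: count mismatches and P0/P1 rows without evidence locations."""
    risks, problems = parse_risks(report), []
    for prio, n in overview_counts(report).items():
        found = len(risks.get(prio, []))
        if found != n:
            problems.append(f"{prio}: overview says {n}, inventory has {found}")
    for prio in ("P0", "P1"):
        for rid, loc in risks.get(prio, []):
            if not LOCATION_RE.match(loc) and "needs confirmation" not in loc:
                problems.append(f"{rid}: location '{loc}' is not file:Class/method")
    return problems
```

Running `check_report(SAMPLE_REPORT)` reports the P1 count mismatch and the R3 row whose location is neither a code reference nor marked as speculation.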

Usage Guidance

This skill is coherent for requirement-driven code review, but review the following before enabling it:

  1. Limit the code scope you provide: run it against a clone or a restricted-to-review branch so it cannot access unrelated files.
  2. Be aware it will write analysis to resources/project-understanding.md; make sure that file location is acceptable (or change it to a sandbox).
  3. Do not grant the agent elevated system or external network permissions you wouldn't grant a human reviewer.
  4. If you want to avoid any write operations, run the skill in a read-only environment or require manual approval before saving outputs.

Overall this skill appears to do what it claims and does not request disproportionate access.

Capability Analysis
Type: OpenClaw Skill
Name: br-risk-analyzer
Version: 1.0.0

The skill is designed to perform automated code reviews and risk analysis, which requires high-risk capabilities such as searching, reading, and writing to the local filesystem as defined in SKILL.md. While its behavior is aligned with the stated purpose, it exhibits several vulnerabilities: it contains hardcoded absolute Windows file paths (e.g., 'D:\code\dts\dts\codeReview.md' in README.md) and a potential path traversal vulnerability in the dynamic output filename '{requirements name}-risk-analyzer.md' specified in SKILL.md. No evidence of intentional malice, data exfiltration, or unauthorized network activity was found.

Capability Assessment
Purpose & Capability
Name/description (requirement-driven risk analysis) aligns with the instructions: locate code by semantic search, compare to requirements, classify risks, and persist findings. Nothing requested (no env vars, no installs) is out of scope for a code-review skill.
Instruction Scope
SKILL.md explicitly instructs the agent to read repository files, perform semantic search/grep, map data/control flow, and produce evidence-linked findings. This is appropriate for the stated purpose, but the instructions do not explicitly constrain scope beyond the user-provided 'Scope' inputs (e.g., the agent could read any file in the repo). The skill also instructs writing analysis to resources/project-understanding.md in the repository.
Install Mechanism
Instruction-only skill with no install spec and no code files to execute; lowest install risk. package.json and docs are present but there is no installer or downloadable artifact.
Credentials
No environment variables, credentials, or config paths are requested. The declared needs (repository access and requirement documents) are proportionate to the stated task.
Persistence & Privilege
The skill persists analysis to resources/project-understanding.md (documented). It does not force permanent inclusion (always: false). Because it writes into the project, users should be aware it can modify repository files when invoked.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install br-risk-analyzer
  3. After installation, invoke the skill by name or use /br-risk-analyzer
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of br-risk-analyzer skill
  • Analyzes code changes between commits against requirement documents to identify and prioritize risks.
  • Provides a structured, requirement-driven code review protocol covering correctness, boundaries, concurrency, failure paths, config, security, dependencies, and compatibility.
  • Delivers risks categorized by priority (P0–P3) with paths, locations, behaviors, and recommendations.
  • Persists analysis results and understanding for future use, maintaining historical project context.
  • Offers a mandatory markdown output template and checklist integration for systematic coverage.
  • Supports test scenario suggestions for identified risks.
Metadata
Slug: br-risk-analyzer
Version: 1.0.0
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 1
Frequently Asked Questions

What is Br Risk Analyzer?

Analyzes risk against requirement documents and analyzes code vulnerabilities. Analyzes code changes between commits against requirement documents to identify and prioritize risk points. It is an AI Agent Skill for Claude Code / OpenClaw, with 94 downloads so far.

How do I install Br Risk Analyzer?

Run "/install br-risk-analyzer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Br Risk Analyzer free?

Yes, Br Risk Analyzer is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Br Risk Analyzer support?

Br Risk Analyzer is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Br Risk Analyzer?

It is built and maintained by ZhiJialin (@zhijialin); the current version is v1.0.0.
