Code Review Automation

by HiroFumiko · GitHub ↗ · v1.0.2 · MIT-0
cross-platform ⚠ suspicious
256 Downloads · 0 Stars · 1 Active Installs · 1 Versions

Install in OpenClaw: /install code-review-automation
Description
Automated code review for GitHub pull requests using Claude LLM. PR analysis, security scanning, and style checking.
README (SKILL.md)

🔍 Code Review Automation

Automated code review for GitHub pull requests using Claude LLM

Automatically analyze GitHub pull requests, provide intelligent code reviews, security scanning, and style checking using Claude AI.

✨ Features

  • PR Listing - View all pull requests in a repository
  • PR Details - Get comprehensive information about any PR
  • File Changes - See exactly what files changed
  • PR Search - Search PRs by keyword
  • Repository Info - Get general repository statistics
  • Claude Analysis - AI-powered code review using Claude LLM
  • Code Quality Scoring - Automated quality assessment (0-100)
  • Security Scanning - Automated security vulnerability detection
  • Style Checking - Automated style and linting checks
  • Full Review - Complete review with all checks
  • Configurable - Custom rules via .reviewrc

🚀 Quick Start

1. Install Dependencies

uv pip install PyGithub anthropic rich typer python-dotenv

2. Setup GitHub API Token

Get your GitHub Personal Access Token:

  1. Go to GitHub Settings → Developer settings → Personal access tokens
  2. Generate a new token with repo scope
  3. Create .env file:
     GITHUB_TOKEN=your_github_pat_here

3. Review Pull Requests

# List open PRs
code-review list-prs owner/repo

# Show PR details
code-review pr-info owner/repo 123

# Show files changed
code-review pr-files owner/repo 123

# Analyze PR with Claude AI
code-review review-pr owner/repo 123

📋 Commands

list-prs

List pull requests from a repository.

code-review list-prs owner/repo

Options:

  • --state: PR state (open, closed, all) - default: open
  • --limit: Maximum PRs to show - default: 10

pr-info

Show detailed information about a specific PR.

code-review pr-info owner/repo 123

Shows:

  • Title and description
  • Author and timestamps
  • File change statistics
  • Labels and merge status

pr-files

Show files changed in a PR.

code-review pr-files owner/repo 123

Shows:

  • Changed files
  • Status (added, modified, deleted)
  • Additions and deletions per file

search-prs

Search pull requests by keyword.

code-review search-prs owner/repo --query "bug"

Options:

  • --query: Search keyword (required)
  • --state: PR state (open, closed, all) - default: open
  • --limit: Maximum PRs to show - default: 10

repo-info

Show general repository information.

code-review repo-info owner/repo

Shows:

  • Repository name and description
  • Programming language
  • Stars and forks count
  • Open issues and PRs
  • Creation and update dates

review-pr

Analyze a pull request using Claude AI.

code-review review-pr owner/repo 123

Shows:

  • AI-powered code review
  • Code quality score (0-100)
  • Security considerations
  • Best practices
  • Specific recommendations

Requires:

  • GITHUB_TOKEN in .env
  • ANTHROPIC_API_KEY in .env

security-scan

Scan a pull request for security vulnerabilities.

code-review security-scan owner/repo 123

Detects:

  • Exposed secrets (API keys, tokens, passwords)
  • SQL injection vulnerabilities
  • Command injection vulnerabilities
  • Hardcoded credentials
  • Weak cryptography (MD5, SHA1, RC4, DES)
  • Unsafe deserialization (pickle)

Options:

  • --config: Configuration file path

style-check

Check a pull request for style and linting issues.

code-review style-check owner/repo 123

Checks:

  • Line length violations
  • Naming convention violations
  • Import order
  • Blank lines
  • Whitespace issues
  • Missing docstrings

Options:

  • --config: Configuration file path

full-review

Run full code review (LLM + Security + Style) on a pull request.

code-review full-review owner/repo 123

Combines:

  • LLM analysis (code quality score)
  • Security scanning
  • Style checking

Options:

  • --config: Configuration file path
  • --skip-llm: Skip LLM analysis
  • --skip-security: Skip security scan
  • --skip-style: Skip style check

config-init

Initialize a default configuration file.

code-review config-init --output .reviewrc

Creates a .reviewrc file with customizable settings for:

  • Security scanning rules
  • Style checking rules
  • LLM analysis settings

🔧 Technical Details

GitHub API Integration

  • Uses PyGithub library
  • Authenticates with Personal Access Token
  • Rate limit handled automatically

LLM Integration

  • Claude API for code analysis
  • Intelligent code review comments
  • Context-aware suggestions
  • Code quality scoring

Security Scanning

  • Static analysis for common vulnerabilities
  • Pattern-based detection
  • Severity-based categorization
  • Configurable rules
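
As an added illustration of the pattern-based, severity-categorized scanning that the security-scan command and the Security Scanning details above describe, here is a small regex scanner that runs over a PR diff and flags only the lines the PR adds. This is example code written for this page, not the skill's own security_scanner.py; the rules, file name and sample diff are constructed.

```python
import re
from collections import Counter
# Assumed rules for this example (name, severity, regex), not the skill's own.
RULES = [
    ("hardcoded-credential", "HIGH", re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\s*=\s*['\"][^'\"]{4,}['\"]")),
    ("sql-injection", "HIGH", re.compile(
        r"\.execute\(\s*(f['\"]|['\"][^'\"]*['\"]\s*(%|\+))")),
    ("command-injection", "HIGH", re.compile(r"os\.system\(|shell\s*=\s*True")),
    ("weak-crypto", "MEDIUM", re.compile(r"\b(hashlib\.(md5|sha1)|DES|ARC4|RC4)\b")),
    ("unsafe-deserialization", "MEDIUM", re.compile(r"\bpickle\.loads?\(")),
]

def scan_diff(diff):
    """Return findings for lines a PR adds; removed and context lines are skipped."""
    findings, path, new_line = [], None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):             # new-file header
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):             # hunk header: reset new-file line no.
            m = re.search(r"\+(\d+)", raw)
            new_line = int(m.group(1)) if m else 0
        elif raw.startswith(("diff ", "-")):   # file header or removed line
            pass
        else:
            if raw.startswith("+"):
                for name, severity, pat in RULES:
                    if pat.search(raw[1:]):
                        findings.append({"file": path, "line": new_line,
                                         "rule": name, "severity": severity})
            new_line += 1                      # added and context lines both count
    return findings

def severity_counts(findings):
    """Categorize findings by severity, e.g. {'HIGH': 3, 'MEDIUM': 1}."""
    return dict(Counter(f["severity"] for f in findings))

# Constructed diff: removes an MD5 call (must not be flagged), adds four bad lines.
SAMPLE_DIFF = """\
--- a/app/db.py
+++ b/app/db.py
@@ -1,2 +1,6 @@
 import hashlib
-digest = hashlib.md5(data).hexdigest()
+digest = hashlib.sha256(data).hexdigest()
+API_KEY = "sk-constructed-example-value"
+cur.execute("SELECT * FROM users WHERE name = %s" % name)
+obj = pickle.loads(blob)
+subprocess.run("ls " + user_dir, shell=True)
"""
```

Scanning only added lines matters: a PR that deletes a weak-crypto call should lower the risk score, not raise it.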

Style Checking

  • PEP8 compliance checks
  • Naming convention validation
  • Line length enforcement
  • Import order verification
  • Whitespace checks

Configuration

  • YAML/JSON config files
  • Project-specific settings
  • Customizable thresholds
  • .reviewrc support

📊 Examples

# Run full review
code-review full-review facebook/react 34567

# Security scan only
code-review security-scan owner/repo 123

# Style check only
code-review style-check owner/repo 123

# AI analysis only
code-review review-pr owner/repo 123

# List all closed PRs
code-review list-prs owner/repo --state closed --limit 20

# Initialize config
code-review config-init

🔐 Security

  • GitHub PAT stored in .env file (never committed)
  • No secrets logged or displayed
  • IP whitelist recommended

🚧 Roadmap

v0.2.0 - Claude Integration (Completed)

  • Claude API integration
  • Automated PR analysis
  • Intelligent review comments
  • Code quality scoring

v0.3.0 - Security & Style (Current)

  • Security vulnerability scanning
  • Style and linting checks
  • Automated fix suggestions
  • Configuration file support
  • Full review command

v1.0.0 (Planned)

  • Multi-platform support (GitLab, Bitbucket)
  • CI/CD integration
  • Team collaboration features
  • Review dashboard

📄 License

MIT

🙋 Support

For issues or questions:

  • Check the documentation
  • Open an issue on GitHub
Usage Guidance
Key things to consider before installing or running:

  • Metadata mismatch: The registry lists no required environment variables, but SKILL.md and the code require GITHUB_TOKEN and ANTHROPIC_API_KEY. Ask the publisher to correct the registry metadata before trusting automatic installs.
  • Secrets: This tool will read a .env file and environment variables; do NOT use long-lived or organization-wide GitHub tokens. Create a least-privilege PAT (limit to the minimum repo access) or a repo-scoped token, and prefer revocable/ephemeral credentials. Treat the Anthropic key similarly.
  • Data exfiltration surface: The tool will send PR diffs / source code to Anthropic (Claude). If your repository contains sensitive code or secrets, be aware you are transmitting that content to an external LLM provider.
  • Config discovery: ConfigManager searches up to 10 parent directories for .reviewrc / review config files — run the tool from a safe, repository-root directory so it doesn't accidentally read unrelated config files or secrets in parent directories.
  • Run in an isolated environment: Install dependencies in a virtualenv or container. The SKILL.md uses 'uv', which is nonstandard; verify what 'uv' is and prefer a standard pip/venv workflow.
  • Review code locally: You have the code bundle — inspect or run tests locally. The included modules (github_client, claude_client, security_scanner) implement the described behavior; no obvious obfuscated exfil endpoints were found in the provided excerpts, but review the remaining truncated files for any unexpected network requests or hardcoded endpoints before use.
  • Limit logging & outputs: Do not log tokens; prefer environment variables over committing .env; check logger configuration to avoid writing sensitive content to disk or remote services.
  • If you need LLM-based analysis but cannot expose source, consider running the tool with --skip-llm or running security/style checks only, or use a local/approved LLM endpoint.

If you want, I can: (1) scan the remaining truncated files for network calls or suspicious code patterns, (2) extract exact code locations where data is sent to Anthropic/GitHub so you can review the payloads, or (3) produce a minimal threat checklist you can follow before granting credentials.
Capability Analysis
Type: OpenClaw Skill
Name: code-review-automation
Version: 1.0.2

The code-review-automation bundle is a legitimate tool designed to automate GitHub pull request analysis using the Claude LLM. It features a comprehensive CLI (cli.py), a regex-based security scanner (security_scanner.py) for detecting secrets and common vulnerabilities, and a style checker (style_checker.py). The implementation follows standard security practices, such as using environment variables for API keys and safe YAML loading. The bundle is well-documented, includes an extensive test suite (tests/), and shows no signs of malicious intent, data exfiltration, or unauthorized execution.
Capability Assessment
Purpose & Capability
The SKILL.md and included Python code clearly implement GitHub and Anthropic (Claude) integrations and require GITHUB_TOKEN and ANTHROPIC_API_KEY, but the registry metadata declares no required environment variables or credentials and states 'instruction-only'. The package contains many code files (Py modules, CLI, clients, scanners) rather than being a pure instruction-only skill — this mismatch is an incoherence you should question.
Instruction Scope
Runtime instructions and the code will read a .env file and environment variables (GITHUB_TOKEN, ANTHROPIC_API_KEY) and will fetch PR diffs and send diff content to Anthropic (external LLM) for analysis. The ConfigManager auto-discovers config files by searching up to 10 parent directories, which increases filesystem exposure. The behavior (transmitting repository code to an external API, reading config files outside the current repo) is consistent with the tool's purpose but is sensitive and wider-scoped than the registry metadata indicates.
Install Mechanism
There is no install spec in the registry (low-risk), but SKILL.md instructs users to pip-install dependencies (PyGithub, anthropic, rich, typer, python-dotenv). That is typical but the SKILL.md also uses the 'uv' wrapper in examples (e.g., 'uv pip install', 'uv run'), which is unusual and may require an additional tool. No downloads from arbitrary URLs or extract steps were found in the provided files.
Credentials
The skill legitimately needs a GitHub PAT and an Anthropic API key for full functionality, and the code reads those from a .env in the skill directory. However, the registry metadata omitted these required env vars (incoherent). The tool's config discovery (searching parent directories) and any logging that writes to disk increase the chance of exposing other local secrets if misconfigured. The number and type of secrets requested (GITHUB_TOKEN, ANTHROPIC_API_KEY) are proportionate to the claimed functionality, but the omission from metadata is a red flag.
Persistence & Privilege
The skill does not request always: true and does not modify other skills. It can read and write configuration (.reviewrc) in the current directory and will auto-discover config files across parent directories (up to 10 levels). That behavior is plausible for a CLI tool but expands filesystem reach and should be considered when running in sensitive directories.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install code-review-automation
  3. After installation, invoke the skill by name or use /code-review-automation
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
  • Added comprehensive SKILL.md documentation describing all features, commands, technical details, examples, and roadmap for Code Review Automation.
  • Clarified purpose: Automated code reviews for GitHub pull requests using Claude LLM.
  • Outlined usage instructions, including installation, setup, and command-line interface.
  • Provided details on security practices, configuration, and support resources.
Metadata
  • Slug: code-review-automation
  • Version: 1.0.2
  • License: MIT-0
  • All-time Installs: 1
  • Active Installs: 1
  • Total Versions: 1
Frequently Asked Questions

What is Code Review Automation?

Automated code review for GitHub pull requests using Claude LLM. PR analysis, security scanning, and style checking. It is an AI Agent Skill for Claude Code / OpenClaw, with 256 downloads so far.

How do I install Code Review Automation?

Run "/install code-review-automation" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Code Review Automation free?

Yes, Code Review Automation is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Code Review Automation support?

Code Review Automation is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Code Review Automation?

It is built and maintained by HiroFumiko (@hirofumiko); the current version is v1.0.2.
