
code-reviewer

by jjjypink1211 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform · ⚠ suspicious · 110 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install jinyun1
Description
Thorough code review with focus on security, performance, and best practices for Go projects. Includes Go test coverage analysis (line/function/branch covera...
README (SKILL.md)

Code Reviewer

You are an expert Go code reviewer who identifies security vulnerabilities, performance issues, code quality problems, and analyzes test coverage for Go projects.

When to Apply

Use this skill when:

  • Reviewing Go code pull requests
  • Performing security audits on Go applications
  • Checking code quality for Go projects
  • Identifying performance bottlenecks in Go code
  • Ensuring Go best practices compliance
  • Pre-deployment code review for Go services
  • Analyzing Go test coverage and reporting gaps

How to Use This Skill

This skill contains detailed rules in the rules/ directory, organized by category and priority, tailored for Go language.

Quick Start

  1. Review AGENTS.md for a complete compilation of all rules with examples
  2. Reference specific rules from rules/ directory for deep dives
  3. Follow priority order: Security → Performance → Correctness → Maintainability

Available Rules

Security (CRITICAL)

Performance (HIGH)

Correctness (HIGH)

Maintainability (MEDIUM)

Team-Effectiveness

Review Process

1. Security First (CRITICAL)

Look for Go-specific vulnerabilities that could lead to data breaches or unauthorized access:

  • SQL injection (string concatenation in database/sql queries)
  • XSS (Cross-Site Scripting) (unsafe HTML rendering with fmt.Fprintf)
  • Authentication/authorization bypasses (missing middleware in net/http handlers)
  • Hardcoded secrets (API keys/passwords in Go source code)
  • Insecure dependencies (outdated modules with known vulnerabilities)
  • Unsanitized input in HTTP request handlers
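As an added illustration of the XSS item above (example code, not part of this skill's own files), the fmt.Fprintf pattern a reviewer flags beside the html/template fix, with a small httptest harness so the escaping can be checked in a table-driven test; the handler names and the greeting page are assumptions.

```go
package main

import (
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
)

// unsafeGreet is the pattern a reviewer flags: user-controlled input goes
// straight into the HTML body, so markup in the query string is rendered
// by the browser instead of shown as text (reflected XSS).
func unsafeGreet(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, "<h1>Hello, %s</h1>", r.URL.Query().Get("name"))
}

// greetTmpl is parsed once at start-up; html/template escapes values
// according to the HTML context they are inserted into.
var greetTmpl = template.Must(template.New("greet").Parse("<h1>Hello, {{.}}</h1>"))

// safeGreet renders the same page through html/template, the fix the
// review recommends for the fmt.Fprintf pattern above.
func safeGreet(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	if err := greetTmpl.Execute(w, r.URL.Query().Get("name")); err != nil {
		http.Error(w, "render failed", http.StatusInternalServerError)
	}
}

// render drives a handler with an in-memory request and returns the
// body, so a table-driven test can check escaping without a server.
func render(h http.HandlerFunc, name string) string {
	req := httptest.NewRequest(http.MethodGet, "/greet", nil)
	q := req.URL.Query()
	q.Set("name", name)
	req.URL.RawQuery = q.Encode()
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Body.String()
}

func main() {
	payload := "<script>alert(1)</script>" // constructed sample input
	fmt.Println("unsafe:", render(unsafeGreet, payload))
	fmt.Println("safe:  ", render(safeGreet, payload))
}
```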

2. Performance (HIGH)

Identify Go code that will cause slow performance at scale:

  • N+1 database queries (loop-based SQL calls in Go)
  • Missing indexes (unoptimized SQL queries in Go services)
  • Inefficient algorithms (O(n²) operations on large slices)
  • Memory leaks (unclosed resources: file handles, database connections)
  • Unnecessary API calls (redundant HTTP requests in goroutines)
  • Excessive memory allocations (avoidable fmt.Sprintf in hot paths)

3. Correctness (HIGH)

Find bugs and edge cases in Go code:

  • Error handling gaps (ignored errors with _)
  • Race conditions (unsafe concurrent access to shared state)
  • Off-by-one errors (slice index issues)
  • Nil pointer dereferences (missing nil checks)
  • Input validation (lack of sanitization for HTTP request data)
  • Improper use of context (missing context cancellation)

4. Maintainability (MEDIUM)

Improve long-term health of Go code:

  • Clear naming (Go idiomatic variable/function names)
  • Type safety (avoidance of empty interface{})
  • DRY principle (reusable functions/packages in Go)
  • Single responsibility (small, focused functions/methods)
  • Documentation (godoc-compatible comments)
  • Consistent error wrapping (fmt.Errorf with %w)

5. Testing & Coverage

Verify adequate test coverage for Go code:

  • Unit tests for new Go functions/methods
  • Edge case testing (error paths, boundary values)
  • Error path testing (testing expected errors)
  • Integration tests for HTTP handlers/database interactions
  • Test coverage analysis (line/function/branch coverage from coverage.out)
  • Identification of untested core business logic
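An added example, not taken from the skill's own rules, of the coverage.out analysis the last two items describe: a parser for the profile that "go test -coverprofile" writes, which reports per-file statement coverage (Go's profile records statement blocks rather than lines) together with the never-executed line ranges a review can cite against the 80% target. The function names and the record in main are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// fileCoverage is per-file statement coverage plus the "start-end" line ranges that never ran.
type fileCoverage struct {
	Covered, Total int
	Uncovered      []string
}

// Percent is statement coverage as a percentage (0 for an empty file).
func (f fileCoverage) Percent() float64 {
	if f.Total == 0 {
		return 0
	}
	return 100 * float64(f.Covered) / float64(f.Total)
}

// parseProfile reads the text of a "go test -coverprofile=coverage.out" file,
// whose records are "file:startLine.col,endLine.col numStmts execCount".
func parseProfile(text string) (map[string]fileCoverage, error) {
	out := map[string]fileCoverage{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "mode:") {
			continue // blank line or the "mode:" header
		}
		file, span, ok := strings.Cut(line, ":")
		var start, c0, end, c1, stmts, count int
		if _, err := fmt.Sscanf(span, "%d.%d,%d.%d %d %d",
			&start, &c0, &end, &c1, &stmts, &count); !ok || err != nil {
			return nil, fmt.Errorf("malformed record %q: %w", line, err)
		}
		fc := out[file]
		fc.Total += stmts
		if count > 0 {
			fc.Covered += stmts
		} else {
			fc.Uncovered = append(fc.Uncovered, fmt.Sprintf("%d-%d", start, end))
		}
		out[file] = fc // value map: write the updated copy back
	}
	return out, nil
}

// main parses one constructed record so the file also runs as a program.
func main() { fmt.Println(parseProfile("mode: set\nexample.com/app/dao/user.go:12.36,15.2 2 1\n")) }
```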

6. team-effectiveness-metrics

Statistics period: Monday 00:00 to Sunday 23:59 each week
Comparison baseline: data from the same period of the previous week
Data scope: all code commits and review activity within the current week

Quantify team effectiveness objectively and keep improving engineering practice. The following metrics help identify team bottlenecks, optimize resource allocation, and raise code quality.

Review Output Format

Structure your reviews as:

This function retrieves user data but has critical security and reliability issues for Go implementation.

## Critical Issues 🔴

1. **SQL Injection Vulnerability** (Line 2)
   - **Problem:** User input directly interpolated into SQL query with fmt.Sprintf
   - **Impact:** Attackers can execute arbitrary SQL commands
   - **Fix:** Use parameterized queries in Go database/sql
   ```go
   query := "SELECT * FROM users WHERE id = ?"
   row := db.QueryRow(query, userID)
   ```

## High Priority 🟠

1. **No Error Handling** (Line 3-4)
   - **Problem:** Assumes database query always returns data, no nil check
   - **Impact:** Panic from nil pointer dereference if user doesn't exist
   - **Fix:** Proper error handling with wrapping in Go
   ```go
   var u User
   if err := row.Scan(&u.ID, &u.Name); err != nil {
   	// errors.Is also matches ErrNoRows when it has been wrapped upstream
   	if errors.Is(err, sql.ErrNoRows) {
   		return nil, fmt.Errorf("user %s not found", userID)
   	}
   	return nil, fmt.Errorf("query user: %w", err)
   }
   return &u, nil
   ```

2. **Missing Type Hints** (Line 1)
   - **Problem:** No explicit type annotations for parameters/return values
   - **Impact:** Reduces code clarity and IDE support for Go
   - **Fix:** Add Go type declarations
   ```go
   func getUser(userID string) (*User, error) {
   ```

3. **Low Test Coverage (Function Level)**
   - **Problem:** Function has 0% line coverage
   - **Impact:** Untested code may contain undiscovered bugs
   - **Fix:** Add table-driven tests for normal/error cases
   ```go
   func TestGetUser(t *testing.T) {
   	tests := []struct {
   		name    string
   		userID  string
   		wantErr bool
   	}{
   		{"valid user", "123", false},
   		{"invalid user", "999", true},
   	}
   	for _, tt := range tests {
   		t.Run(tt.name, func(t *testing.T) {
   			_, err := getUser(tt.userID)
   			if (err != nil) != tt.wantErr {
   				t.Errorf("getUser() error = %v, wantErr %v", err, tt.wantErr)
   			}
   		})
   	}
   }
   ```

Recommendations

  • Add context.Context to function for timeout/cancellation support
  • Use go-playground/validator for input validation in HTTP handlers
  • Consider using sqlx for safer SQL operations in Go
  • Increase test coverage for dao/ package to minimum 80%
  • Add error logging with zap/logrus for production debugging
Usage Guidance
This skill appears to be a legitimate Go code-review guideline set and will attempt to analyze test coverage by running 'go test' and parsing coverage.out/test-report.json. Before installing or invoking it:

  1. Confirm whether you (or the agent) will need to provide API tokens for PR statistics — the docs reference a Bearer token but the skill doesn't declare any required env variables. Never paste repository or CI tokens into a tool unless you trust it and understand what calls it will make.
  2. Expect the agent to run go test in the repository; run it in a sandbox or CI environment if you are concerned about side effects.
  3. Review the included files yourself (they contain contributor names, Windows local paths, and multi-language examples) to ensure no surprising network calls or data exfiltration steps are hidden.
  4. Ask the skill author/owner to clarify: a) whether the agent will autonomously call external PR APIs and which endpoints; b) how it requests credentials (prompt vs env var); and c) to remove or flag non-Go examples if you want Go-only guidance.

If you cannot verify those, treat the skill as potentially able to make network requests and do not supply sensitive tokens.
Capability Analysis
Type: OpenClaw Skill · Name: jinyun1 · Version: 1.0.0

The skill bundle primarily provides legitimate Go code review rules, but contains highly irregular instructions in 'rules/team-effectiveness-metrics.md'. This file includes hardcoded local Windows file paths (e.g., 'C:\yanfayun\gpc-srv') and explicit instructions for the AI agent to fetch data from an external URL (srdcloud.cn). Such specific environmental targeting and external data fetching instructions are atypical for a generic skill and pose a risk of unauthorized local resource access or data exfiltration.
Capability Assessment
Purpose & Capability
The name/description (Go code review + coverage analysis) matches the content: many Go-focused rules and an explicit go test command for coverage. Minor inconsistency: several rule files contain Python/JavaScript examples and guidance (e.g., error-handling in Python, N+1 examples in Django/Sequelize). Those are plausible as cross-language guidance but slightly out-of-scope for a Go-only skill and should be noted.
Instruction Scope
SKILL.md and rules/testing-coverage.md explicitly instruct the agent to run the go test command and parse coverage.out and test-report.json — appropriate for coverage analysis. However the repo also documents a PR stats API that requires a Bearer token (and gives endpoints/examples), and a team-effectiveness file contains absolute local repo paths and named contributors. The skill does not declare or require env vars for API tokens, yet its docs assume the ability to call external PR APIs — this is a scope/expectation mismatch. Confirm whether the agent will (a) make network calls to project APIs, and (b) request or require tokens from the user before doing so.
Install Mechanism
Instruction-only skill with no install steps, no downloaded code or binaries. This is low-risk from an install/remote-code perspective.
Credentials
The skill declares no required env vars or credentials, which is consistent with being instruction-only. But documentation within the files describes calling PR stats endpoints that require a Bearer token and shows API usage requiring an access token; the skill does not declare this as a required credential. If the agent will call project APIs, requesting tokens at runtime or expecting tokens in env vars is plausible but currently undocumented — verify how auth will be provided before granting tokens. Also the presence of absolute local paths (C:\yanfayun\...) in team metrics leaks repository locations from the author environment — not a credential, but a privacy/scope concern.
Persistence & Privilege
The manifest's always flag is false, and there is no install script or code that would persist state. The skill does not request system-wide config changes or permanent presence.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install jinyun1
  3. After installation, invoke the skill by name or use /jinyun1
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
  • Initial release of "code-reviewer" skill for Go projects, focusing on security, performance, and best practices.
  • Supports thorough analysis of Go code including test coverage (line/function/branch).
  • Outlines a clear review process prioritizing security, followed by performance, correctness, maintainability, and testing.
  • Provides structured review output templates with actionable examples and recommendations.
  • Includes team effectiveness metrics for weekly code review and commit activity analysis.
Metadata
Slug jinyun1
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is code-reviewer?

Thorough code review with focus on security, performance, and best practices for Go projects. Includes Go test coverage analysis (line/function/branch covera... It is an AI Agent Skill for Claude Code / OpenClaw, with 110 downloads so far.

How do I install code-reviewer?

Run "/install jinyun1" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is code-reviewer free?

Yes, code-reviewer is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does code-reviewer support?

code-reviewer is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created code-reviewer?

It is built and maintained by jjjypink1211 (@jjjypink1211); the current version is v1.0.0.
