AI Code Review
Author: terrycarter1985 (GitHub) · v1.1.0 · MIT-0
35 total downloads · 0 favorites · 0 current installs · 1 version
Install in OpenClaw: /install ai-code-review-service
Description
AI-powered service for pull request code reviews with optional voice note transcription, Discord alerts, and secure diff URL handling.
Usage (SKILL.md)
ai-code-review
AI-powered code review service with voice transcription, Discord notifications, and ClawHub integration.
Triggers
- "code review", "review code", "PR review"
- "transcribe voice note", "voice review"
- "publish skill", "skill publish"
Usage
Review a pull request
python src/code_review_service.py <pr_number> <diff_url> [voice_note_path]
Environment variables
| Variable | Required | Description |
|---|---|---|
| OPENAI_API_KEY | Yes | OpenAI API key for Whisper transcription |
| DISCORD_WEBHOOK_URL | No | Discord webhook for review notifications |
| VOICE_NOTE_BASE_DIR | No | Base directory for voice note files (default: /tmp/voice_notes) |
| ALLOW_INTERNAL_DIFF_URLS | No | Set to allow internal-network diff URLs (security override) |
Security
- Diff URLs are validated against SSRF (scheme + hostname checks)
- Voice note paths are sandboxed to VOICE_NOTE_BASE_DIR
- Discord notification content is escaped to prevent injection
- All HTTP requests enforce a 30-second timeout
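The Security list above promises "scheme + hostname" SSRF checks and a sandboxed voice-note directory. A scheme and hostname check alone still lets an allow-listed or attacker-controlled name resolve to a private or link-local address (10.0.0.0/8, 169.254.169.254), and a naive prefix check on a path still follows symlinks out of the base directory. The block below is an added example, not code from this skill or its author, showing what a stricter version of both checks looks like. ALLOWED_DIFF_HOSTS, FAKE_DNS, the host git.corp.example and every function name are assumptions chosen for illustration; the DNS table is constructed so the example runs offline, and the real service would resolve with socket.getaddrinfo instead.

```python
"""Stricter diff-URL (SSRF) and voice-note-path (traversal) validation.

Added example, not the skill's own code. ALLOWED_DIFF_HOSTS, FAKE_DNS and the
function names are assumptions chosen to illustrate the Security section.
"""
import ipaddress
import socket
from pathlib import Path
from urllib.parse import urlsplit

# Assumed operator allow-list: only these hosts may serve diffs. git.corp.example
# stands in for a self-hosted code host that lives on an internal address.
ALLOWED_DIFF_HOSTS = {"github.com", "git.corp.example"}

# Constructed DNS table so the example runs offline; production code resolves
# with socket.getaddrinfo (the default resolver in validate_diff_url).
FAKE_DNS = {"github.com": ["140.82.112.3"], "git.corp.example": ["10.0.0.5"]}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


class UnsafeInput(ValueError):
    """A diff URL or voice-note path failed validation."""


def _is_public_ip(ip):
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not (addr.is_multicast or addr.is_reserved)


def validate_diff_url(url, allow_internal=False, resolver=None):
    """Return url if it is safe to fetch, otherwise raise UnsafeInput.

    The scheme must be https, the netloc must carry no credentials, the host
    must be on the allow-list, and (unless allow_internal, i.e. the
    ALLOW_INTERNAL_DIFF_URLS override) every address the host resolves to must
    be public. The last check is what a scheme+hostname check misses.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UnsafeInput(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeInput("credentials in URL are not allowed")
    host = (parts.hostname or "").rstrip(".")  # urlsplit lowercases hostname
    if host not in ALLOWED_DIFF_HOSTS:
        raise UnsafeInput(f"host not on allow-list: {host!r}")
    if allow_internal:
        return url
    resolve = resolver or (lambda h: [ai[4][0] for ai in socket.getaddrinfo(h, 443)])
    addresses = resolve(host)
    if not addresses:
        raise UnsafeInput(f"hostname does not resolve: {host!r}")
    for ip in addresses:
        if not _is_public_ip(ip):
            raise UnsafeInput(f"{host} resolves to non-public address {ip}")
    return url


def check_diff_url(url, allow_internal=False, resolver=fake_resolver):
    """'ok' or the rejection reason; convenient for logging and tests."""
    try:
        validate_diff_url(url, allow_internal, resolver)
        return "ok"
    except UnsafeInput as exc:
        return str(exc)


def resolve_voice_note_path(user_path, base_dir):
    """Resolve user_path inside base_dir; raise UnsafeInput if it escapes.

    Both sides are resolved with symlinks followed, so '..' segments, absolute
    paths (which replace base_dir when joined) and symlinks inside base_dir
    that point outside are all rejected, not just the obvious '..' case.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if candidate == base or base not in candidate.parents:
        raise UnsafeInput(f"path escapes {base}: {user_path!r}")
    return candidate


def voice_note_path_ok(user_path, base_dir="/tmp/voice_notes"):
    try:
        resolve_voice_note_path(user_path, base_dir)
        return True
    except UnsafeInput:
        return False


if __name__ == "__main__":
    for u in ["https://github.com/o/r/pull/7.diff", "http://github.com/o/r.diff",
              "https://github.com@evil.example/x.diff",
              "https://169.254.169.254/latest/meta-data/",
              "https://git.corp.example/o/r.diff"]:
        print(u, "->", check_diff_url(u))
    print("override ->", check_diff_url("https://git.corp.example/o/r.diff", allow_internal=True))
    for p in ["alice/note.ogg", "notes/../note.ogg", "../../etc/passwd", "/etc/passwd", ""]:
        print(repr(p), "->", voice_note_path_ok(p))
```

Two caveats a practitioner should keep in mind. Resolving the name and then fetching the URL leaves a window for DNS rebinding; closing it means connecting to the address that passed the check (and sending the original Host header) and refusing HTTP redirects, since a redirect to an internal address bypasses every check above. And the ALLOW_INTERNAL_DIFF_URLS override disables the address check entirely, so it should be set only deliberately for a known self-hosted code host.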
Changelog
1.1.0 (2026-05-07)
- Fixed SSRF vulnerability in diff URL fetching
- Fixed path traversal risk in voice note transcription
- Added Discord content escaping to prevent injection
- Added request timeouts (30s) to all HTTP calls
- Fixed analyze_code_changes returning a hardcoded "approved"; it now returns "pending_manual_review"
- Added proper error handling for diff fetch and voice transcription
- Added structured logging throughout the service
- Improved __main__ with CLI arg parsing and error handling
- Optimized health check script compatibility (works in chroot/container environments)
Safe-use recommendations
Install only if you are comfortable reviewing and tightening the included source. Use restricted OpenAI and Discord credentials, run the service in a sandboxed environment, allow diff URLs only from trusted code hosts, verify the voice-note directory containment before uploading files, and do not run the healthcheck script with elevated privileges unless you explicitly want it to restart those host services.
Functional analysis
Type: OpenClaw Skill
Name: ai-code-review-service
Version: 1.1.0
The skill bundle provides a legitimate AI-powered code review service with voice transcription and Discord notifications. The code in `references/code_review_service.py` includes proactive security measures, such as SSRF validation for diff URLs, path traversal protection for audio files using a sandboxed directory, and content escaping to prevent Discord injection. The `scripts/healthcheck.sh` script performs standard system monitoring and service recovery without any signs of malicious intent or unauthorized data exfiltration.
Capability assessment
Purpose & Capability
The PR review, voice transcription, and Discord alert features match the stated purpose, but the actual code-review analysis is still a TODO returning pending_manual_review, and the SKILL usage path references src/code_review_service.py while the provided file is under references/.
Instruction Scope
The runtime accepts a caller-supplied diff URL and voice-note path, then performs network fetches and provider upload; the implemented URL and path checks are weaker than the security claims imply.
Install Mechanism
There is no install spec and the registry declares no env vars or primary credential, while SKILL.md documents OPENAI_API_KEY and optional Discord/base-directory settings. This is disclosed in the skill text but under-declared in metadata.
Credentials
OpenAI and Discord network access is purpose-aligned, but the included healthcheck script reaches host-level services and can restart nginx, docker, code-review-service, and whisper-api-gateway, which is broader than a code-review skill needs unless explicitly operator-approved.
Persistence & Privilege
No background persistence is installed by the artifacts, but scripts/healthcheck.sh writes to /var/log and invokes systemctl restart, requiring elevated host privileges and causing lasting environment changes if run.
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat window: /install ai-code-review-service
- After installation, call the Skill by name or trigger it with /ai-code-review-service
- Supply the required inputs described in the Skill's parameter documentation to receive structured output
Version history
v1.1.0
Fixed code-quality issues (SSRF / path traversal / injection protection) and improved health-check compatibility
FAQ
What is AI Code Review?
AI-powered service for pull request code reviews with optional voice note transcription, Discord alerts, and secure diff URL handling. It is an AI agent Skill plugin for Claude Code / OpenClaw, downloaded 35 times so far.
How do I install AI Code Review?
Run the command /install ai-code-review-service in the OpenClaw or Claude Code chat window. Before the service can transcribe voice notes it needs the OPENAI_API_KEY environment variable; the Discord webhook, voice-note directory and internal-URL override are optional (see the environment variable table above).
Is AI Code Review free?
Yes. AI Code Review is free and released under the MIT-0 license, so it can be downloaded, installed and used without restriction.
Which platforms does AI Code Review support?
AI Code Review is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.
Who develops AI Code Review?
Developed and maintained by terrycarter1985 (@terrycarter1985); the current version is v1.1.0.