
Code Review Automation

Author HiroFumiko · GitHub ↗ · v1.0.2 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 256
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install code-review-automation
Description
Automated code review for GitHub pull requests using Claude LLM. PR analysis, security scanning, and style checking.
Usage (SKILL.md)

🔍 Code Review Automation

Automated code review for GitHub pull requests using Claude LLM

Automatically analyze GitHub pull requests, provide intelligent code reviews, security scanning, and style checking using Claude AI.

✨ Features

  • PR Listing - View all pull requests in a repository
  • PR Details - Get comprehensive information about any PR
  • File Changes - See exactly what files changed
  • PR Search - Search PRs by keyword
  • Repository Info - Get general repository statistics
  • Claude Analysis - AI-powered code review using Claude LLM
  • Code Quality Scoring - Automated quality assessment (0-100)
  • Security Scanning - Automated security vulnerability detection
  • Style Checking - Automated style and linting checks
  • Full Review - Complete review with all checks
  • Configurable - Custom rules via .reviewrc

🚀 Quick Start

1. Install Dependencies

uv pip install PyGithub anthropic rich typer python-dotenv

2. Setup GitHub API Token

Get your GitHub Personal Access Token:

  1. Go to GitHub Settings → Developer settings → Personal access tokens
  2. Generate a new token with repo scope
  3. Create .env file:
GITHUB_TOKEN=your_github_pat_here

3. Review Pull Requests

# List open PRs
code-review list-prs owner/repo

# Show PR details
code-review pr-info owner/repo 123

# Show files changed
code-review pr-files owner/repo 123

# Analyze PR with Claude AI
code-review review-pr owner/repo 123

📋 Commands

list-prs

List pull requests from a repository.

code-review list-prs owner/repo

Options:

  • --state: PR state (open, closed, all) - default: open
  • --limit: Maximum PRs to show - default: 10

pr-info

Show detailed information about a specific PR.

code-review pr-info owner/repo 123

Shows:

  • Title and description
  • Author and timestamps
  • File change statistics
  • Labels and merge status

pr-files

Show files changed in a PR.

code-review pr-files owner/repo 123

Shows:

  • Changed files
  • Status (added, modified, deleted)
  • Additions and deletions per file

search-prs

Search pull requests by keyword.

code-review search-prs owner/repo --query "bug"

Options:

  • --query: Search keyword (required)
  • --state: PR state (open, closed, all) - default: open
  • --limit: Maximum PRs to show - default: 10

repo-info

Show general repository information.

code-review repo-info owner/repo

Shows:

  • Repository name and description
  • Programming language
  • Stars and forks count
  • Open issues and PRs
  • Creation and update dates

review-pr

Analyze a pull request using Claude AI.

code-review review-pr owner/repo 123

Shows:

  • AI-powered code review
  • Code quality score (0-100)
  • Security considerations
  • Best practices
  • Specific recommendations

Requires:

  • GITHUB_TOKEN in .env
  • ANTHROPIC_API_KEY in .env

security-scan

Scan a pull request for security vulnerabilities.

code-review security-scan owner/repo 123

Detects:

  • Exposed secrets (API keys, tokens, passwords)
  • SQL injection vulnerabilities
  • Command injection vulnerabilities
  • Hardcoded credentials
  • Weak cryptography (MD5, SHA1, RC4, DES)
  • Unsafe deserialization (pickle)

Options:

  • --config: Configuration file path

style-check

Check a pull request for style and linting issues.

code-review style-check owner/repo 123

Checks:

  • Line length violations
  • Naming convention violations
  • Import order
  • Blank lines
  • Whitespace issues
  • Missing docstrings

Options:

  • --config: Configuration file path

full-review

Run full code review (LLM + Security + Style) on a pull request.

code-review full-review owner/repo 123

Combines:

  • LLM analysis (code quality score)
  • Security scanning
  • Style checking

Options:

  • --config: Configuration file path
  • --skip-llm: Skip LLM analysis
  • --skip-security: Skip security scan
  • --skip-style: Skip style check

config-init

Initialize a default configuration file.

code-review config-init --output .reviewrc

Creates a .reviewrc file with customizable settings for:

  • Security scanning rules
  • Style checking rules
  • LLM analysis settings

🔧 Technical Details

GitHub API Integration

  • Uses PyGithub library
  • Authenticates with Personal Access Token
  • Rate limit handled automatically

LLM Integration

  • Claude API for code analysis
  • Intelligent code review comments
  • Context-aware suggestions
  • Code quality scoring

Security Scanning

  • Static analysis for common vulnerabilities
  • Pattern-based detection
  • Severity-based categorization
  • Configurable rules
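The security-scan command and the pattern-based, severity-categorized detection described here can be illustrated with a scanner of the same shape. The block below is an added example written for this page, not the skill's own security_scanner.py: the rules, their severities, the unified diff it runs on and the hypothetical file app/db.py are all constructed here. It inspects only the added lines of a diff, so code the PR removes is not reported, and it includes a redaction step that masks credential literals before a diff would be handed to an external LLM, which addresses the data-exfiltration caveat raised later on this page.

```python
import re
from dataclasses import dataclass

# Constructed sample: a unified diff for one file of a hypothetical PR.
SAMPLE_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -1,2 +1,9 @@
 import hashlib
+import pickle
+import subprocess
+AWS_SECRET_ACCESS_KEY = "CONSTRUCTED/EXAMPLE/KEY/NOT/REAL"
+password = "hunter2"
-digest = hashlib.sha256(data).hexdigest()
+digest = hashlib.md5(data).hexdigest()
+cur.execute("SELECT * FROM users WHERE name = '%s'" % name)
+subprocess.run("ls " + path, shell=True)
+obj = pickle.loads(blob)
"""

# Credential assigned from a string literal; group 1 keeps the "name = " prefix so
# the same pattern can be reused for redaction.
CREDENTIAL_RE = re.compile(
    r"(?i)(\b\w*(?:password|passwd|secret|api[_-]?key|token)\w*\s*=\s*)['\"][^'\"]{4,}['\"]"
)


@dataclass(frozen=True)
class Rule:
    rule_id: str
    pattern: re.Pattern
    severity: str  # "high" | "medium" | "low"
    message: str


# Constructed rule set; a real .reviewrc would make these configurable.
RULES = (
    Rule("hardcoded-credential", CREDENTIAL_RE, "high", "credential assigned from a string literal"),
    Rule("weak-hash", re.compile(r"\bhashlib\.(?:md5|sha1)\s*\("), "medium", "weak hash algorithm"),
    Rule("unsafe-deserialization", re.compile(r"\bpickle\.loads?\s*\("), "high", "pickle on untrusted data"),
    Rule("sql-string-format",
         re.compile(r"\.execute\(\s*(?:f['\"]|['\"].*?['\"]\s*(?:%|\+|\.format\())"),
         "high", "SQL built by string formatting"),
    Rule("shell-true", re.compile(r"\bsubprocess\.\w+\([^)]*shell\s*=\s*True"), "high",
         "subprocess invoked with shell=True"),
)

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int  # line number in the new version of the file
    text: str


def scan_diff(diff: str, rules=RULES) -> list:
    """Apply every rule to each added line of a unified diff, tracking file and new-line numbers."""
    findings, path, new_line = [], "", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith("--- ") or raw.startswith("diff --git"):
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        if raw.startswith("-"):
            continue  # removed lines do not exist in the new file
        if raw.startswith("+"):
            text = raw[1:]
            for rule in rules:
                if rule.pattern.search(text):
                    findings.append(Finding(rule.rule_id, rule.severity, path, new_line, text))
        new_line += 1  # context and added lines both advance the new-file counter
    return findings


def summarize(findings) -> dict:
    """Severity-based categorization, as the scanner's summary line would report it."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def redact_secrets(diff: str) -> str:
    """Mask credential literals before the diff leaves the machine (e.g. to an LLM API)."""
    return CREDENTIAL_RE.sub(r'\1"[REDACTED]"', diff)


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.severity.upper():6} {f.rule_id:24} {f.path}:{f.line}  {f.text}")
    print(summarize(scan_diff(SAMPLE_DIFF)))
```

Matching on added lines only is what keeps a PR that deletes an old hardcoded password from being flagged for it; the trade-off is that a vulnerable line that merely moves within a file still shows up as new, which is the behaviour a reviewer usually wants.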

Style Checking

  • PEP8 compliance checks
  • Naming convention validation
  • Line length enforcement
  • Import order verification
  • Whitespace checks

Configuration

  • YAML/JSON config files
  • Project-specific settings
  • Customizable thresholds
  • .reviewrc support

📊 Examples

# Run full review
code-review full-review facebook/react 34567

# Security scan only
code-review security-scan owner/repo 123

# Style check only
code-review style-check owner/repo 123

# AI analysis only
code-review review-pr owner/repo 123

# List all closed PRs
code-review list-prs owner/repo --state closed --limit 20

# Initialize config
code-review config-init

🔐 Security

  • GitHub PAT stored in .env file (never committed)
  • No secrets logged or displayed
  • IP whitelist recommended

🚧 Roadmap

v0.2.0 - Claude Integration (Completed)

  • Claude API integration
  • Automated PR analysis
  • Intelligent review comments
  • Code quality scoring

v0.3.0 - Security & Style (Current)

  • Security vulnerability scanning
  • Style and linting checks
  • Automated fix suggestions
  • Configuration file support
  • Full review command

v1.0.0 (Planned)

  • Multi-platform support (GitLab, Bitbucket)
  • CI/CD integration
  • Team collaboration features
  • Review dashboard

📄 License

MIT

🙋 Support

For issues or questions:

  • Check the documentation
  • Open an issue on GitHub
Safe Usage Recommendations
Key things to consider before installing or running:

  • Metadata mismatch: The registry lists no required environment variables, but SKILL.md and the code require GITHUB_TOKEN and ANTHROPIC_API_KEY. Ask the publisher to correct the registry metadata before trusting automatic installs.
  • Secrets: This tool will read a .env file and environment variables; do NOT use long-lived or organization-wide GitHub tokens. Create a least-privilege PAT (limit to the minimum repo access) or a repo-scoped token, and prefer revocable/ephemeral credentials. Treat the Anthropic key similarly.
  • Data exfiltration surface: The tool will send PR diffs / source code to Anthropic (Claude). If your repository contains sensitive code or secrets, be aware you are transmitting that content to an external LLM provider.
  • Config discovery: ConfigManager searches up to 10 parent directories for .reviewrc / review config files; run the tool from a safe, repository-root directory so it doesn't accidentally read unrelated config files or secrets in parent directories.
  • Run in an isolated environment: Install dependencies in a virtualenv or container. The SKILL.md uses 'uv', which is nonstandard; verify what 'uv' is and prefer a standard pip/venv workflow.
  • Review code locally: You have the code bundle; inspect or run tests locally. The included modules (github_client, claude_client, security_scanner) implement the described behavior; no obvious obfuscated exfil endpoints were found in the provided excerpts, but review the remaining truncated files for any unexpected network requests or hardcoded endpoints before use.
  • Limit logging & outputs: Do not log tokens; prefer environment variables over committing .env; check logger configuration to avoid writing sensitive content to disk or remote services.
  • If you need LLM-based analysis but cannot expose source, consider running the tool with --skip-llm or running security/style checks only, or use a local/approved LLM endpoint.
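The config-discovery point is easiest to see with code. The block below is an added illustration, not the skill's ConfigManager: `find_config_unbounded` mirrors the described behaviour of walking up to 10 parent directories regardless of where the repository ends, and `find_config_bounded` is the safer variant that stops at the first directory containing `.git`. The config file names, the `.git` marker and the temporary directory layout are all assumptions made for the example.

```python
import tempfile
from pathlib import Path
from typing import Optional

# Assumed config file names; the real ConfigManager's list may differ.
CONFIG_NAMES = (".reviewrc", ".reviewrc.yaml", ".reviewrc.json")


def find_config_unbounded(start: Path, max_levels: int = 10) -> Optional[Path]:
    """Walk up to max_levels parents looking for a config file, ignoring repository boundaries
    (the behaviour described on this page)."""
    d = start.resolve()
    for _ in range(max_levels + 1):
        for name in CONFIG_NAMES:
            if (d / name).is_file():
                return d / name
        if d.parent == d:
            break  # filesystem root
        d = d.parent
    return None


def find_config_bounded(start: Path, max_levels: int = 10) -> Optional[Path]:
    """Same walk, but never crosses the repository root (first directory holding .git),
    so a .reviewrc in an unrelated parent directory is never picked up."""
    d = start.resolve()
    for _ in range(max_levels + 1):
        for name in CONFIG_NAMES:
            if (d / name).is_file():
                return d / name
        if (d / ".git").exists() or d.parent == d:
            break
        d = d.parent
    return None


def demo() -> dict:
    """Build a constructed tree: outer/.reviewrc sits outside outer/repo (which has .git),
    and the tool is run from outer/repo/src/pkg."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        outer = root / "outer"
        repo = outer / "repo"
        cwd = repo / "src" / "pkg"
        cwd.mkdir(parents=True)
        (repo / ".git").mkdir()
        (outer / ".reviewrc").write_text("security:\n  rules: []\n")

        unbounded = find_config_unbounded(cwd)
        bounded = find_config_bounded(cwd)

        # Now add a config inside the repository: the bounded search must find that one.
        (repo / ".reviewrc").write_text("style:\n  max_line_length: 100\n")
        bounded_after = find_config_bounded(cwd)

        return {
            "unbounded_escapes_repo": unbounded is not None and repo not in unbounded.parents,
            "bounded_finds_outside": bounded is not None,
            "bounded_finds_inside": bounded_after is not None and bounded_after.parent == repo,
        }


if __name__ == "__main__":
    print(demo())
```

The difference matters on shared build hosts and developer machines where a parent directory may hold another project's config, or a `.env`-style file with the same name; bounding the search at the repository root removes that exposure without losing per-project configuration.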
If you want, I can: (1) scan the remaining truncated files for network calls or suspicious code patterns, (2) extract exact code locations where data is sent to Anthropic/GitHub so you can review the payloads, or (3) produce a minimal threat checklist you can follow before granting credentials.
Functional Analysis
Type: OpenClaw Skill
Name: code-review-automation
Version: 1.0.2

The code-review-automation bundle is a legitimate tool designed to automate GitHub pull request analysis using the Claude LLM. It features a comprehensive CLI (cli.py), a regex-based security scanner (security_scanner.py) for detecting secrets and common vulnerabilities, and a style checker (style_checker.py). The implementation follows standard security practices, such as using environment variables for API keys and safe YAML loading. The bundle is well-documented, includes an extensive test suite (tests/), and shows no signs of malicious intent, data exfiltration, or unauthorized execution.
Capability Assessment
Purpose & Capability
The SKILL.md and included Python code clearly implement GitHub and Anthropic (Claude) integrations and require GITHUB_TOKEN and ANTHROPIC_API_KEY, but the registry metadata declares no required environment variables or credentials and states 'instruction-only'. The package contains many code files (Py modules, CLI, clients, scanners) rather than being a pure instruction-only skill — this mismatch is an incoherence you should question.
Instruction Scope
Runtime instructions and the code will read a .env file and environment variables (GITHUB_TOKEN, ANTHROPIC_API_KEY) and will fetch PR diffs and send diff content to Anthropic (external LLM) for analysis. The ConfigManager auto-discovers config files by searching up to 10 parent directories, which increases filesystem exposure. The behavior (transmitting repository code to an external API, reading config files outside the current repo) is consistent with the tool's purpose but is sensitive and wider-scoped than the registry metadata indicates.
Install Mechanism
There is no install spec in the registry (low-risk), but SKILL.md instructs users to pip-install dependencies (PyGithub, anthropic, rich, typer, python-dotenv). That is typical but the SKILL.md also uses the 'uv' wrapper in examples (e.g., 'uv pip install', 'uv run'), which is unusual and may require an additional tool. No downloads from arbitrary URLs or extract steps were found in the provided files.
Credentials
The skill legitimately needs a GitHub PAT and an Anthropic API key for full functionality, and the code reads those from a .env in the skill directory. However, the registry metadata omitted these required env vars (incoherent). The tool's config discovery (searching parent directories) and any logging that writes to disk increase the chance of exposing other local secrets if misconfigured. The number and type of secrets requested (GITHUB_TOKEN, ANTHROPIC_API_KEY) are proportionate to the claimed functionality, but the omission from metadata is a red flag.
Persistence & Privilege
The skill does not request always: true and does not modify other skills. It can read and write configuration (.reviewrc) in the current directory and will auto-discover config files across parent directories (up to 10 levels). That behavior is plausible for a CLI tool but expands filesystem reach and should be considered when running in sensitive directories.
How to Use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Type the install command in the chat box: /install code-review-automation
  3. After installation, call the Skill by name or trigger it with /code-review-automation
  4. Provide the required input as described in the Skill's parameter documentation to get structured output
Version History
v1.0.2
- Added comprehensive SKILL.md documentation describing all features, commands, technical details, examples, and roadmap for Code Review Automation.
- Clarified purpose: Automated code reviews for GitHub pull requests using Claude LLM.
- Outlined usage instructions, including installation, setup, and command-line interface.
- Provided details on security practices, configuration, and support resources.
Metadata
Slug code-review-automation
Version 1.0.2
License MIT-0
Total installs 1
Current installs 1
Versions 1
FAQ

What is Code Review Automation?

Automated code review for GitHub pull requests using Claude LLM. PR analysis, security scanning, and style checking. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 256 downloads to date.

How do I install Code Review Automation?

Run the command "/install code-review-automation" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Code Review Automation free?

Yes, Code Review Automation is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does Code Review Automation support?

Code Review Automation runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Code Review Automation?

Developed and maintained by HiroFumiko (@hirofumiko); the current version is v1.0.2.
