← 返回 Skills 市场
guitenbay

code-review-for-gitcode

作者 hummel mao · GitHub ↗ · v0.1.3 · MIT-0
cross-platform ✓ 安全检测通过
319
总下载
2
收藏
0
当前安装
4
版本数
在 OpenClaw 中安装
/install code-review-for-gitcode
功能描述
Handles full GitCode PR code reviews by automating security scans, manual analysis, selecting top issues, formatting results, and optionally posting review c...
使用说明 (SKILL.md)

Code Review Skill

Complete 5-step code review workflow for GitCode PRs.

📁 Temp Directory Management

所有审查过程中生成的临时文件必须存放在 temp/ 目录下

文件 说明
temp/review_result.json Step 1 自动化扫描结果
temp/top3_issues.json Step 3 选择的 Top 问题
temp/formatted_review.json Step 4 格式化后的评论
temp/*.py 脚本运行时缓存的文件
temp/* 获取的 diff 文件,下载的代码文件

⚠️ 重要:审查完成后必须清理 temp/ 目录,删除所有临时文件。

5-Step Review Process

Step 1: Automated Scanning

Run script to detect critical issues:

python scripts/review_pr.py \x3Cpr_url> [token]

Detects: SQL injection, command injection, XSS, eval(), hardcoded credentials, resource leaks, infinite loops.

Features:

  • Automatic line number verification - Downloads the actual file and verifies line numbers match the code snippets
  • Smart caching - Avoids redundant downloads for the same PR
  • Line number correction - Automatically fixes incorrect line numbers and logs changes

Output: temp/review_result.json (with verified line numbers)

Step 2: Manual Review (REQUIRED)

Always read all changed code manually. Script misses:

  • Logic errors and edge cases
  • Design flaws
  • Performance issues
  • Missing error handling
  • Business logic errors
  • Code duplication
  • Test coverage gaps

How to get diff:

curl -H "Authorization: Bearer \x3Ctoken>" \
  "https://gitcode.com/api/v5/repos/\x3Cowner>/\x3Crepo>/pulls/\x3Cnumber>/diff"

Important: For each issue found, record:

  • File path: e.g., src/components/Table.tsx
  • Line range: e.g., L42-L45 (the line numbers of the problematic code)
  • Problem code: The actual code snippet
  • Description: Detailed explanation of the issue
  • Suggestion: Specific fix recommendation

How to find the correct line number in the new file:

Use the provided helper script to find exact line numbers:

# Single line
python scripts/find_line_numbers.py \x3Cfile_path> "code snippet"

# Multi-line (use \
 to separate lines)
python scripts/find_line_numbers.py \x3Cfile_path> "line1\
line2\
line3"

Example:

python scripts/find_line_numbers.py file_parser.py "return entries"
# Output: 第 119 行

python scripts/find_line_numbers.py file_parser.py "line.startswith('[ERROR] HCCL') or\
                        line.startswith('[INFO] HCCL')"
# Output: 第 103-104 行

Important: The position in your JSON must be the last line of the problematic code range (e.g., if problem spans L103-L105, use 105).

Manual method (if script unavailable):

When reviewing a diff file, the line numbers shown in the diff (after @@ markers) may not match the actual line numbers in the new file. To find the correct position for PR comments:

Understanding diff hunk headers:

@@ -old_start,old_count +new_start,new_count @@
  • -old_start,old_count: Old file starting line and number of lines
  • +new_start,new_count: New file starting line and number of lines

How to calculate exact line numbers in the new file:

  1. Find the hunk header with +new_start (the number after +)
  2. Count lines from that starting number, including:
    • Context lines (no prefix)
    • Added lines (starting with +)
    • Modified lines (shown as removed - then added +)
  3. Exclude the hunk header line itself and file metadata lines

Example:

@@ -40,7 +39,7 @@ bool QueryTableDataDetailHandler::HandleRequest(...)
     } else if (request.params.type == "1") {
         ComputeLinkPageDetail(request, response, database);
     }
-    session.OnResponse(std::move(responsePtr));
+    SendResponse(std::move(responsePtr), true);
     return true;
 }
  • New file starts at line 39
  • Line 39: } else if ...
  • Line 40: ComputeLinkPageDetail...
  • Line 41: }
  • Line 42: SendResponse(std::move(responsePtr), true);This is line 42
  • Line 43: return true;

  1. For new files (file mode is new file mode):

    # Count only lines starting with '+' (excluding '+++ ' header)
$lines = Get-Content pr_diff.txt
$inFile = $false
$lineNum = 0
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match "^diff --git.*your-file.py") { $inFile = $true }
    if ($inFile -and $lines[$i] -match "^\+.*your-target-code") {
        Write-Output "New file line: $lineNum"
        break
    }
    if ($inFile -and $lines[$i] -match "^\+" -and $lines[$i] -notmatch "^\+\+\+") {
        $lineNum++
    }
}

  2. Quick check: The position should point to the last line of the problematic code range in the new file (after PR changes).

Tip: If GitCode API returns 400 Bad Request with "diff failed to be generated due to invalid params under position param", the line number is likely incorrect.

Important: Always verify by manually counting from the +new_start line number in the hunk header. Do not guess or estimate line numbers.

Step 3: Select Top 3 Issues

⚠️ 流程决策

问题数量 后续步骤
0 个 直接退出,输出"0 问题,审查通过",跳过 Step 3/4/5
1-3 个 继续 Step 3/4,按实际数量处理(不必凑满 3 个)
>3 个 选择最严重的 3 个问题,继续后续步骤

Combine automated + manual findings:

  • Filter false positives from script
  • Add issues found in manual review
  • Sort by severity (1-10)
  • Select top issues (up to 3, no need to fill exactly 3)

Note: 当问题数量为 0 时,直接退出整个审查流程,无需生成任何 JSON 文件。

Generate json format file temp/top3_issues.json for these issues to use in next step.

temp/top3_issues.json must be created in the directory of format_review.py for the next step to read.

Important:

  • The description field must contain the complete description from Step 1 and Step 2 findings, not a simplified version. Include all context and details.
  • The position field must be the last line number of the problematic code range (e.g., if problem code is at L42-L45, use 45)

Structure:

{
  "meta": {
    "total_issues": 5,
    "selected_issues": 3,
    "automated_count": 2,
    "manual_count": 3
  },
  "top3_issues": [
    {
      "number": 1,
      "path": "src/file.py",
      "lines": "L42-L45",
      "position": 45,
      "severity": 8,
      "type": "安全问题",
      "description": "Complete description from Step 1/2 findings, not simplified",
      "suggestion": "Detailed suggestion with specific actions",
      "code": "problematic code snippet from L42-L45",
      "code_context": ""
    }
    // 问题数量可以是 1-3 个,不必强制凑满 3 个
  ]
}

Note: position uses the last line of the code range for GitCode API positioning.

Important: The position must be the line number in the new file (after PR changes), not the line number in the diff file. See Step 2 for how to calculate the correct line number.

If total issues = 0: 跳过整个 Step 3/4/5,直接输出审查通过结论。

If total issues 1-3: 按实际数量继续后续步骤,无需凑满 3 个。

After generating temp/top3_issues.json, display the issues in Markdown format:

Top 3 Issues Selected

🔴 问题 #1 | 可维护性问题 | 6/10

文件: server/src/.../CheckProjectValidHandler.cpp**

问题代码行: L119-L124

问题代码:

bool CheckProjectValidHandler::CheckPathSafety(
    const std::string& path,
    ProjectErrorType& error)
{
    ...
}
review 内容
描述 代码重复,违反DRY原则
建议 提取公共函数到 FileUtil 类中

🟠 问题 #2 | 测试覆盖问题 | 6/10

文件: server/src/.../CheckProjectValidHandler.cpp**

问题代码行: L119

问题代码:

bool CheckProjectValidHandler::CheckPathSafety
review 内容
描述 缺少单元测试
建议 补充单元测试覆盖各种场景

🟡 问题 #3 | 代码一致性问题 | 5/10

文件: server/src/.../TimelineProtocolRequest.h**

问题代码行: L68-L72

问题代码:

bool isSafePath = std::any_of(path.begin(), path.end(), ...)
review 内容
描述 逻辑不一致,缺少 IsRegularFile 检查
建议 统一使用 FileUtil::CheckPathSafety

Total: 3 issues selected (or actual count if less than 3)

Note: position in JSON uses the last line number (e.g., L119-L124 → position: 124)

After generating temp/top3_issues.json, immediately proceed to Step 4 to format the output.

If total issues = 0: 直接跳过 Step 3/4/5,输出审查通过结论。

Step 4: Format Output

Format issues to structured JSON:

python scripts/format_review.py temp/top3_issues.json temp/formatted_review.json

Input:

  • temp/top3_issues.json from Step 3

Output: temp/formatted_review.json

temp/formatted_review.json must be created in the directory of post_review.py for the next step to read.

Structure:

{
  "comments": [
    {
      "number": 1,
      "path": "src/file.py",
      "position": 42,
      "severity": 8,
      "type": "安全问题",
      "body": "【review】..."
    }
  ]
}

Comment Format (in body field):

【review】{问题类型}。{问题描述}。{修改建议}。

After generating formatted_review.json, display the formatted content:

Step 4: Formatted Review Comments (Ready to Post)

以下 3 条评论将提交到 PR:

1. `CheckProjectValidHandler.cpp:119`
   类型: 可维护性问题 | 严重程度: 6/10
   内容: 【review】代码重复,违反DRY原则...

2. `CheckProjectValidHandler.cpp:119`
   类型: 测试覆盖问题 | 严重程度: 6/10
   内容: 【review】缺少单元测试...

3. `TimelineProtocolRequest.h:68`
   类型: 代码一致性问题 | 严重程度: 5/10
   内容: 【review】逻辑不一致...

Output: formatted_review.json

Step 5: Post to PR (Optional) - ⚠️ 必须等待用户确认

🚨 重要警告:此步骤涉及向 PR 发布评论,属于外部写入操作。必须先显示预览并等待用户明确确认(yes/no),严禁擅自执行!

Preview and confirm before posting:

python scripts/post_review.py \x3Cowner> \x3Crepo> \x3Cpr_number> \x3Ctoken> [temp/formatted_review.json]

Parameters:

  • owner: Repository owner (e.g., Ascend)
  • repo: Repository name (e.g., msinsight)
  • pr_number: PR number (e.g., 277)
  • token: GitCode access token
  • temp/formatted_review.json: Output from Step 4 (default: temp/formatted_review.json)

Example:

python scripts/post_review.py Ascend msinsight 277 your_token_here temp/formatted_review.json

Flow (必须严格遵守):

  1. Read temp/formatted_review.json from Step 4
  2. Display preview of all comments
  3. ⚠️ 必须等待用户明确确认:询问用户 "是否确认提交以上评论?(yes/no)"
  4. 只有用户回复 'yes' 或 '是' 后才执行提交,否则取消
  5. 审查完成后清理 temp 目录(见下方)

🧹 Temp Directory Cleanup

⚠️ 审查完成后必须清理 temp 目录

# 删除 temp 目录及其所有内容
Remove-Item -Recurse -Force temp/
# 或
rm -rf temp/

清理时机

  • 当问题数量为 0 时,审查通过后立即清理
  • 当问题数量 >0 时,完成 Step 5(发布评论)后清理
  • 如果用户拒绝发布评论,也需清理

保留情况:无

Severity Scale

Score Level Action
9-10 Critical Block merge
7-8 High Strongly recommend fix
5-6 Medium Recommend fix
3-4 Low Optional fix
1-2 Nit Style suggestion

Manual Review Checklist

Logic & Correctness

  • Edge cases (null, empty, max values)
  • Error handling paths
  • Concurrency/thread safety
  • Resource cleanup

Design & Architecture

  • Single responsibility
  • No code duplication
  • Clean interfaces
  • Clear dependencies

Performance

  • Algorithm complexity
  • N+1 queries
  • Large data handling
  • Memory usage

Security

  • Input validation
  • Output encoding
  • Authorization checks
  • Sensitive data handling

Testing

  • Tests cover changes
  • Edge cases tested
  • Error paths tested

API Reference

  • Get PR files: GET /api/v5/repos/{owner}/{repo}/pulls/{number}/files
  • Get diff: GET /api/v5/repos/{owner}/{repo}/pulls/{number}/diff
  • Post comment: POST /api/v5/repos/{owner}/{repo}/pulls/{number}/comments

Scripts

Script Purpose Step Input Output Features
review_pr.py Automated scanning 1 PR URL + Token temp/review_result.json Auto line verification, caching
find_line_numbers.py Find code line numbers 2 File path + code snippet Line number(s) Exact match, multi-line support
format_review.py Format to JSON 4 temp/top3_issues.json temp/formatted_review.json GitCode API format
post_review.py Post to PR 5 temp/formatted_review.json PR comments Batch posting with confirmation

Script Details

review_pr.py

New Features (v2.0):

  1. Automatic Line Number Verification

    • Downloads modified files from PR branch
    • Uses code snippets to find exact line numbers
    • Corrects mismatches automatically

  2. File Caching

    • Caches downloaded files to avoid redundant API calls
    • Cache key: {owner}/{repo}/{sha}/{file_path}

  3. Verification Logging

    • Logs line number corrections: Line number corrected: file.ts:275 -> 167
    • Warns if verification fails
安全使用建议
This skill appears to be a legitimate GitCode PR review tool, but check a few things before running it with real credentials: - Provide a least-privilege GitCode token (repo or minimal scope) and prefer a machine/service account rather than a personal token. The scripts require a token passed on the command line. - Verify the API endpoints: some code uses https://gitcode.com/api/v5 while other files and the documentation reference https://api.gitcode.com/api/v5. Confirm which domain your GitCode instance uses and update the script accordingly to avoid accidental requests to an unintended host. - Confirm file paths/output locations: SKILL.md expects temp/ files in the repo, but review_pr.py creates an OS temp dir (tempfile.mkdtemp) and format_review.py defaults to formatted_review.json in cwd. Decide where temporary/output JSON should live and ensure the workflow (Step1→Step3→Step4→Step5) reads/writes consistent filenames/locations. - Review and test locally in an isolated environment (or sandbox) on a non-production repo to validate end-to-end behavior and to preview comments before posting to live PRs. post_review.py prints a preview but will post comments when run — be careful to avoid noisy/accidental posts. - Inspect network endpoints if you have an internal GitCode or self-hosted domain to ensure all calls go to expected hosts (raw.gitcode.com / api.gitcode.com). If you need to audit further, open the full review_pr.py (truncated in the manifest) to confirm there are no hidden network calls. If you want, I can: (1) list the exact places to change the base_url and file paths to make the workflow consistent; (2) produce a small checklist/commands to safely test the skill against a sample PR without posting comments.
功能分析
Type: OpenClaw Skill Name: code-review-for-gitcode Version: 0.1.3 The skill bundle provides a legitimate workflow for performing code reviews on GitCode pull requests. It includes scripts for automated security scanning (review_pr.py), line number verification (find_line_numbers.py), and posting comments via the GitCode API (post_review.py). The instructions in SKILL.md emphasize security best practices such as cleaning up temporary files and requiring explicit user confirmation before performing external write operations. No evidence of data exfiltration, unauthorized remote access, or malicious intent was found.
能力标签
requires-oauth-token
能力评估
Purpose & Capability
The name/description (GitCode PR code review) align with the included scripts: automated scanning (review_pr.py), helper for finding line numbers, formatting (format_review.py), and posting comments (post_review.py). No unrelated environment variables, binaries, or external services are requested beyond GitCode API/raw endpoints, which is proportional to the stated purpose.
Instruction Scope
SKILL.md instructs downloading diffs/files, running the provided scripts, and posting comments to GitCode — all expected. However, SKILL.md mandates placing temporary files under a repo-local temp/ directory, while the main review_pr.py uses tempfile.mkdtemp() (system temp) and the format/post scripts default to writing/reading files in the current working directory. There are also small field-name/format assumptions across steps (e.g., issues use keys like 'line' vs 'position') that may cause runtime mismatch; these are implementation bugs rather than scope creep.
Install Mechanism
No install spec; this is instruction + bundled scripts only. No external archives or installers are fetched by the skill itself. That minimizes install-time risk. The code does perform network calls at runtime (GitCode API/raw endpoints).
Credentials
The skill does not declare required env vars and accepts a GitCode token as a CLI argument, which the scripts use to call GitCode APIs and download raw files. Requesting a GitCode access token is expected and proportionate. There are no requests for unrelated credentials or system secrets.
Persistence & Privilege
The skill does not request permanent inclusion (always:false). It writes temporary and output JSON files and posts comments to PRs when invoked — expected behavior. It does not modify other skills or system-wide configuration.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install code-review-for-gitcode
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /code-review-for-gitcode 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.3
**Summary: Adds mandatory temp directory usage, strict file clearing, and automatic line number verification to the review process.** - All temporary/code review files are now required to be stored in the `temp/` directory; cleanup after review is mandatory. - Automated scanning now checks and auto-corrects line numbers against actual file content, with smart download caching. - Step 3 now supports exits with "0 issues, review passed" if no problems found, and does not require selecting 3 issues if fewer exist. - JSON output locations updated: all outputs (e.g., `review_result.json`, `top3_issues.json`, `formatted_review.json`) must be in `temp/`. - Step-by-step instructions updated for clarity, and file management requirements made explicit throughout.
v0.1.2
## v0.1.2 Changelog - Added a helper script (`scripts/find_line_numbers.py`) to accurately locate code line numbers in files for manual review and PR comments. - Updated documentation in SKILL.md to include usage instructions for the new line number script. - Provided clearer step-by-step guidance in SKILL.md on mapping diff hunk headers to correct line numbers in the new file, improving review accuracy. - Emphasized the importance of verifying and using the last line of issue code ranges for GitCode API positioning.
v0.1.1
**Adds instructions for finding correct line numbers when commenting on PRs.** - Step 2 now explains how to determine the correct `position` in the new file for PR comments, including examples for new and modified files. - Adds a PowerShell code snippet for calculating new file line numbers from a diff. - Warnings were added about API errors caused by incorrect line numbers when posting comments. - In Step 3, emphasizes that `position` must be the line number in the new post-PR file, not the diff. - No feature or workflow changes; purely documentation improvements.
v0.1.0
- Initial release of Code Review Skill for GitCode PRs. - Implements a complete 5-step code review workflow: automated scanning, manual review, top issue selection, formatted output, and PR comment posting. - Provides clear instructions, scripts, and output formats for each review step. - Includes a detailed manual review checklist and severity scale. - Supports integration with GitCode API for diff retrieval and comment posting. - Designed to combine both automated security checks and comprehensive human review for pull requests.
元数据
Slug code-review-for-gitcode
版本 0.1.3
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 4
常见问题

code-review-for-gitcode 是什么?

Handles full GitCode PR code reviews by automating security scans, manual analysis, selecting top issues, formatting results, and optionally posting review c... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 319 次。

如何安装 code-review-for-gitcode?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install code-review-for-gitcode」即可一键安装,无需额外配置。

code-review-for-gitcode 是免费的吗?

是的,code-review-for-gitcode 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

code-review-for-gitcode 支持哪些平台?

code-review-for-gitcode 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 code-review-for-gitcode?

由 hummel mao(@guitenbay)开发并维护,当前版本 v0.1.3。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论