← 返回 Skills 市场
Code Review
作者
Shadow Rose
· GitHub ↗
· v1.0.4
· MIT-0
603
总下载
0
收藏
2
当前安装
5
版本数
在 OpenClaw 中安装
/install code-review-sr
功能描述
AI-powered code review that combines fast local static analysis with deep AI reasoning. Catches bugs, security vulnerabilities, performance issues, and style...
使用说明 (SKILL.md)
CodeReview — AI-Powered Code Review Assistant
Combines fast local regex pattern matching with deep AI-powered analysis to deliver thorough, actionable code reviews. Runs a local static analysis pre-pass first, then sends code and initial findings to an AI model for comprehensive review including bug detection, security analysis, performance suggestions, and style feedback.
How It Works
- Local Pre-Pass — Regex-based pattern matching runs instantly, catching hardcoded secrets, eval usage, SQL injection patterns, empty catch blocks, long functions, and more.
- AI Deep Review — The full source code and local findings are sent to your chosen AI model (Anthropic, OpenAI, or Ollama) for deep reasoning about bugs, logic errors, performance, and architecture.
- Graceful Fallback — If no API key is set or the AI call fails, you still get local static analysis results. Never blocks your workflow.
Usage
const { CodeReview } = require('./src/code-review');
// AI-powered review (default: anthropic/claude-haiku-4-5)
const reviewer = new CodeReview({ model: 'anthropic/claude-haiku-4-5' });
const result = await reviewer.review('./src/auth.js');
console.log(result.score); // 1-10
console.log(result.issues); // Array of issues with severity, line, type, message
console.log(result.suggestions); // Actionable improvement suggestions
console.log(result.summary); // Concise quality summary
console.log(result.aiPowered); // true
// Review an entire directory
const dirResult = await reviewer.reviewDir('./src', {
include: ['*.js', '*.ts'],
exclude: ['node_modules', '.git', 'dist'],
concurrency: 3
});
console.log(dirResult.averageScore);
console.log(dirResult.totalIssues);
Model Options
| Provider | Example | API Key Env Var |
|---|---|---|
| Anthropic | anthropic/claude-haiku-4-5 |
ANTHROPIC_API_KEY |
| OpenAI | openai/gpt-4o-mini |
OPENAI_API_KEY |
| Ollama (local) | ollama/llama3 |
None required |
// OpenAI
const reviewer = new CodeReview({ model: 'openai/gpt-4o-mini' });
// Local Ollama
const reviewer = new CodeReview({ model: 'ollama/codellama' });
// Local-only (no AI, regex patterns only)
const reviewer = new CodeReview();
const result = await reviewer.review('./src/app.js');
// result.aiPowered === false
What It Catches
| Category | Examples |
|---|---|
| Bugs | Null references, off-by-one errors, race conditions, empty catch blocks |
| Security | SQL injection, XSS, hardcoded secrets, eval usage |
| Performance | N+1 queries, unnecessary loops, memory leaks |
| Style | Inconsistent naming, long functions, dead code, console.log in production |
| Logic | Unreachable code, redundant conditions |
| Maintainability | Deeply nested callbacks, magic numbers, TODO/FIXME markers |
Output Format
{
"file": "./src/auth.js",
"score": 5,
"issues": [
{
"severity": "high",
"line": 42,
"type": "security",
"message": "User input passed directly to SQL query without parameterization"
},
{
"severity": "medium",
"line": 87,
"type": "bugs",
"message": "Empty catch block silently swallows database connection errors"
}
],
"suggestions": [
"Use parameterized queries or an ORM to prevent SQL injection on line 42",
"Add error logging in the catch block on line 87",
"Extract the authentication logic into a separate middleware module"
],
"summary": "The auth module has a critical SQL injection vulnerability and several error handling gaps. Core logic is sound but needs security hardening.",
"totalIssues": 2,
"lines": 142,
"aiPowered": true,
"model": "anthropic/claude-haiku-4-5"
}
Language Support
Works with any language your AI model understands. The local pre-pass targets common patterns across languages. AI review tested with:
JavaScript, TypeScript, Python, Go, Rust, Java, C#, Ruby, PHP, Swift, Kotlin
Technical Details
- Zero npm dependencies — Pure Node.js using only built-in
https,http,fs, andpathmodules - File truncation — Files are truncated at 8,000 characters before sending to AI to stay within token limits
- Concurrency control — Directory reviews process files in configurable parallel batches (default: 3)
- Graceful degradation — AI failures never crash; local results are always available
⚠️ Disclaimer
This software is provided "AS IS", without warranty of any kind, express or implied.
USE AT YOUR OWN RISK.
- The author(s) are NOT liable for any damages, losses, or consequences arising from the use or misuse of this software — including but not limited to financial loss, data loss, security breaches, business interruption, or any indirect/consequential damages.
- This software does NOT constitute financial, legal, trading, or professional advice.
- Users are solely responsible for evaluating whether this software is suitable for their use case, environment, and risk tolerance.
- No guarantee is made regarding accuracy, reliability, completeness, or fitness for any particular purpose.
- The author(s) are not responsible for how third parties use, modify, or distribute this software after purchase.
By downloading, installing, or using this software, you acknowledge that you have read this disclaimer and agree to use the software entirely at your own risk.
DATA DISCLAIMER: When an AI model is configured, this software sends your source code and static analysis findings to the configured provider (Anthropic, OpenAI, or a local Ollama instance). Do not run it over code containing secrets or sensitive data unless you understand where data is sent. Without an API key, all analysis is local-only. The author(s) are not responsible for data loss, corruption, or unauthorized access resulting from software bugs, system failures, or user error. Always maintain independent backups of important data. When AI models are configured, file contents are sent to the respective AI provider's API (Anthropic, OpenAI, or your local Ollama instance). No data is transmitted externally when running in local-only mode (no model configured).
Support & Links
| 🐛 Bug Reports | [email protected] |
| ☕ Ko-fi | ko-fi.com/theshadowrose |
| 🛒 Gumroad | shadowyrose.gumroad.com |
| @TheShadowyRose | |
| 🐙 GitHub | github.com/TheShadowRose |
| 🧠 PromptBase | promptbase.com/profile/shadowrose |
Built with OpenClaw — thank you for making this possible.
🛠️ Need something custom? Custom OpenClaw agents & skills starting at $500. If you can describe it, I can build it. → Hire me on Fiverr
安全使用建议
This skill appears to do what it says: it runs a local regex pre-pass and (optionally) sends code and the local findings to a chosen AI model for a deeper review. Important considerations before installing or using it:
- If you configure Anthropic or OpenAI, your source code (up to 8,000 characters per file) and any local findings will be transmitted to those third-party services. Do not use those remote providers for proprietary, sensitive, or regulated code you cannot share. Prefer a local Ollama instance for fully local reviews.
- API keys are optional; the skill will run local-only analysis without them. If you do provide keys, use dedicated, scoped keys and rotate them if needed.
- The skill enforces a strict JSON output expectation from the model. This is normal for reliable parsing but may cause parse errors if the remote model returns unexpected text.
- The local regex patterns may surface false positives (e.g., secret detection). Review flagged issues manually before acting.
If you need greater assurance: review the full src/code-review.js yourself, run the tool in an isolated environment, or use a local Ollama deployment to avoid sending code off-host.
功能分析
Type: OpenClaw Skill
Name: code-review-sr
Version: 1.0.4
The CodeReview bundle is a legitimate AI-powered static analysis tool that performs local regex-based checks and optional deep analysis via Anthropic, OpenAI, or Ollama APIs. The code in `src/code-review.js` is transparent, uses only built-in Node.js modules, and contains no evidence of malicious intent, data exfiltration to unauthorized endpoints, or hidden backdoors. The documentation in `SKILL.md` and `README.md` clearly discloses that source code is sent to configured AI providers for analysis.
能力评估
Purpose & Capability
Name/description match the implementation: a local regex pre-pass plus optional AI-powered review. Optional API keys for Anthropic/OpenAI and local Ollama are expected for the described functionality. No unrelated binaries, config paths, or credentials are requested.
Instruction Scope
SKILL.md and src/code-review.js explicitly send file contents (truncated to 8000 chars) and local findings to the chosen AI provider. That behavior is consistent with a code-review tool but means source (including secrets) will be transmitted to external services when using remote providers. The skill also builds a strict system prompt asking the model to output JSON-only — this is expected for parsing but was flagged as a prompt-override pattern by static scanning.
Install Mechanism
Instruction-only plus a single JS source file; no install spec, no external downloads, and the code claims zero npm dependencies (uses built-in Node modules). No high-risk installation behavior detected.
Credentials
No required environment variables are declared. The code optionally reads ANTHROPIC_API_KEY / CLAUDE_API_KEY, OPENAI_API_KEY, and OLLAMA_HOST/OLLAMA_PORT — all directly relevant to choosing a remote or local model. These optional creds are proportional to the stated purpose.
Persistence & Privilege
Skill is not marked always:true and does not request persistent system-wide privileges. It does not modify other skills' configs or request elevated system access.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install code-review-sr - 安装完成后,直接呼叫该 Skill 的名称或使用
/code-review-sr触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.4
**Added environment variable documentation and improved data use disclaimer.**
- Declared required and optional environment variables for Anthropic, OpenAI, and Ollama integration in SKILL.md.
- Clarified which environment variables are used for each provider (e.g., ANTHROPIC_API_KEY, OPENAI_API_KEY, OLLAMA_HOST, OLLAMA_PORT).
- Updated the data disclaimer to warn users not to analyze sensitive code with external AI, and clarified data handling behavior.
- Version bumped to 1.0.4.
v1.0.3
- Version bump to 1.0.3.
- Updated documentation in SKILL.md to reflect the new version number.
- No functional code changes indicated.
v1.0.2
- Adds fast local static analysis as a pre-pass, using regex matching to catch common security issues, bugs, and code smells before AI review.
- Supports Anthropic, OpenAI, and Ollama models; introduces graceful fallback to local-only analysis if no API key is set or AI call fails.
- New directory review feature with concurrency control for batch analysis of multiple files.
- Expanded model and usage documentation with detailed output format and improved language support description.
- Updates tags and skill description for improved discoverability and clarity.
v1.0.1
- Updated SKILL.md to add a skill slug and correct the display name
- Fixed encoding issue: removed replacement character from name and title
- Incremented version number to 1.0.1
v1.0.0
Initial upload
元数据
常见问题
Code Review 是什么?
AI-powered code review that combines fast local static analysis with deep AI reasoning. Catches bugs, security vulnerabilities, performance issues, and style... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 603 次。
如何安装 Code Review?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install code-review-sr」即可一键安装,无需额外配置。
Code Review 是免费的吗?
是的,Code Review 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Code Review 支持哪些平台?
Code Review 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Code Review?
由 Shadow Rose(@theshadowrose)开发并维护,当前版本 v1.0.4。
推荐 Skills