← 返回 Skills 市场
supermario11

Cuihua Code Reviewer

作者 supermario11 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
122
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install cuihua-code-reviewer
功能描述
AI-powered code review assistant for OpenClaw agent developers. Automatically analyzes code quality, detects security vulnerabilities, performance issues, an...
使用说明 (SKILL.md)

code-reviewer - AI Code Review Assistant 🔍

Built for AI agent developers who care about code quality.

An intelligent code review assistant that analyzes your codebase and provides detailed, actionable feedback on:

  • 🛡️ Security vulnerabilities
  • Performance bottlenecks
  • 🧹 Code smells and anti-patterns
  • Best practices adherence
  • 📚 Documentation quality

🎯 Why code-reviewer?

When building AI agents with OpenClaw, code quality matters more than ever:

  • Agents often run with elevated permissions
  • Security vulnerabilities can be exploited by malicious prompts
  • Performance issues compound when agents loop
  • Maintainability is critical for evolving agent behavior

code-reviewer understands these unique challenges and provides tailored advice.

🚀 Quick Start

Review a single file

Tell your agent:

"Review the code quality of src/agent.js"

Review an entire directory

"Analyze all Python files in ./skills/my-skill/"

Get a detailed report

"Generate a full code review report for the current project"

📋 What Gets Checked

Security 🛡️

  • Injection vulnerabilities - Command injection, path traversal, eval usage
  • Sensitive data exposure - Hardcoded secrets, API keys in code
  • Unsafe dependencies - Known CVEs in package.json/requirements.txt
  • Permission issues - Overly broad file access, unnecessary privileges

Performance ⚡

  • Inefficient algorithms - O(n²) when O(n) exists, unnecessary loops
  • Memory leaks - Unreleased resources, closure traps
  • Blocking operations - Sync file I/O in async contexts
  • Redundant computations - Repeated calculations, unnecessary allocations

Code Quality 🧹

  • Code smells - Long functions, deep nesting, duplicated code
  • Naming conventions - Inconsistent or unclear variable names
  • Dead code - Unused imports, unreachable statements
  • Magic numbers - Hardcoded values without explanation

Best Practices ✨

  • Error handling - Unhandled promises, swallowed exceptions
  • Testing - Missing tests, low coverage areas
  • Documentation - Missing docstrings, unclear comments
  • Type safety - Missing type annotations (TypeScript/Python)

🎨 Output Format

Terminal Summary

🔍 Code Review Summary
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

📁 Files analyzed: 12
⚠️  Issues found: 8

Severity Breakdown:
  🔴 Critical: 1
  🟠 High:     2
  🟡 Medium:   3
  🟢 Low:      2

Top Issues:
  1. [CRITICAL] SQL injection vulnerability in query.js:45
  2. [HIGH] Hardcoded API key in config.js:12
  3. [HIGH] Memory leak in worker.js:78

💡 Run with --detailed for full report

Detailed Markdown Report

Saved to code-review-report.md:

# Code Review Report

**Generated**: 2026-03-24 20:30 PDT
**Project**: my-agent-project
**Files Reviewed**: 12
**Total Issues**: 8

## 🔴 Critical Issues (1)

### 1. SQL Injection Vulnerability
**File**: `src/query.js:45`
**Severity**: CRITICAL

**Issue**:
Unsanitized user input directly interpolated into SQL query.

**Code**:
\`\`\`javascript
const query = `SELECT * FROM users WHERE id = ${userId}`;
\`\`\`

**Impact**:
Allows arbitrary SQL execution. Attacker could read/modify database.

**Fix**:
Use parameterized queries:
\`\`\`javascript
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);
\`\`\`

---

## 🟠 High Priority Issues (2)

### 2. Hardcoded API Key
**File**: `config.js:12`
...

⚙️ Configuration

Create .codereview.json in your project root for custom rules:

{
  "severity": {
    "min": "medium",
    "failOnCritical": true
  },
  "ignore": {
    "files": ["*.test.js", "dist/*"],
    "rules": ["magic-numbers"]
  },
  "languages": ["javascript", "python"],
  "output": {
    "format": "markdown",
    "path": "./reports/code-review.md"
  }
}

🧠 How It Works

  1. Parse - Reads your code files using OpenClaw's read tool
  2. Analyze - Uses AI to understand code structure and intent
  3. Detect - Applies security, performance, and quality rules
  4. Report - Generates actionable findings with fix suggestions
  5. Learn - Adapts to your codebase patterns over time

🌟 Features

Multi-Language Support

  • ✅ JavaScript / TypeScript
  • ✅ Python
  • ✅ Go
  • ✅ Rust
  • ✅ Shell scripts
  • 🔄 More languages coming soon

Smart Context Awareness

Understands your project type:

  • OpenClaw skills and plugins
  • Express/Fastify APIs
  • React/Vue frontends
  • CLI tools
  • Lambda functions

Incremental Reviews

Reviews only changed files in Git:

"Review my latest changes"

Team Integration

Share review reports with your team:

  • Export to GitHub PR comments
  • Slack/Discord notifications
  • Email summaries

💡 Usage Examples

Example 1: Pre-commit Review

Agent: Review all staged files before I commit

Output:

✅ All clear! No critical issues found.
💡 3 minor suggestions:
  - Consider adding error handling in auth.js:23
  - Variable 'temp' could use a better name in utils.js:56
  - Add JSDoc for function processData() in api.js:12

Example 2: Security Audit

Agent: Run a security audit on ./src/

Output:

🛡️ Security Audit Results
━━━━━━━━━━━━━━━━━━━━━━━

🔴 1 critical vulnerability found
🟠 2 high-risk issues detected

Details:
1. [CRITICAL] Command injection in exec.js
2. [HIGH] Sensitive data in logs
3. [HIGH] Missing input validation

📄 Full report: security-audit-2026-03-24.md

Example 3: Performance Check

Agent: Find performance bottlenecks in worker.js

Output:

⚡ Performance Analysis
━━━━━━━━━━━━━━━━━━━━━

Found 3 optimization opportunities:

1. Line 45: O(n²) loop - use Map for O(n)
2. Line 67: Sync file read blocks event loop
3. Line 89: Regex compiled in hot path

Estimated improvement: 85% faster

🔒 Privacy & Security

  • Runs locally - Your code never leaves your machine
  • No telemetry - Zero data collection
  • Open source - Audit the code yourself
  • Safe analysis - Never executes your code

📦 Installation

Via ClawHub (Recommended)

clawhub install code-reviewer

Manual Installation

git clone https://github.com/your-username/code-reviewer
cd code-reviewer
clawhub publish .

🤝 Contributing

Found a bug? Have a feature idea?

📜 License

MIT License - see LICENSE for details.

🙏 Acknowledgments

Built with ❤️ by 翠花 for the OpenClaw community.

Special thanks to:

  • OpenClaw team for the amazing framework
  • ClawHub for making skill distribution easy
  • Early adopters for feedback and bug reports

📞 Support

Made with 🌸 by 翠花 | ClawHub Pioneer

安全使用建议
This package appears to be a legitimate local code-review tool, but there are a few red flags to check before you install or run it: 1) Runtime mismatch: the bundle contains a Node script (analyzer.js) but the skill only lists 'git' as a required binary — ensure your environment has Node and that the skill author updates requirements. 2) Undeclared external integrations: examples show posting reports to Slack (SLACK_WEBHOOK_URL) and running an HTTP API server; the skill does not declare any required env vars for these. Only provide webhooks or tokens if you trust the skill and its source. 3) Confirm source and provenance: the registry entry has no homepage and an unknown owner; if you can't audit the code yourself, treat it as higher risk. 4) Audit the code: review analyzer.js and EXAMPLES.md locally before running; pay attention to any code paths that open network connections, spawn processes, or write files outside the project. 5) Run in a restricted environment first: test in an isolated/sandboxed repo or container, avoid giving CI secrets or webhooks until you're confident. 6) If you plan to enable pre-commit hooks or scheduled runs, inspect and control those hooks yourself rather than automatically applying them. If you want me to, I can: list the exact places analyzer.js performs file or network I/O, point out any lines that would execute child processes, or produce a minimal checklist for safely auditing and running this skill.
功能分析
Type: OpenClaw Skill Name: cuihua-code-reviewer Version: 1.0.0 The code-reviewer skill is a static analysis tool designed to identify security vulnerabilities, performance bottlenecks, and code quality issues. The core logic in analyzer.js uses regular expressions to detect patterns such as hardcoded secrets, command injection, and SQL injection, while test-bad-code.js serves as a legitimate test suite for these detections. The tool operates locally, lacks network exfiltration capabilities, and its instructions in SKILL.md are strictly aligned with its stated purpose of assisting developers in improving code safety.
能力评估
Purpose & Capability
The name, description, SKILL.md and included analyzer.js/test files are coherent for a code-reviewer. However the declared requirements list only 'git' while the shipped implementation is a Node script (analyzer.js) — the skill does not declare 'node' or the Node runtime as a required binary. Examples also reference environment variables (e.g., SLACK_WEBHOOK_URL) and features (API server mode, CI/CD integration) that are not declared in requires.env. These omissions are inconsistent with the stated capabilities and should be corrected or explained.
Instruction Scope
Most runtime instructions stay within the code-review scope (reading files, analyzing, generating reports). But examples and SKILL.md include steps that transmit reports externally (Slack webhook example, CI job that uploads reports, an API server example that accepts code over HTTP), and the SKILL.md claims ‘Runs locally - code never leaves your machine’ while also documenting ways to send data to external endpoints. The skill's runtime code (analyzer.js) reads arbitrary files via fs APIs and example scripts show analyzing entire directories and scheduled reviews — which is expected for a reviewer but increases blast radius if paired with external reporting/webhook configuration. Also SKILL.md mentions using OpenClaw's 'read' tool but the implementation uses fs.readFileSync directly — a minor mismatch in how file access is done.
Install Mechanism
There is no external install step that downloads remote archives or runs scripts from arbitrary URLs — the package is instruction+source included in the bundle (analyzer.js, examples, tests). That lowers install-time supply-chain risk. No brew/npm/go downloads or extract-from-URL instructions are present.
Credentials
The skill declares no required environment variables, yet documentation and example code reference process.env.SLACK_WEBHOOK_URL and other env-driven behavior (e.g., sending notifications). The analyzer also scans for hardcoded secrets and contains test code with a fake OpenAI key; that's expected. But lack of declared env requirements (and lack of a declared primary credential) is an omission: if you wire up webhooks or CI, sensitive tokens could be used to transmit data externally. Also omission of 'node' as a required binary is inconsistent with the Node-based analyzer implementation.
Persistence & Privilege
The skill is not marked always:true and does not request persistent platform privileges. It does not modify other skills. Examples include installing a pre-commit hook and running scheduled cron jobs — those are user actions and not automatic. Autonomous invocation is enabled by default (disable-model-invocation: false) which is standard; this combined with the above concerns increases impact if the skill were malicious, but on its own is not unusual.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install cuihua-code-reviewer
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /cuihua-code-reviewer 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
🌸 First release! AI-powered code review for OpenClaw agents.
元数据
Slug cuihua-code-reviewer
版本 1.0.0
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 1
常见问题

Cuihua Code Reviewer 是什么?

AI-powered code review assistant for OpenClaw agent developers. Automatically analyzes code quality, detects security vulnerabilities, performance issues, an... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 122 次。

如何安装 Cuihua Code Reviewer?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install cuihua-code-reviewer」即可一键安装,无需额外配置。

Cuihua Code Reviewer 是免费的吗?

是的,Cuihua Code Reviewer 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Cuihua Code Reviewer 支持哪些平台?

Cuihua Code Reviewer 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Cuihua Code Reviewer?

由 supermario11(@supermario11)开发并维护,当前版本 v1.0.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论