
GitLab MR Code Review

Author gotoloops · GitHub · v1.0.3 · MIT-0
cross-platform ⚠ suspicious
149 total downloads · 1 favorites · 1 current installs · 3 versions
Install in OpenClaw: /install gitlab-auto-review
Description
Automated AI code review for GitLab Merge Requests via polling. Periodically checks for open MRs, reviews code diffs for security vulnerabilities, bugs, and...
Usage (SKILL.md)

GitLab MR Code Review

Polling-based automated code review for GitLab MRs.

Architecture

Cron (*/2 * * * *) → gitlab-api.js list-mrs → skip reviewed → fetch diff → AI review → post comments/note
  • No webhook server — pure polling
  • Reviewed MRs tracked in {baseDir}/mr-reviewed.json

Setup

  1. Create {baseDir}/.env with your GitLab credentials:
    GITLAB_URL=https://gitlab.example.com
    GITLAB_TOKEN=glpat-xxxxxxxxxxxxxxxxxxxx
    
    The script auto-loads this file. Environment variables take precedence (won't be overwritten if already set).
  2. Test: node {baseDir}/scripts/gitlab-api.js get-version
  3. Install cron worker — see references/cron-setup.md for the full command

API Script Reference

node {baseDir}/scripts/gitlab-api.js get-version                              # Test connection
node {baseDir}/scripts/gitlab-api.js list-mrs                                 # List open MRs
node {baseDir}/scripts/gitlab-api.js list-mrs --project <project_path>        # Filter by project
node {baseDir}/scripts/gitlab-api.js get-changes <project_id> <mr_iid>        # Fetch MR diff
node {baseDir}/scripts/gitlab-api.js get-file <project_id> <branch> <path>    # Fetch file content
node {baseDir}/scripts/gitlab-api.js post-comment --file <json> <pid> <iid>   # Inline comment (use --file!)
node {baseDir}/scripts/gitlab-api.js post-note <project_id> <mr_iid> '<text>' # Summary note

post-comment JSON format

{
  "body": "**[Critical]** sql_injection\n\nRaw query with user input.",
  "position": {
    "base_sha": "abc123",
    "start_sha": "def456",
    "head_sha": "ghi789",
    "new_path": "src/db.js",
    "new_line": 42
  }
}

base_sha/start_sha/head_sha come from get-changes output's diff_refs.
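As an added example (not code from the skill's own gitlab-api.js), the Node.js module below builds the post-comment payload shown above from the diff_refs object that get-changes returns, validating the fields the Troubleshooting section warns about, and implements the architecture's "skip reviewed" step with a ledger keyed by project, MR iid and head_sha so that a fresh push is reviewed again while the same commit is not. The ledger layout, the finding shape and the severity labels are assumptions; the page does not document the contents of mr-reviewed.json.

```javascript
// Added example, not the skill's own gitlab-api.js. Builds the post-comment JSON
// from get-changes' diff_refs and keeps an "already reviewed" ledger. The ledger
// layout and the `finding` shape are assumptions; the page does not document them.
const SEVERITIES = new Set(['Critical', 'High', 'Medium', 'Low']); // assumed labels
const SHA_RE = /^[0-9a-f]{7,40}$/i; // abbreviated or full git SHA

// finding = { severity, rule, message, path, newLine } (assumed shape of one AI finding).
function buildInlineComment(diffRefs, finding) {
  for (const key of ['base_sha', 'start_sha', 'head_sha']) {
    const v = diffRefs && diffRefs[key];
    if (typeof v !== 'string' || !SHA_RE.test(v)) {
      throw new Error(`diff_refs.${key} missing or not a git SHA`);
    }
  }
  // new_line is the line number in the NEW version of the file (see Troubleshooting).
  if (!Number.isInteger(finding.newLine) || finding.newLine < 1) {
    throw new Error('new_line must be a positive integer in the new file');
  }
  if (!SEVERITIES.has(finding.severity)) {
    throw new Error(`unknown severity: ${finding.severity}`);
  }
  // new_path is repo-relative; reject absolute or traversing paths from a model's output.
  if (typeof finding.path !== 'string' || finding.path.startsWith('/') || finding.path.split('/').includes('..')) {
    throw new Error('new_path must be a repo-relative path');
  }
  return {
    body: `**[${finding.severity}]** ${finding.rule}\n\n${finding.message}`,
    position: {
      base_sha: diffRefs.base_sha,
      start_sha: diffRefs.start_sha,
      head_sha: diffRefs.head_sha,
      new_path: finding.path,
      new_line: finding.newLine,
    },
  };
}

// Ledger key includes head_sha: a fresh push is reviewed again, the same commit is skipped.
function reviewKey(projectId, mrIid, headSha) {
  return `${projectId}!${mrIid}@${headSha}`;
}

function alreadyReviewed(ledger, projectId, mrIid, headSha) {
  return Object.prototype.hasOwnProperty.call(ledger, reviewKey(projectId, mrIid, headSha));
}
// Returns a new ledger; the worker persists it (e.g. JSON.stringify to mr-reviewed.json).
function markReviewed(ledger, projectId, mrIid, headSha, when = new Date().toISOString()) {
  return { ...ledger, [reviewKey(projectId, mrIid, headSha)]: when };
}
```

The ledger is kept pure so the worker can read it from disk, consult it, and write it back in one place; the page's abc123-style SHAs are placeholders and would not pass the hex check.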

Review Rules

  • Default: references/review-guidelines.md — severity levels, output format, what to skip
  • Per-project: Place .gitlab-review-prompt.md in the repo root; the worker auto-fetches it via get-file

Troubleshooting

  Problem              Fix
  MRs not reviewed     openclaw cron list — is worker enabled?
  API errors           node {baseDir}/scripts/gitlab-api.js get-version
  Duplicate reviews    Check {baseDir}/mr-reviewed.json exists and is writable; ensure cron prompt has explicit "never re-review" rule at highest priority
  Garbled comments     Use --file mode for post-comment (Windows PowerShell encoding)
  Wrong line numbers   new_line must be the line number in the NEW version of the file
Safe-usage recommendations
This skill appears to do what it says, but take these precautions before enabling it:
  • Review the included script (scripts/gitlab-api.js) yourself — it makes only GitLab API calls and writes/reads a local reviewed-log file.
  • Use a least-privilege GitLab token: grant only the scopes needed to read MRs and post comments/notes (avoid full admin scopes). Prefer a project-scoped token if possible.
  • Protect the .env file and any stored token (file permissions, secrets manager) and rotate the token if compromised.
  • Test the worker in a safe/test project first to verify behavior and comment formatting.
  • Note the cron setup instructs the worker to run without prompts — ensure you want an unattended process that will post directly to MRs.
  • Minor technical notes: the helper uses md5-based line_code (comment text said SHA256), and it relies on Node's fetch availability (Node 18+ or polyfill). Ensure your environment matches.
If you want tighter control, run the script manually or limit the cron schedule while evaluating, and confirm the token scope before granting it to the worker.
Capability analysis
Type: OpenClaw Skill · Name: gitlab-auto-review · Version: 1.0.3
The skill is a legitimate automation tool for GitLab Merge Request reviews via polling. It uses a Node.js helper script (gitlab-api.js) to interact with the GitLab API using user-provided credentials (GITLAB_TOKEN). The instructions in SKILL.md and cron-setup.md are strictly aligned with the stated purpose of checking for new MRs, fetching diffs, and posting AI-generated feedback. The implementation includes defensive practices, such as using temporary files for JSON payloads to avoid shell injection or encoding issues. No evidence of data exfiltration, unauthorized execution, or malicious prompt injection was found.
Capability tags
crypto
Capability assessment
Purpose & Capability
Name/description (automated MR review) align with requested binaries (node), required env vars (GITLAB_URL, GITLAB_TOKEN), and included scripts that call the GitLab API. The primary credential is the GitLab token as expected.
Instruction Scope
SKILL.md and cron instructions stay inside the review workflow (polling MRs, fetching diffs, posting comments/notes). They explicitly direct the agent to read/write {baseDir}/mr-reviewed.json and to create a local .env with credentials (expected for an autonomous worker). The cron message instructs the worker to "Do not ask for permission — execute directly," which is normal for unattended cron workers but worth noting because it emphasizes autonomous actions.
Install Mechanism
No install spec — instruction-only with a single local JS helper script. Nothing is downloaded or installed from external arbitrary URLs.
Credentials
Only GITLAB_URL and GITLAB_TOKEN are required, which are proportional to the task. No unrelated credentials, secrets, or unexpected config paths are requested.
Persistence & Privilege
Skill doesn't set always:true. The provided cron setup will create a persistent scheduled worker that runs autonomously (the cron message explicitly tells the worker to act without asking). This is reasonable for automation but increases how often the token is used and the blast radius if the token has broad scopes.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install gitlab-auto-review
  3. After installation, call the Skill by name directly or trigger it with /gitlab-auto-review
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.3
  • Added troubleshooting guidance: clarify that cron prompt should have an explicit "never re-review" rule at highest priority to prevent duplicate reviews.
  • No code or functional changes; documentation update only.
v1.0.1
  • Updated setup instructions to clarify creation and use of the `{baseDir}/.env` file for GitLab credentials.
  • Noted that environment variables take precedence over `.env` values and will not be overwritten if already set.
  • No functional changes to the skill itself; documentation improvements only.
v1.0.0
  • Initial release: Automated AI code review for GitLab Merge Requests via polling.
  • Reviews code diffs for security, bugs, and best practices, posting inline comments and summary notes directly on GitLab.
  • Supports custom project-level review rules with `.gitlab-review-prompt.md`.
  • Simple setup: configure via environment variables and cron job; no webhooks required.
  • Includes troubleshooting tips and a detailed API script reference for integration and testing.
Metadata
  Slug              gitlab-auto-review
  Version           1.0.3
  License           MIT-0
  Total installs    1
  Current installs  1
  Versions          3
FAQ

What is GitLab MR Code Review?

Automated AI code review for GitLab Merge Requests via polling. Periodically checks for open MRs, reviews code diffs for security vulnerabilities, bugs, and... It is an AI Agent Skill plugin for Claude Code / OpenClaw, currently with 149 total downloads.

How do I install GitLab MR Code Review?

Run the command "/install gitlab-auto-review" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is GitLab MR Code Review free?

Yes, GitLab MR Code Review is completely free, under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does GitLab MR Code Review support?

GitLab MR Code Review runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed GitLab MR Code Review?

Developed and maintained by gotoloops (@gotoloops); current version v1.0.3.
