neuyazvimyi

gitlab-code-reviewer

Author: Alibek Beldinov · GitHub · v1.0.2
cross-platform · ⚠ suspicious
386 total downloads · 1 favorite · 0 current installs · 3 versions
Install in OpenClaw: `/install gitlab-code-reviewer`

Description

Senior-level code review for GitLab merge requests. Use when: reviewing MRs, providing feedback on code quality, security, performance, maintainability, or p...

Usage (SKILL.md)

# GitLab MR Code Review

## Workflow

### 1. Read credentials and check token scope

Credentials: `~/.openclaw/credentials/gitlab.json`

```json
{
  "token": "glpat-xxx",
  "host": "https://gitlab.com",
  "ignore_patterns": ["*.min.js", "*.lock", "forms/*.json"]
}
```

Required API scopes:
- `api` — required for posting inline comments
- `read_api` — sufficient for analysis only (no comment posting)

**Always run token check first** to know upfront whether comments can be posted:

```bash
python scripts/gitlab_client.py check-token <mr_url>
```

Output includes `"can_write": true/false`. If `false`, skip step 6 and inform the user that the token needs the `api` scope to post comments. Do NOT proceed to analysis and then fail at step 6.
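One way to implement the `check-token` decision, as an added example in Python (not the skill's own `gitlab_client.py`, whose internals the page does not show): it derives `can_write` from the scopes GitLab reports for the token and, because the safety notes further down point out that the scope lookup runs against the host in the credentials file while later calls use the MR's host, it refuses to report `can_write` when the two hosts differ. The `token_info` dictionary stands in for the JSON body of GitLab's `GET /api/v4/personal_access_tokens/self` endpoint; how the real script performs that lookup is an assumption, the sample values are constructed, and no network call is made.

```python
"""Added example (not the skill's gitlab_client.py): decide up front whether
inline comments can be posted, and distrust that answer when the credentials
host and the merge request host differ."""
import json
from urllib.parse import urlparse

# Scope semantics as GitLab documents them: `api` can write (post discussions),
# `read_api` can only read. Any other scope is irrelevant for this skill.
WRITE_SCOPES = {"api"}
READ_SCOPES = {"api", "read_api"}


def load_credentials(text: str) -> dict:
    """Parse the gitlab.json shape shown above; `ignore_patterns` is optional."""
    creds = json.loads(text)
    for key in ("token", "host"):
        if not isinstance(creds.get(key), str) or not creds[key]:
            raise ValueError(f"credentials file is missing required string field {key!r}")
    creds.setdefault("ignore_patterns", [])
    # Normalise so a trailing slash or capitalised host cannot cause a false mismatch.
    creds["host"] = creds["host"].rstrip("/").lower()
    return creds


def mr_host(mr_url: str) -> str:
    """Origin (scheme + host) of a merge request URL, e.g.
    https://gitlab.example.com/group/project/-/merge_requests/7 -> https://gitlab.example.com"""
    u = urlparse(mr_url)
    if u.scheme not in ("http", "https") or not u.netloc or "/-/merge_requests/" not in u.path:
        raise ValueError(f"not a GitLab merge request URL: {mr_url}")
    return f"{u.scheme}://{u.netloc}".lower()


def check_token(creds: dict, token_info: dict, mr_url: str) -> dict:
    """Return the verdict the workflow expects from `check-token`.

    `token_info` is the JSON body of GET /api/v4/personal_access_tokens/self,
    answered by creds["host"] (constructed by the caller here; no network).
    """
    scopes = set(token_info.get("scopes", []))
    active = bool(token_info.get("active", False)) and not token_info.get("revoked", False)
    host_match = mr_host(mr_url) == creds["host"]
    verdict = {
        "host_match": host_match,
        "active": active,
        "can_read": active and host_match and bool(scopes & READ_SCOPES),
        "can_write": active and host_match and bool(scopes & WRITE_SCOPES),
    }
    if not host_match:
        # The scope answer came from creds["host"]; it proves nothing about the
        # MR host, so say so instead of guessing.
        verdict["reason"] = (f"credentials host {creds['host']} does not match "
                             f"MR host {mr_host(mr_url)}; update gitlab.json")
    elif not verdict["can_write"]:
        verdict["reason"] = "token lacks the `api` scope; analysis only, step 6 will be skipped"
    return verdict


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials or a real token response.
    creds = load_credentials('{"token": "glpat-xxx", "host": "https://gitlab.com/"}')
    info = {"scopes": ["read_api"], "active": True, "revoked": False}
    print(json.dumps(check_token(creds, info, "https://gitlab.com/grp/proj/-/merge_requests/42"), indent=2))
```

The verdict carries a `reason` whenever `can_write` is false, so the agent can relay the exact fix (wrong host, or missing `api` scope) before it spends time on analysis.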

### 2. Fetch MR metadata and diff

```bash
python scripts/gitlab_client.py fetch-mr   <mr_url>
python scripts/gitlab_client.py fetch-diff <mr_url>
```

`fetch-diff` returns a JSON array. Each entry contains `new_path`, `old_path`, `diff` (unified diff text), and boolean flags `new_file`, `deleted_file`, `renamed_file`.

> **Fallback**: if the `/diffs` endpoint returns HTTP 500 (some self-hosted GitLab instances), the script automatically retries via `/changes`. No manual intervention needed.

### 3. Filter files

Use `ignore_matcher.py` to exclude files before analysis:

```python
from ignore_matcher import filter_diffs
reviewable = filter_diffs(all_diffs)   # merges defaults + credentials ignore_patterns
```

**Default ignore patterns** (always applied, even without credentials file):
`*.min.js`, `*.min.css`, `*.lock`, `package-lock.json`, `pnpm-lock.yaml`, `forms/*.json`

Binary extensions (`.png`, `.jar`, `.class`, `.map`, etc.) are always skipped.
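As an added example of step 3 (not the skill's own `ignore_matcher.py`, whose internals the page does not show), the filter below applies the default patterns, the `ignore_patterns` from `gitlab.json`, and the binary-extension rule to a `fetch-diff` result. It matches each glob against the full path as well as the basename, checks both sides of a rename, and drops entries with an empty diff. The binary extension list beyond the four the page names and the sample diff entries are constructed for the example.

```python
"""Added example of the step 3 filter; not the skill's own ignore_matcher.py."""
from fnmatch import fnmatch
from pathlib import PurePosixPath

# Defaults from SKILL.md, always applied even without a credentials file.
DEFAULT_IGNORE = ["*.min.js", "*.min.css", "*.lock",
                  "package-lock.json", "pnpm-lock.yaml", "forms/*.json"]
# Extension list is an assumption; SKILL.md only names .png, .jar, .class, .map "etc."
BINARY_EXT = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".pdf", ".zip", ".gz",
              ".jar", ".class", ".map", ".woff", ".woff2", ".ttf", ".so", ".dll"}


def matches_ignore(path: str, patterns) -> bool:
    """True if any glob matches the full path or just the basename, so "*.lock"
    catches nested lockfiles while "forms/*.json" stays anchored to forms/."""
    name = PurePosixPath(path).name
    return any(fnmatch(path, p) or fnmatch(name, p) for p in patterns)


def is_binary(path: str) -> bool:
    return PurePosixPath(path).suffix.lower() in BINARY_EXT


def filter_diffs(all_diffs, extra_patterns=()):
    """Return the entries of a fetch-diff array worth analysing.

    `extra_patterns` is the `ignore_patterns` list from gitlab.json; it is merged
    with DEFAULT_IGNORE rather than replacing it.
    """
    patterns = list(DEFAULT_IGNORE) + list(extra_patterns)
    reviewable = []
    for entry in all_diffs:
        # Check both sides of a rename so an ignored file cannot re-enter review
        # merely by being renamed in the same MR.
        paths = [p for p in (entry.get("new_path"), entry.get("old_path")) if p]
        if any(matches_ignore(p, patterns) or is_binary(p) for p in paths):
            continue
        if not entry.get("diff", "").strip():
            continue  # mode-only or empty change: nothing to comment on
        reviewable.append(entry)
    return reviewable


def _entry(new_path, old_path=None, diff="@@ -1 +1 @@\n-a\n+b\n", **flags):
    """Build a constructed fetch-diff entry in the shape SKILL.md documents."""
    return {"new_path": new_path, "old_path": old_path or new_path, "diff": diff,
            "new_file": False, "deleted_file": False, "renamed_file": False, **flags}


# Constructed sample, not output from a real MR.
SAMPLE_DIFFS = [
    _entry("src/main/UserService.java"),
    _entry("src/components/App.tsx"),
    _entry("dist/app.min.js"),                                  # default pattern
    _entry("forms/login.json"),                                 # anchored default pattern
    _entry("services/api/yarn.lock"),                           # nested lockfile
    _entry("assets/logo.png"),                                  # binary
    _entry("src/new.ts", "src/old.min.js", renamed_file=True),  # renamed from an ignored file
    _entry("config/app.yaml", diff=""),                         # empty diff
    _entry("src/models/legacy.json"),                           # ignored only via gitlab.json
]

if __name__ == "__main__":
    for d in filter_diffs(SAMPLE_DIFFS, ["src/models/*.json"]):
        print(d["new_path"])
```

Because `fnmatch` lets `*` match `/`, `*.lock` also catches `services/api/yarn.lock`; `forms/*.json` only matches paths that start with `forms/`, which is the anchoring the default list appears to intend.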

### 4. Analyze the diff

- Analyze only modified lines (added/removed in the diff). Do not comment on unchanged context lines.
- If the total diff is large, process file-by-file and aggregate results.
- Read `references/review-guidelines.md` for all review rules, severity definitions, and comment format.

**Focus areas:**
- Java / Spring Boot — Clean Code, SOLID, transaction boundaries, lazy loading
- MongoDB — query correctness, index coverage, atomicity
- PostgreSQL — SQL correctness, isolation levels, index/schema migrations
- React / TypeScript — hooks correctness, type safety, XSS, stale closures

### 5. Structure the chat summary

Group findings by severity:

```
## Code Review — <MR title> (<source_branch> → <target_branch>)

### Critical
- `UserService.java:42` — Transaction wraps HTTP call; holds DB lock during network I/O.

### Major
- `OrderRepository.java:87` — N+1: `findRolesByUserId` called inside loop. Use batch query.

### Minor
- `PaymentDto.java:15` — Field name `val` is not descriptive.

### Decision: Needs changes
```

Decision options: **Pass** / **Needs changes** / **Reject**
- Pass: no Critical or Major findings
- Needs changes: one or more Major findings, no Critical
- Reject: one or more Critical findings
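An added example (Python, not the skill's code) of step 5: it groups findings by severity in the template above, applies the Pass / Needs changes / Reject table, and merges similar findings across files, which the Behavior Rules further down require for large diffs. Similarity is defined here as same severity and same message once backticked identifiers and numbers are masked; that definition and the sample findings are assumptions for the example.

```python
"""Added example of step 5 plus cross-file deduplication; not the skill's own code."""
import re

SEVERITY_ORDER = ("Critical", "Major", "Minor")


def decide(findings) -> str:
    """Pass / Needs changes / Reject, exactly as the decision table states."""
    present = {f["severity"] for f in findings}
    unknown = present - set(SEVERITY_ORDER)
    if unknown:
        raise ValueError(f"unknown severity level(s): {sorted(unknown)}")
    if "Critical" in present:
        return "Reject"
    if "Major" in present:
        return "Needs changes"
    return "Pass"


def _dedup_key(finding) -> tuple:
    # Two findings are "similar" when they share a severity and the same message
    # once code identifiers (in backticks) and numbers are masked.
    masked = re.sub(r"`[^`]*`|\d+", "_", finding["message"]).lower()
    return finding["severity"], " ".join(masked.split())


def deduplicate(findings):
    """Merge similar findings across files, keeping every location they occurred at."""
    merged = {}
    for f in findings:
        key = _dedup_key(f)
        loc = f"{f['file']}:{f['line']}"
        if key in merged:
            merged[key]["locations"].append(loc)
        else:
            merged[key] = {**f, "locations": [loc]}
    return list(merged.values())


def render_summary(title, source_branch, target_branch, findings) -> str:
    """Render the chat summary in the page's template, grouped by severity."""
    uniq = deduplicate(findings)
    out = [f"## Code Review — {title} ({source_branch} → {target_branch})", ""]
    for sev in SEVERITY_ORDER:
        group = [f for f in uniq if f["severity"] == sev]
        if not group:
            continue
        out.append(f"### {sev}")
        for f in group:
            where = ", ".join(f"`{loc}`" for loc in f["locations"])
            out.append(f"- {where} — {f['message']}")
        out.append("")
    out.append(f"### Decision: {decide(uniq)}")
    return "\n".join(out)


# Constructed sample findings, modelled on the examples in the template above.
SAMPLE_FINDINGS = [
    {"severity": "Major", "file": "OrderRepository.java", "line": 87,
     "message": "N+1: `findRolesByUserId` called inside loop. Use batch query."},
    {"severity": "Major", "file": "ReportRepository.java", "line": 12,
     "message": "N+1: `findTagsByPostId` called inside loop. Use batch query."},
    {"severity": "Minor", "file": "PaymentDto.java", "line": 15,
     "message": "Field name `val` is not descriptive."},
]

if __name__ == "__main__":
    print(render_summary("Batch role lookup", "feat/roles", "main", SAMPLE_FINDINGS))
```

Deduplicating before the decision does not change it (the severity set is unchanged), but it keeps the summary short when the same N+1 pattern appears in several repositories.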

### 6. Post inline comments to GitLab

Only execute this step if `check-token` (step 1) returned `"can_write": true`.

**Write comments to a temp JSON file, then post via `post_comments.py`.**
Never use `python -c` with inline comment bodies — backticks and special characters break shell escaping.

```bash
# 1. Write all findings to a JSON file
cat > /tmp/mr_comments.json << 'EOF'
[
  {
    "file_path": "src/main/UserService.java",
    "line": 42,
    "body": "[CRITICAL] Transaction wraps HTTP call...\n\nSuggestion:\n```java\n// fix\n```"
  }
]
EOF

# 2. Post via script
python scripts/post_comments.py <mr_url> /tmp/mr_comments.json
```

**How to determine the correct line number** from a diff hunk:

```
@@ -375,6 +375,8 @@       ← new file starts at line 375
     unchanged line          → 375
     unchanged line          → 376
     unchanged line          → 377
+    added line              → 378  ← use this number
+    added line              → 379
```

Count from the `+A` value in `@@ -X,Y +A,B @@` for new-file lines. Context lines and `+` lines advance the new-file counter; `-` lines do not.

Each comment body format (from `references/review-guidelines.md` §8):

````
[SEVERITY] <one-line issue>

<2-4 sentence explanation referencing the diff.>

Suggestion:
```<language>
<corrected snippet>
```
````

**Constraints:**
- Do not auto-approve the MR.
- Do not add labels or trigger pipelines.
- Only post comment-type discussions (no approval API calls).
- If a line is not in the diff, the API returns an error — log it and continue with the next comment.
- On HTTP 403 `insufficient_scope`, the script stops immediately and prints a fix instruction. Do not retry.
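An added example (Python, not the skill's `post_comments.py`) covering the line-number rule and the "line not in the diff" constraint above: it maps every `+` line of a unified diff to its new-file number, validates a comments JSON against the diff before any API call so that off-diff comments are logged and skipped rather than failing mid-run, and builds the body for GitLab's `POST /projects/:id/merge_requests/:iid/discussions` endpoint using the `diff_refs` that `fetch-mr` returns. The sample diff, comments and `diff_refs` are constructed; the diff mirrors the hunk diagram above with one removed line added.

```python
"""Added example (not the skill's post_comments.py): map '+' lines of a unified
diff to new-file line numbers, validate a comments JSON against the diff before
any API call, and build the GitLab discussion payload for each valid comment."""
import json
import re

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def added_lines(diff_text: str) -> dict:
    """{new_file_line: content} for every '+' line; context lines advance the
    new-file counter, '-' lines do not."""
    added, new_line = {}, None
    for raw in diff_text.splitlines():
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(3))  # the +A value of "@@ -X,Y +A,B @@"
            continue
        if new_line is None or raw.startswith("\\"):
            continue  # header before the first hunk, or "\ No newline at end of file"
        if raw.startswith("+"):
            added[new_line] = raw[1:]
            new_line += 1
        elif not raw.startswith("-"):
            new_line += 1
    return added


def commentable_lines(diffs) -> dict:
    """{new_path: {line: content}} for every non-deleted entry of a fetch-diff result."""
    return {d["new_path"]: added_lines(d["diff"]) for d in diffs if not d.get("deleted_file")}


def validate_comments(comments, diffs):
    """Split comments into (postable, rejected); each rejection carries a reason
    so it can be logged and the next comment processed, as the constraints require."""
    table = commentable_lines(diffs)
    ok, rejected = [], []
    for c in comments:
        path, line = c.get("file_path"), c.get("line")
        if path not in table:
            rejected.append((c, f"{path} is not in the diff"))
        elif line not in table[path]:
            rejected.append((c, f"{path}:{line} is not an added line in the diff"))
        elif not re.match(r"^\[(CRITICAL|MAJOR|MINOR)\] ", c.get("body", "")):
            rejected.append((c, "body does not start with a [SEVERITY] tag"))
        else:
            ok.append(c)
    return ok, rejected


def discussion_payload(mr: dict, diff_entry: dict, comment: dict) -> dict:
    """Body for POST /projects/:id/merge_requests/:iid/discussions with a text
    position; `mr["diff_refs"]` comes from the fetch-mr step."""
    refs = mr["diff_refs"]
    return {
        "body": comment["body"],
        "position": {
            "position_type": "text",
            "base_sha": refs["base_sha"],
            "start_sha": refs["start_sha"],
            "head_sha": refs["head_sha"],
            "new_path": diff_entry["new_path"],
            "old_path": diff_entry["old_path"],
            "new_line": comment["line"],
        },
    }


# Constructed sample: the hunk diagram above plus one removed line (-375,6 +375,7).
SAMPLE_DIFF = "\n".join([
    "@@ -375,6 +375,7 @@ class UserService {",
    "     unchanged line",
    "     unchanged line",
    "     unchanged line",
    "+    added line A",
    "+    added line B",
    "-    removed line",
    "     unchanged line",
    "     unchanged line",
])
SAMPLE_DIFFS = [{"new_path": "src/main/UserService.java", "old_path": "src/main/UserService.java",
                 "diff": SAMPLE_DIFF, "new_file": False, "deleted_file": False, "renamed_file": False}]
SAMPLE_COMMENTS = [
    {"file_path": "src/main/UserService.java", "line": 378, "body": "[CRITICAL] Transaction wraps HTTP call..."},
    {"file_path": "src/main/UserService.java", "line": 376, "body": "[MINOR] comment on a context line"},
    {"file_path": "src/main/Other.java", "line": 1, "body": "[MINOR] file not in diff"},
]

if __name__ == "__main__":
    ok, rejected = validate_comments(SAMPLE_COMMENTS, SAMPLE_DIFFS)
    for c, why in rejected:
        print(f"skipping {c['file_path']}:{c['line']}: {why}")
    refs = {"diff_refs": {"base_sha": "a" * 40, "start_sha": "a" * 40, "head_sha": "b" * 40}}
    print(json.dumps([discussion_payload(refs, SAMPLE_DIFFS[0], c) for c in ok], indent=2))
```

Validating against the parsed diff locally is cheaper than letting the API reject the comment, and it also enforces the step 4 rule that context lines never receive comments.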

## Behavior Rules

- Strict engineering tone. No emotional language. No generic praise.
- Analyze only the modified code in the diff. Do not speculate about code outside the diff.
- Do not log or persist source code content.
- Respect ignore patterns strictly.
- For large diffs: process per file, deduplicate similar findings across files before final output.

## References

- **Review rules, severity table, comment format**: `references/review-guidelines.md`
  - §2 Java & Spring Boot (Clean Code, transactions, N+1, concurrency)
  - §3 MongoDB (queries, indexes, atomicity)
  - §4 PostgreSQL (SQL correctness, isolation, migrations)
  - §5 React & TypeScript (hooks, type safety, security)
  - §6 SOLID & DDD alignment
  - §7 Severity classification table
  - §8 Inline comment format template
Safety notes

This skill appears to implement a legitimate GitLab MR reviewer, but review the following before installing or using it:

- Credentials file: the skill reads `~/.openclaw/credentials/gitlab.json` (token, host and ignore_patterns). The registry metadata did not list any required config paths; verify you are comfortable storing your GitLab token at that path and that it is the correct token for the MR host.
- Token-host mismatch: the CLI's `check-token` step verifies the token against the host stored in the credentials file, but later API calls use the host parsed from the MR URL. If you store a token for gitlab.com but review an MR on gitlab.example.com (or vice versa), the `can_write` result may be wrong. Set the credential host to match the MR host, or adjust the code.
- Token scope: the token needs the `api` scope to post comments (`read_api` is insufficient). Grant only the minimum scope you need and rotate tokens that have been shared.
- Review the included scripts: the bundle contains Python code that makes network requests and reads your home config. Inspect the credential file contents and the scripts locally if you have concerns. The code does not appear to exfiltrate data to unexpected endpoints, but it will send diffs and comment payloads to the GitLab host derived from the MR URL.
- Test first: run in a safe environment with a test token and a test MR to confirm behavior (especially the token check versus the MR host) before pointing it at production repositories or using a high-privilege token.

If the publisher updates the registry metadata to declare the required credentials/config path and fixes the token-host check, that would increase confidence.
Functional analysis

Type: OpenClaw Skill. Name: gitlab-code-reviewer. Version: 1.0.2. The OpenClaw AgentSkills bundle is designed for GitLab MR code reviews. It reads the GitLab API credentials it needs from `~/.openclaw/credentials/gitlab.json` and uses them to fetch MR data and post comments. The `SKILL.md` instructions explicitly guide the AI agent to perform token scope checks, restrict actions (no auto-approval, no labels), and use a dedicated script (`scripts/post_comments.py`) with a temporary JSON file for posting comments, specifically to avoid shell escaping issues with comment bodies. The Python scripts (`gitlab_client.py`, `ignore_matcher.py`, `post_comments.py`) use standard libraries, parse URLs with regular expressions, and interact with the GitLab API without any evidence of data exfiltration, malicious execution (such as `eval`/`exec` of untrusted input), persistence mechanisms, or prompt injection attempts against the agent. The design includes safeguards and adheres to the stated purpose.
Capability assessment
Purpose & Capability
Name/description match the included code and instructions: the skill reads a GitLab token file, fetches MR diffs, filters, analyzes, and can post inline comments. However, the registry metadata did not declare the required credentials/config path (~/.openclaw/credentials/gitlab.json), which is a meaningful omission the user should know about.
Instruction Scope
Runtime instructions explicitly tell the agent to read credentials from ~/.openclaw/credentials/gitlab.json, fetch diffs from the MR host, and write temporary JSON to /tmp for posting comments. The code follows these instructions, but there is a functional mismatch: the token-scope check uses the host from the credentials file (creds['host']) while subsequent API calls use the host parsed from the MR URL. That can produce incorrect 'can_write' results when the token's host differs from the MR host. The instructions also rely on a credentials file that the registry metadata did not declare.
Install Mechanism
No install spec (instruction-only with associated scripts). Nothing is downloaded or written during install; the code files are included in the skill bundle. Risk from install mechanism itself is low.
Credentials
The skill requires access to a GitLab personal access token stored in ~/.openclaw/credentials/gitlab.json (token and host). This is proportionate to its purpose. The registry did not declare this config path as required, and the credential is a powerful secret (api scope enables comment posting) — the user should ensure the file is stored securely and only contains the intended token.
Persistence & Privilege
The skill does not request permanent 'always' installation and does not attempt to modify other skills or system-wide settings. It writes a temporary comments JSON to /tmp only when instructed to post comments (per SKILL.md).
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment).
  2. Type the install command in the chat box: /install gitlab-code-reviewer
  3. After installation, call the skill by name or trigger it with /gitlab-code-reviewer.
  4. Provide the inputs the skill's parameter description requires to get structured output.
Version history

v1.0.2
- Overhauled workflow to use new modular scripts: gitlab_client.py (API access), ignore_matcher.py (file filtering), and post_comments.py (posting review feedback).
- Adds a comprehensive, step-by-step review process: credential check, diff fetch, ignore filtering, diff analysis, structured summary grouping, and conditional comment posting.
- Comment format, severity criteria, and review rules are now externalized in references/review-guidelines.md for consistency.
- Stronger engineering constraints: analyzes only diff changes, enforces strict ignore patterns, no generic praise, no speculative feedback.
- Removed old monolithic scripts (gitlab_code_review.py, diff_parser.py, security_scanner.py) in favor of single-responsibility modules.
- Now supports granular token capability detection and graceful error handling for API scope and diff-posting issues.

v1.0.1
- Added important clarification: the tool uses the GitLab API, not web pages; web scraping/login is unsupported.
- New troubleshooting section for common errors (login redirect, 401 Unauthorized, 404 Not Found) with solutions.
- Expanded guidance on proper usage and required authentication setup.
- No functional changes to the tool itself; documentation improvements only.

v1.0.0
Initial release of GitLab Code Reviewer—an automated, senior-level code review tool for GitLab merge requests.
- Analyzes MRs for security vulnerabilities, code quality issues, and best-practice violations.
- Supports multiple languages including Python, JavaScript/TypeScript, Java, Go, Ruby, PHP, YAML, and JSON.
- Can generate review comments and directly post them to GitLab or save reports locally.
- Configurable via credentials file or command-line arguments with flexible credential and ignore pattern handling.
- Offers clear review priorities: Critical, Major, and Minor, with a focus on assisting (not replacing) human reviewers.
Metadata
Slug: gitlab-code-reviewer
Version: 1.0.2
License: (none listed)
Total installs: 0
Current installs: 0
Versions: 3
FAQ

What is gitlab-code-reviewer?

Senior-level code review for GitLab merge requests. Use when: reviewing MRs, providing feedback on code quality, security, performance, maintainability, or p... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 386 downloads so far.

How do I install gitlab-code-reviewer?

Run the command `/install gitlab-code-reviewer` in the OpenClaw or Claude Code chat box to install it in one step. Installation itself needs no extra configuration, but the skill expects a credentials file at `~/.openclaw/credentials/gitlab.json` (see SKILL.md) before it can reach GitLab.

Is gitlab-code-reviewer free?

Yes, gitlab-code-reviewer is completely free (open source) and can be freely downloaded, installed and used.

Which platforms does gitlab-code-reviewer support?

gitlab-code-reviewer is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.

Who developed gitlab-code-reviewer?

Developed and maintained by Alibek Beldinov (@neuyazvimyi); the current version is v1.0.2.
