anderskev

Liveview Code Review

Author: Kevin Anderson · GitHub · v1.2.1 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 175
Favorites: 0
Current installs: 1
Versions: 2

Install in OpenClaw: /install liveview-code-review
Description
Reviews Phoenix LiveView code for lifecycle patterns, assigns/streams usage, components, and security. Use when reviewing LiveView modules, .heex templates,...
Usage (SKILL.md)

LiveView Code Review

Quick Reference

Issue type                                        Reference
mount, handle_params, handle_event, handle_async  references/lifecycle.md
When to use assigns vs streams, AsyncResult       references/assigns-streams.md
Function vs LiveComponent, slots, attrs           references/components.md
Authorization per event, phx-value trust          references/security.md

Review Checklist

Critical Issues

  • No socket copying into async functions (extract values first)
  • Every handle_event validates authorization
  • No sensitive data in assigns (visible in DOM)
  • phx-value data is validated (user-modifiable)

Lifecycle

  • Subscriptions wrapped in connected?(socket)
  • handle_params used for URL-based state
  • handle_async handles :loading and :error states

Data Management

  • Streams used for large collections (100+ items)
  • temporary_assigns for data not needed after render
  • AsyncResult patterns for loading states

Components

  • Function components preferred over LiveComponents
  • LiveComponents preserve :inner_block in update/2
  • Slots use proper attr declarations
  • phx-debounce on text inputs
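An added example (not part of the skill's SKILL.md) of a LiveView module that satisfies the Lifecycle and Data Management items above: the PubSub subscription is guarded by connected?/1, the task closure captures only the user id rather than the socket, and handle_async/3 covers both the success and the :exit case through AsyncResult so the template can render loading and failed states. MyApp.PubSub, MyApp.Posts.list_for_user/1, the {:post_created, post} message shape and the current_user assign (set by an on_mount hook) are assumed names.

```elixir
defmodule MyAppWeb.PostsLive do
  use Phoenix.LiveView

  alias Phoenix.LiveView.AsyncResult

  def mount(_params, _session, socket) do
    # Subscribe only on the connected mount, not on the initial dead render
    if connected?(socket), do: Phoenix.PubSub.subscribe(MyApp.PubSub, "posts")
    {:ok, load_posts(assign(socket, :posts, AsyncResult.loading()))}
  end

  # Extract the primitive the task needs; the closure must not capture `socket`
  defp load_posts(socket) do
    user_id = socket.assigns.current_user.id
    start_async(socket, :load_posts, fn -> MyApp.Posts.list_for_user(user_id) end)
  end

  # Success: store the result and clear the loading state
  def handle_async(:load_posts, {:ok, posts}, socket) do
    {:noreply, assign(socket, :posts, AsyncResult.ok(socket.assigns.posts, posts))}
  end

  # The task crashed or exited: record the failure instead of staying stuck on loading
  def handle_async(:load_posts, {:exit, reason}, socket) do
    {:noreply, assign(socket, :posts, AsyncResult.failed(socket.assigns.posts, {:exit, reason}))}
  end

  # PubSub notification (assumed message shape): mark loading again and refetch
  def handle_info({:post_created, _post}, socket) do
    {:noreply, load_posts(assign(socket, :posts, AsyncResult.loading(socket.assigns.posts)))}
  end

  def render(assigns) do
    ~H"""
    <.async_result :let={posts} assign={@posts}>
      <:loading>Loading posts...</:loading>
      <:failed :let={_reason}>Could not load posts.</:failed>
      <ul>
        <li :for={post <- posts}><%= post.title %></li>
      </ul>
    </.async_result>
    """
  end
end
```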

Valid Patterns (Do NOT Flag)

  • Empty mount returning {:ok, socket} - Valid for simple LiveViews
  • Using assigns for small lists - Streams only needed for 100+ items
  • LiveComponent without update/2 - Default update/2 assigns all
  • phx-click without phx-value - Event may not need data
  • Inline function in heex - Valid for simple transforms

Context-Sensitive Rules

Issue               Flag ONLY IF
Missing debounce    Input is text/textarea AND triggers server event
Use streams         Collection has 100+ items OR is paginated
Missing auth check  Event modifies data AND no auth in mount

Critical Anti-Patterns

Socket Copying (MOST IMPORTANT)

# BAD - socket copied into async function
def handle_event("load", _, socket) do
  Task.async(fn ->
    user = socket.assigns.user  # Socket copied!
    fetch_data(user.id)
  end)
  {:noreply, socket}
end

# GOOD - extract values first
def handle_event("load", _, socket) do
  user_id = socket.assigns.user.id
  Task.async(fn ->
    fetch_data(user_id)  # Only primitive copied
  end)
  {:noreply, socket}
end

Missing Authorization

# BAD - trusts phx-value without auth
def handle_event("delete", %{"id" => id}, socket) do
  Posts.delete_post!(id)  # Anyone can delete any post!
  {:noreply, socket}
end

# GOOD - verify authorization
def handle_event("delete", %{"id" => id}, socket) do
  post = Posts.get_post!(id)

  if post.user_id == socket.assigns.current_user.id do
    Posts.delete_post!(post)
    {:noreply, stream_delete(socket, :posts, post)}
  else
    {:noreply, put_flash(socket, :error, "Unauthorized")}
  end
end

Hard gates (sequence)

Advance only when each pass condition is objectively true (prevents reporting without evidence):

Gate                       Pass condition
G1 — Files in evidence     You have an explicit list of paths under review (e.g. *.ex, *.heex, or the paths the user named). Every finding names a file from that list.
G2 — Verification protocol You loaded review-verification-protocol and applied its Pre-Report Verification (and issue-type sections where relevant) before treating something as a finding.
G3 — Line anchors          Each finding uses [FILE:LINE] where that line exists in the current file (confirmed by read/grep output, not inferred).
G4 — Valid-pattern screen  You checked the finding against Valid Patterns (Do NOT Flag) and Context-Sensitive Rules; if it matches a "do not flag" case or fails a "Flag ONLY IF," you do not report it.

Issue format

Use [FILE:LINE] ISSUE_TITLE for each finding.

Safe-use recommendations
This instruction-only skill appears to be a legitimate LiveView review checklist and carries low technical risk (no installs or secrets). However: (1) the SKILL.md requires loading a separate 'review-verification-protocol' file that is not included — ask the publisher where that document lives or whether it will be provided at runtime; (2) the hard gating (file lists and [FILE:LINE] anchors) means the skill expects explicit repository/file access — ensure you only invoke it on the files you intend to review; (3) because the skill runs as an agent instruction, confirm who/what will provide the files (you or the agent) and that the agent won't be granted access to unrelated repositories or workspace files. If the missing verification doc is supplied and you provide a limited set of files to review, the skill is coherent; if not, treat the gating and missing reference as a red flag and request the missing artifact or a clarifying update from the owner before installing.
Capability assessment
Purpose & Capability
Name/description (LiveView code review) aligns with the provided checklist and reference docs. No binaries, env vars, or installs are requested — appropriate for an instruction-only review skill.
Instruction Scope
SKILL.md expects the agent to operate on explicit file lists and to follow four hard gates. Gate G2 requires loading ../review-verification-protocol/SKILL.md (Pre-Report Verification) before reporting, but that file is not present in the skill manifest. The gates also mandate reading files and using exact [FILE:LINE] anchors — reasonable for code review but these requirements may be unsatisfiable or cause the agent to look elsewhere for missing docs.
Install Mechanism
No install spec and no code files beyond reference docs. Instruction-only format has low installation risk (nothing written to disk by the skill itself).
Credentials
No environment variables, credentials, or config paths are requested and the instructions do not reference any secret/environment variables. Proportional to the stated purpose.
Persistence & Privilege
always:false and normal agent invocation settings. The skill does not request persistent system presence or modify other skills' configs. Note: autonomous invocation is platform-default but not combined here with broad privileges.
How to use
  1. Make sure OpenClaw is installed (locally or as a Docker deployment)
  2. Type the install command in the chat box: /install liveview-code-review
  3. After installation, call the Skill by name or trigger it with /liveview-code-review
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history
v1.2.1
  • Added a "Hard gates (sequence)" section defining strict preconditions for reporting findings.
  • Specified objective "pass conditions" for each gate, such as file evidence, protocol verification, line anchors, and valid pattern screening.
  • Moved the issue format into a dedicated section at the end for clarity.
v1.2.0
  • Revamped SKILL.md with clear quick references for lifecycle, assigns/streams, components, and security review.
  • Added concise review checklist covering critical issues, lifecycle, data management, and component best practices.
  • Provided explicit examples of valid patterns (to avoid false positives).
  • Updated context-sensitive rules and anti-patterns (emphasizing socket copying and authorization checks).
  • Introduced a standardized format for submitting findings and referenced the review verification protocol.
Metadata
Slug: liveview-code-review
Version: 1.2.1
License: MIT-0
Total installs: 1
Current installs: 1
Versions: 2
FAQ

What is Liveview Code Review?

Reviews Phoenix LiveView code for lifecycle patterns, assigns/streams usage, components, and security. Use when reviewing LiveView modules, .heex templates,... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 175 downloads to date.

How do I install Liveview Code Review?

Run the command "/install liveview-code-review" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Liveview Code Review free?

Yes. Liveview Code Review is completely free, licensed under MIT-0, and may be freely downloaded, installed and used.

Which platforms does Liveview Code Review support?

Liveview Code Review is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Liveview Code Review?

Developed and maintained by Kevin Anderson (@anderskev); current version v1.2.1.
