OpenClaw Code Review

Automated code review assistant. Analyzes code changes, PRs, and files for quality issues, best practices, security concerns, and style violations. Provides...

Things to check before installing/using: - Inspect the rest of scripts/analyzer.py (the file was truncated in the bundle you provided). Look specifically for any of: network libraries (requests, urllib, socket, http.client, ftplib), subprocess or os.system calls that call curl/wget/nc, hardcoded remote endpoints, base64/exec/eval of downloaded data, or code that reads files outside the repository (e.g., /etc, home directory). If any are present, treat as high risk. - Confirm there are no commands that automatically POST or upload review reports to an external server (search for 'http', 'https', 'upload', 'post', 'requests', 'urllib', 'socket'). The roadmap mentions "PR 评论自动发布" but that feature is not implemented in SKILL.md; ensure it isn't implemented hidden in analyzer.py. - Since the tool reads repository files, avoid running it on repos that contain secrets or production credentials until you've verified it does not exfiltrate data. Run it first on a disposable/sandbox repo. - Because there's no source/homepage or owner reputation, prefer to run the code in a restricted environment (container or ephemeral VM) and/or vendor-lock it into your CI (so you control when it runs and which files it can access). - If you plan to add the pre-commit hook or CI workflow, update the hook path and review the hook/CI snippet to ensure it doesn't accidentally write credentials or outputs to public artifacts. Consider limiting the tool's scope (file globs) so it doesn't scan sensitive directories. - If you want higher assurance, ask the publisher for the full repository or verify with a reproducible build. If you cannot obtain the rest of analyzer.py source, do not run this on sensitive projects. If you share the full contents of scripts/analyzer.py (unsuppressed), I can re-check for network calls, obfuscated code, and any other red flags and raise the confidence of this assessment.

Type: OpenClaw Skill Name: openclaw-code-review Version: 1.0.0 The code-review skill bundle is a legitimate static analysis tool designed to identify quality, style, and security issues in Python and JavaScript code. It uses standard libraries (ast, re, subprocess) to perform checks for cyclomatic complexity, hardcoded secrets, and dangerous functions like eval(), and integrates with local Git commands to analyze staged changes or specific commits (scripts/analyzer.py, scripts/main.py). No evidence of data exfiltration, malicious execution, or prompt injection was found.