pr-review-expert
Author: Alireza Rezvani (GitHub) · v1.0.0 · MIT-0
- Total downloads: 357
- Favorites: 0
- Current installs: 3
- Versions: 2
Install in OpenClaw
/install pr-review-expert
Description
PR Review Expert
Safe-usage recommendations
This skill is an instruction-only PR reviewer that uses local CLIs and runs tests. Before installing or running it:
1) Verify that the agent environment has the expected tools (gh, glab, jq, grep, node/python runtimes), and be aware that the skill does not declare them as dependencies.
2) Never run repository tests on a host with sensitive data. Run them in an isolated sandbox or CI runner, because tests can execute arbitrary code and make network calls.
3) Ensure any GitHub/GitLab tokens the CLIs use are limited in scope and rotated.
4) Review the grep patterns and coverage rules to avoid false positives and accidental secret scanning or exfiltration.
5) If you prefer lower risk, require the skill to operate on a provided diff file (read-only) rather than executing tests, or use a CI job to produce coverage artifacts that the skill can then analyze.
Analysis
Type: OpenClaw Skill
Name: pr-review-expert
Version: 1.0.0
The skill provides a comprehensive framework for PR reviews but includes high-risk instructions, such as executing local tests (`npm test`, `pytest`) on untrusted code and using sensitive API tokens (`JIRA_API_TOKEN`, `LINEAR_API_KEY`) in shell commands in SKILL.md. While these capabilities are aligned with the stated purpose, the inherent risk of Remote Code Execution (RCE) from malicious pull requests, together with the handling of secrets in a shell environment, warrants a suspicious classification.
Capability assessment
Purpose & Capability
The name and description align with the instructions: fetching PR diffs, scanning them, and producing review findings is expected. However, SKILL.md assumes the presence of gh, glab, jq, grep, npm, pytest, and test harnesses, while the registry metadata lists no required binaries or environment variables. This mismatch (an implicit dependency on CLIs and their authentication) is notable.
Instruction Scope
The instructions perform local fetches of diffs, grep-based static checks, and explicitly run test commands (npm test, pytest) and coverage tools. Running repository tests can execute arbitrary repository code and trigger network or other side effects; while relevant to a thorough PR review, this increases risk and should be done only in a sandbox or CI environment. The instructions also read and write diffs under /tmp and scan for secrets; those actions are in scope but sensitive.
Install Mechanism
There is no install spec (instruction-only), which minimizes supply-chain risk. The trade-off is that the instructions depend on the agent environment having the necessary CLIs and language runtimes available.
Credentials
No environment variables or credentials are declared, which is good for limiting access. However, the SKILL.md implicitly expects authenticated gh/glab CLIs (which typically use stored tokens or config files). The skill does not request or document these credentials, so you must ensure appropriate, least-privilege tokens are available if the agent will call those CLIs.
Persistence & Privilege
The skill does not request persistent presence (`always` is false) and does not attempt to modify other skills or system-wide settings. It appears to be invoked only when explicitly called.
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install pr-review-expert
- After installation, invoke the skill directly by name or trigger it with /pr-review-expert
- Provide the required input as described in the skill's parameter documentation to receive structured output
Version history
v1.0.0
Initial publish
v2.1.1
v2.1.1: optimization, reference splits
FAQ
What is pr-review-expert?
PR Review Expert. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 357 downloads to date.
How do I install pr-review-expert?
Run the command "/install pr-review-expert" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is pr-review-expert free?
Yes, pr-review-expert is completely free, released under the MIT-0 license, and may be freely downloaded, installed, and used.
Which platforms does pr-review-expert support?
pr-review-expert is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed pr-review-expert?
Developed and maintained by Alireza Rezvani (@alirezarezvani); current version v1.0.0.