cemoso

PR Review Loop

By Cem S · GitHub · v1.0.0
cross-platform · ⚠ flagged suspicious

Total downloads: 843
Favorites: 0
Current installs: 3
Versions: 1

Install in OpenClaw:
/install pr-review-loop
Description
Autonomous PR review loop with Greptile. Use when an agent creates a PR and needs to autonomously handle code review feedback — reading Greptile reviews, fixing issues, pushing fixes, re-triggering review, and auto-merging when score is 4/5+. Trigger on commands like "pr review {url}", "review my PR", or when a Greptile review webhook/poll delivers feedback.
Safe usage recommendations
Before installing:
1) Confirm that the agent environment will have gh (GitHub CLI), git, jq, and flock available; the skill does not declare these dependencies.
2) Plan GitHub credentials carefully: the skill needs an authenticated identity with push and merge rights. Grant only the minimum scopes and prefer a repo-scoped service account or a GitHub App installation token over a personal token.
3) Decide and enforce a merge policy: the script auto-merges on heuristics (score ≥ 4, or a force-merge after 5 rounds or when the same score repeats). If you want human approval for merges or for architectural changes, disable autonomous merges or require escalation instead.
4) Provide and inspect escalation channels: SKILL.md mentions Telegram but provides no authentication mechanism; clarify how alerts are sent and which credentials are involved.
5) Test in a sandbox repository first to confirm the behaviour matches expectations.
6) If the skill owner is unknown or trust is low, consider allowing manual invocation only (no autonomous invocation) or review the code thoroughly before use.
Information that would raise confidence to 'benign': explicitly declared runtime requirements (binaries and environment variables), a known and trusted source, a clear and limited GitHub token scope, and an audited escalation mechanism.
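The merge policy in point 3 is the decision a deployer has to make before handing this skill write access. The following is an added example, not the skill's own script, of what a hardened gate looks like: it keeps the thresholds the listing describes (merge at a score of 4 out of 5, at most 5 rounds) but turns both force-merge conditions (round limit reached, score unchanged) into escalations, and optionally requires an explicit human approval before any merge. The ARCHITECTURAL and APPROVED inputs and the REQUIRE_HUMAN_APPROVAL knob are assumptions for illustration; the skill itself exposes no such inputs.

```shell
#!/bin/sh
# Added example, not the pr-review-loop skill's own code: a merge gate that keeps the
# listing's thresholds (merge at score >= 4 of 5, at most 5 rounds) but replaces
# both force-merge conditions (round limit reached, score unchanged) with escalation,
# and optionally requires an explicit human approval before any merge.
# ARCHITECTURAL, APPROVED and REQUIRE_HUMAN_APPROVAL are assumptions for illustration.
set -eu

MERGE_SCORE=4            # Greptile score (1-5) at which the loop may merge
MAX_ROUNDS=5             # rounds of fix-and-re-review before handing off to a human
REQUIRE_HUMAN_APPROVAL=1 # 1: never merge without APPROVED=1; 0: allow autonomous merge

# decide_action SCORE ROUND PREV_SCORE ARCHITECTURAL APPROVED
#   SCORE, PREV_SCORE : current and previous Greptile scores (use 0 for PREV_SCORE on round 1)
#   ROUND             : 1-based round counter
#   ARCHITECTURAL     : 1 if the review raised architectural concerns
#   APPROVED          : 1 if a human has explicitly approved merging this PR
# Prints exactly one of: merge, fix, escalate.
decide_action() {
  score=$1; round=$2; prev=$3; arch=$4; approved=$5
  # Architectural feedback is a human decision regardless of score.
  if [ "$arch" -eq 1 ]; then echo escalate; return 0; fi
  if [ "$score" -ge "$MERGE_SCORE" ]; then
    if [ "$REQUIRE_HUMAN_APPROVAL" -eq 1 ] && [ "$approved" -ne 1 ]; then
      echo escalate      # good enough to merge, but a person signs off
    else
      echo merge
    fi
    return 0
  fi
  # Below the bar: run another fix round, unless the loop is out of rounds or the
  # score has stopped moving. The skill force-merges at this point; we hand off instead.
  if [ "$round" -ge "$MAX_ROUNDS" ] || [ "$score" -eq "$prev" ]; then
    echo escalate; return 0
  fi
  echo fix
}

# Example call (round 3, score fell from 3 to 3, no architectural flag, no approval):
#   decide_action 3 3 3 0 0   # prints: escalate
```

The point of the ordering is that a sufficiently high score is checked before the stall and round-limit conditions, so an approved PR that reached 4/5 on its final allowed round still merges, while a stalled or exhausted loop never merges on its own.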
Functional analysis
Type: OpenClaw Skill
Name: pr-review-loop
Version: 1.0.0

The skill performs highly privileged actions, including merging pull requests and pushing code to repositories, using `gh` and `git` commands as instructed in `SKILL.md`. The `scripts/pr-review-loop.sh` script interpolates user-controlled arguments (`REPO`, `PR`) directly into `gh api` command lines; unless those values are validated and quoted before use, specially crafted input could alter the shell command or the API path the script requests. While these actions are central to the skill's stated purpose, they represent significant risk and potential for abuse if the agent is compromised or prompted maliciously. There is no clear evidence of intentional data exfiltration, persistence, or other malicious activity in the provided files.
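The interpolation concern above is fixed by validating both values before they reach `gh api` and by never letting the shell re-parse them. The following is an added example, not code from the skill: fail-closed checks for the repository and PR values, an endpoint builder that only assembles validated parts, and a parser for the `pr review {url}` trigger that accepts only `https://github.com/<owner>/<repo>/pull/<n>`. The function names and the sample inputs are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the pr-review-loop skill: fail-closed validation of the
# REPO and PR values before they are interpolated into a `gh api` endpoint path.
set -eu

nl=$(printf '\nx'); nl=${nl%x}   # a literal newline for the case patterns below

# OWNER/NAME using GitHub's login and repository-name character sets. Rejects values
# containing a newline (a second line would slip past a line-oriented grep) and
# repository names of "." or "..", which would rewrite the REST path.
valid_repo() {
  case "$1" in *"$nl"*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9-]{0,38}/[A-Za-z0-9._-]{1,100}$' || return 1
  case "${1#*/}" in .|..) return 1 ;; esac
}

# A pull request number is a positive decimal integer and nothing else.
valid_pr() {
  case "$1" in *"$nl"*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^[1-9][0-9]{0,9}$'
}

# Build the `gh api` endpoint from validated parts only. Callers pass the result as
# ONE argument ("$(pr_reviews_endpoint ...)"), never through eval or `sh -c`, so the
# shell never re-parses the caller's input as code or as extra arguments.
pr_reviews_endpoint() {
  valid_repo "$1" || { echo "rejected repo: $1" >&2; return 1; }
  valid_pr "$2"   || { echo "rejected pr: $2" >&2; return 1; }
  printf 'repos/%s/pulls/%s/reviews\n' "$1" "$2"
}

# Parse a "pr review {url}" argument. Only https://github.com/<owner>/<repo>/pull/<n>
# is accepted; the extracted pieces are then re-validated like any other input.
# Prints "<owner>/<repo> <n>" on success.
parse_pr_url() {
  case "$1" in *"$nl"*) echo "rejected url: $1" >&2; return 1 ;; esac
  rest=${1#https://github.com/}
  [ "$rest" != "$1" ] || { echo "rejected url: $1" >&2; return 1; }   # wrong host/scheme
  owner=${rest%%/*}; rest=${rest#*/}
  name=${rest%%/*};  rest=${rest#*/}
  case "$rest" in
    pull/*) pr=${rest#pull/}; pr=${pr%/} ;;
    *) echo "rejected url: $1" >&2; return 1 ;;
  esac
  valid_repo "$owner/$name" && valid_pr "$pr" || { echo "rejected url: $1" >&2; return 1; }
  printf '%s %s\n' "$owner/$name" "$pr"
}

# Typical use inside the loop (example invocation, not executed here):
#   set -- $(parse_pr_url "$PR_URL") || exit 1      # $1=owner/repo  $2=number
#   endpoint=$(pr_reviews_endpoint "$1" "$2") || exit 1
#   gh api "$endpoint" --paginate | jq -r '.[].state'
```

Validation happens at the trust boundary (the agent's command text) rather than at each `gh` call, and the endpoint is built only from values that passed it, so a crafted repository such as `octocat/Hello-World/../../x` or a PR value such as `42;id` is rejected before any command runs.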
Capability assessment
Purpose & Capability
The skill's stated purpose (autonomously reading Greptile reviews, applying fixes, pushing, re-triggering reviews, and merging) matches the SKILL.md and the included script. However, the package metadata declares no required binaries or credentials even though the workflow and scripts clearly rely on gh (GitHub CLI), git, jq, grep/flock and an authenticated GitHub identity capable of pushing and merging. This omission is an inconsistency that bears directly on safety decisions.
Instruction Scope
SKILL.md and the script instruct the agent to read files/lines referenced by reviewer comments, modify code, commit, push, and auto-merge under heuristics (including force_merge after max rounds). That behavior is within the stated purpose but grants broad autonomous write/merge authority and discretionary fixes. The doc also says to 'ping Master on Telegram' for escalations but provides no mechanism or declared credentials for doing so.
Install Mechanism
There is no install spec (instruction-only + small script), which is lower risk from arbitrary downloads. However, required runtime tools (gh, jq, git, flock) are expected but not declared or installed; the skill assumes they exist on PATH.
Credentials
The skill implicitly requires a GitHub-authenticated environment (GH CLI auth or GITHUB_TOKEN) with push/merge rights for target repos, but no required env vars or primary credential are declared. It also references Telegram for escalation without declaring how to authenticate. Requesting or expecting high-privilege repo credentials without declaring them is disproportionate and should be made explicit.
Persistence & Privilege
always:false (good). The skill stores review-state.json in the workspace (benign). Nevertheless, its runtime operations (commits, pushes, merges, branch deletion) require significant repository privileges; consider restricting tokens/scopes and human oversight for architectural/force-merge cases.
How to use
  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the chat: /install pr-review-loop
  3. After installation, invoke the skill by name or trigger it with /pr-review-loop.
  4. Provide the inputs described in the skill's parameter documentation to receive structured output.
Version history
v1.0.0
Autonomous Greptile PR review loop: auto-fix, auto-merge at 4/5+, round tracking, escalation for architectural decisions
Metadata
Slug: pr-review-loop
Version: 1.0.0
License: (none listed)
Total installs: 3
Current installs: 3
Versions published: 1
FAQ

What is PR Review Loop?

An autonomous PR review loop built around Greptile, as described above: when an agent creates a PR, the skill reads the Greptile review, fixes the reported issues, pushes the fixes, re-triggers review, and auto-merges once the score reaches 4/5 or higher. It is an AI agent skill plugin for Claude Code / OpenClaw with 843 downloads to date.

How do I install PR Review Loop?

Run `/install pr-review-loop` in the OpenClaw or Claude Code chat. The listing describes this as a one-click install with no extra configuration, but note the safety recommendations above: the skill expects gh, git, jq and flock on PATH and an authenticated GitHub identity with push and merge rights.

Is PR Review Loop free?

Yes, the listing marks it as free and open source, available to download, install and use; no license is recorded in the metadata above.

Which platforms does PR Review Loop support?

It is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.

Who developed PR Review Loop?

Cem S (@cemoso) develops and maintains it; the current version is v1.0.0.
