pr-reviewer

Author: Brian Colinger (briancolinger) · GitHub · v1.0.1
Platform: cross-platform · Security rating: ⚠ suspicious
Total downloads: 7412
Favorites: 0
Current installs: 55
Versions: 2
Install in OpenClaw:
/install pr-reviewer
Description
Automated GitHub PR code review with diff analysis, lint integration, and structured reports. Use when reviewing pull requests, checking for security issues,...
Safe usage advice
Install only if you are comfortable reviewing or patching the script first. Use least-privilege GitHub credentials, keep the report and state paths inside the workspace, review the generated markdown before running `post`, and avoid running it on untrusted PRs until the filename handling is changed to pass PR-derived data through stdin, JSON, or command-line arguments instead of interpolating it into Python source.
Functional analysis
Type: OpenClaw Skill
Name: pr-reviewer
Version: 1.0.1

The OpenClaw skill `pr-reviewer` automates GitHub PR code review using the `gh` CLI and Python. It is classified as suspicious because of critical vulnerabilities, not because of malicious intent. Specifically, `scripts/pr-review.sh` allows arbitrary file writes when the `PR_REVIEW_STATE` or `PR_REVIEW_OUTDIR` environment variables point at sensitive paths (e.g. `/etc/passwd`), since no path sanitization or restriction is applied. In addition, the `run_local_lint` function is open to shell injection: filenames taken from the GitHub PR are expanded directly into the `ruff` and `golangci-lint` command lines, so a PR containing specially crafted filenames with shell metacharacters could achieve arbitrary command execution on the reviewer's machine. No evidence of intentional data exfiltration, persistence, or obfuscation was found.
Capability assessment
Purpose & Capability
Automated GitHub PR review, diff analysis, local linting, report generation, and optional PR commenting are coherent with the stated purpose.
Instruction Scope
Main actions are user-invoked, and posting is an explicit command, but the documentation references a different script path than the packaged file, which can confuse execution.
Install Mechanism
No hidden installer or persistence mechanism was found; declared runtime dependencies are gh and python3, with optional linters.
Credentials
The skill processes untrusted PR metadata and embeds PR-derived filenames into Python source passed to python3 -c, which is disproportionate for safe review automation and can create local code-execution risk.
Persistence & Privilege
It writes local state and markdown reports to documented, environment-configurable paths and can post to GitHub using the user's gh credentials when the user runs post; this is disclosed but should be tightly scoped.
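The two fixes asked for in the safe usage advice and the functional analysis above (confine the env-configurable write paths to the workspace; hand PR-derived filenames to python3 and the linters as data, not as source text or an unquoted command line) are shown below as an added example. It is not code from the pr-reviewer skill or this page; the function names, the `/work/ws` workspace and the sample filenames are assumptions made for the demonstration, and it runs offline on those constructed inputs.

```bash
#!/usr/bin/env bash
# Added example, not code from the pr-reviewer skill. It shows the two
# hardenings the analysis asks for, on constructed inputs so it runs offline:
#  1. confining PR_REVIEW_OUTDIR / PR_REVIEW_STATE to the workspace, and
#  2. passing PR-derived filenames to python3 and linters as arguments,
#     never splicing them into Python source or an unquoted command line.
# Function names, the workspace path and the sample filenames are assumptions.
set -euf -o pipefail   # -f: no globbing, so a filename like "*.py" stays literal

# Lexically normalise an absolute path (collapses "." and "..") without
# touching the filesystem, so it also works for paths that do not exist yet.
normalize_path() {
  local part out="" IFS='/'
  for part in $1; do
    case "$part" in
      ''|'.') ;;
      '..')   out="${out%/*}" ;;
      *)      out="$out/$part" ;;
    esac
  done
  printf '%s\n' "${out:-/}"
}

# Print the candidate path resolved inside the workspace, or fail if it would
# land outside it. Run this on every env-configurable write path before use.
confine_to_workspace() {
  local ws abs
  ws="$(normalize_path "$1")"
  case "$2" in
    /*) abs="$(normalize_path "$2")" ;;
    *)  abs="$(normalize_path "$ws/$2")" ;;
  esac
  case "$abs" in
    "$ws"|"$ws"/*) printf '%s\n' "$abs" ;;
    *) printf 'refusing write path outside workspace: %s\n' "$2" >&2; return 1 ;;
  esac
}

# Vulnerable shape (do not use):
#   python3 -c "files = ['$f']"   # a name like  x'); import os ...  becomes code
#   ruff check $files             # unquoted: word-splits, globs, "-x" read as option
# Safe shape: keep the names in an array and pass them as argv after "--".
py_files=()
collect_python_files() {
  local f
  py_files=()
  for f in "$@"; do
    case "$f" in *.py) py_files+=("$f") ;; esac
  done
}

# Python receives the names in sys.argv; the script body is a quoted heredoc,
# so nothing from the PR is ever parsed as Python. Prints the file count.
count_python_files() {
  python3 - "$@" <<'PY'
import sys
files = sys.argv[1:]   # the exact strings the shell passed, no re-parsing
print(len(files))
PY
}

# Linters get the same array, quoted, after "--" (only if ruff is installed).
run_lint() {
  if [ "${#py_files[@]}" -gt 0 ] && command -v ruff >/dev/null 2>&1; then
    ruff check -- "${py_files[@]}"
  fi
}

# Constructed demo inputs (not real PR data): two injection-style names,
# one option-looking name and one non-Python file.
collect_python_files 'app.py' 'evil$(id).py' "x'); import os; os.system('id') #.py" '-rf.py' 'main.go'
printf 'python files kept: %s\n' "${#py_files[@]}"
if command -v python3 >/dev/null 2>&1; then
  printf 'counted by python3: %s\n' "$(count_python_files "${py_files[@]}")"
fi
for p in reports/pr-42.md ../../etc/passwd /etc/passwd; do
  if out="$(confine_to_workspace /work/ws "$p")"; then
    printf 'ok   %s -> %s\n' "$p" "$out"
  else
    printf 'deny %s\n' "$p"
  fi
done
```

The path check is purely lexical on purpose: the report and state files may not exist yet, and a check that follows symlinks at write time is a separate concern. The argv pattern is what the advice means by "pass data through stdin, JSON, or arguments": the PR controls the bytes of each filename, but never where a quote or a `$(` lands in the program.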
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install pr-reviewer
  3. After installation, call the Skill by name or trigger it with /pr-reviewer
  4. Provide the required input as described in the Skill's parameter documentation to get structured output
Version history
v1.0.1
Fix security scan flags: declare runtime dependencies, document env vars and write paths
v1.0.0
Initial release — automated GitHub PR code review with diff analysis for Go, Python, and JS/TS. Security scanning, error handling checks, test coverage gaps, local lint integration, and structured markdown reports.
Metadata
Slug: pr-reviewer
Version: 1.0.1
License:
Total installs: 279
Current installs: 55
Version count: 2
FAQ

What is pr-reviewer?

Automated GitHub PR code review with diff analysis, lint integration, and structured reports. Use when reviewing pull requests, checking for security issues,... It is an AI agent Skill plugin for Claude Code / OpenClaw, with 7412 downloads to date.

How do I install pr-reviewer?

Run the command /install pr-reviewer in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is pr-reviewer free?

Yes, pr-reviewer is completely free (open source); you can download, install and use it freely.

Which platforms does pr-reviewer support?

pr-reviewer is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.

Who developed pr-reviewer?

Developed and maintained by Brian Colinger (@briancolinger); the current version is v1.0.1.
