kkenny0 / Taku Review

Author: KennyWu · GitHub · v1.0.0 · MIT-0
cross-platform ✓ Security check passed
Total downloads: 44 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw: /install taku-review
Description
Use after implementation is complete. Triggers after /taku-build. Analyzes diffs for security issues, bugs, and code quality. Run when asked to "review this"...
Usage (SKILL.md)

# Taku Review - Delivery Gate

Review decides whether the change can ship. It is not a long critique and it is
not a nit collector.

Rule labels: [IRON LAW] means a non-negotiable correctness constraint. [GUIDANCE]
means a strong default that may adapt when context justifies it.

[IRON LAW] Hard stops come before concerns. Do not bury a blocking delivery
failure under style comments.

## Review Contract

Read the current diff against the base branch or, when there is no remote diff,
the local dirty diff. Then output exactly three sections:

```text
HARD STOPS
- [none | blocking finding list]

CONCERNS
- [none | non-blocking risks worth fixing or noting]

SUMMARY
- Changed files: [...]
- Verification evidence: [...]
- Scope/spec status: clean | drift | requirements missing | unknown
- Residual risk: none | [...]
- Status: DONE | BLOCKED | DONE_WITH_CONCERNS
```

Use `BLOCKED` whenever a hard stop exists. Use `DONE_WITH_CONCERNS` only when
remaining issues are non-blocking and explicitly listed.

## Step 1: Detect Base and Diff

Run the repo-appropriate equivalent of:

```bash
git remote get-url origin 2>/dev/null
git branch --show-current
git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's|refs/remotes/origin/||'
git status --short
git diff --stat
```

If on the base branch with no local diff, stop cleanly:

```text
HARD STOPS
- none

CONCERNS
- none

SUMMARY
- Changed files: []
- Verification evidence: not applicable; no diff
- Scope/spec status: clean
- Residual risk: none
- Status: DONE
```

Do not invent findings when no code changed.
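The commands above are the raw inputs. As an added example, not the skill's own code, the script below turns them into a base-detection routine: it tries `origin/HEAD` first, then an assumed fallback order (`origin/main`, `origin/master`, `main`, `master`), diffs the branch against its merge-base with that base, falls back to the dirty working-tree diff when already on the base branch, and otherwise reports the clean stop. `review_diff`, `make_demo_repo` and the throwaway repository it builds are constructed for illustration; the demo walks that repository through all three states.

```python
"""Step 1 (detect base and diff) as an added example, not the skill's own code.
Assumed base preference: origin/HEAD, then origin/main, origin/master, main,
master. With no usable base, or when already on the base branch, fall back to
the dirty working tree; with nothing at all, report the clean stop."""
import pathlib
import shutil
import subprocess
import tempfile

GIT_AVAILABLE = shutil.which("git") is not None


def git(args, cwd):
    """Run one git command; return stripped stdout, or None when it fails."""
    r = subprocess.run(["git", *args], cwd=cwd, capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 else None


def detect_base(cwd):
    head = git(["symbolic-ref", "--short", "refs/remotes/origin/HEAD"], cwd)  # e.g. origin/main
    for ref in ([head] if head else []) + ["origin/main", "origin/master", "main", "master"]:
        if git(["rev-parse", "--verify", "--quiet", ref + "^{commit}"], cwd):
            return ref
    return None


def review_diff(cwd):
    """Return (mode, base, diff_text); mode is 'branch', 'dirty' or 'none' (clean stop)."""
    base = detect_base(cwd)
    current = git(["rev-parse", "--abbrev-ref", "HEAD"], cwd)
    dirty = git(["status", "--short"], cwd)
    if base and base.split("/")[-1] != current:
        merge_base = git(["merge-base", base, "HEAD"], cwd)
        diff = git(["diff", merge_base], cwd) if merge_base else None
        if diff:                 # branch commits plus any uncommitted edits on top
            return "branch", base, diff
    if dirty:                    # on the base branch (or no base): local dirty diff
        return "dirty", base, git(["diff", "HEAD"], cwd) or ""
    return "none", base, ""


def make_demo_repo():
    """Constructed sample input: a throwaway repo with 'main' (one commit) and a
    'feature' branch adding a function. No remote, so origin/HEAD is absent."""
    repo = tempfile.mkdtemp(prefix="taku-demo-")
    cfg = ["-c", "user.email=dev@example.com", "-c", "user.name=dev", "-c", "commit.gpgsign=false"]

    def run(*args):
        subprocess.run(["git", *cfg, *args], cwd=repo, check=True, capture_output=True)

    app = pathlib.Path(repo, "app.py")
    run("init", "-q")
    run("symbolic-ref", "HEAD", "refs/heads/main")   # branch name independent of git defaults
    app.write_text("def hello():\n    return 'hi'\n")
    run("add", "app.py")
    run("commit", "-q", "-m", "base")
    run("checkout", "-q", "-b", "feature")
    app.write_text("def hello():\n    return 'hi'\n\ndef feature():\n    return 42\n")
    run("commit", "-q", "-am", "add feature")
    return repo


def walk_demo_states():
    """Run Step 1 on the feature branch, then on a clean main, then on main with
    the feature version of app.py checked out but not committed."""
    repo = make_demo_repo()
    states = []
    for setup in (None, ["checkout", "-q", "main"], ["checkout", "feature", "--", "app.py"]):
        if setup:
            git(setup, repo)
        mode, base, diff = review_diff(repo)
        states.append((mode, base, "+def feature" in diff))
    shutil.rmtree(repo, ignore_errors=True)
    return states


if __name__ == "__main__":
    print(walk_demo_states())
```

One caveat the `git status --short` line implies: untracked files count as a dirty tree but produce no `git diff` text, so a gate that sees mode `dirty` with an empty diff should list the untracked paths rather than conclude that nothing changed.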

## Step 2: Reconstruct Intent

Read the strongest available intent source:

- Build ledger from `/taku-build`
- `PLAN.md`
- approved Quick mini design
- `DESIGN.md`
- user request in the current session
- commit messages

Then compare intent to delivered changes.

Hard stops:

- **Scope drift:** unrelated files, behavior, or refactors not approved.
- **Missing requirement:** approved behavior absent from the diff.
- **Unapproved deviation:** Build recorded a deviation that was not approved.

Approved deviations are not hard stops, but must be listed in `SUMMARY`.

## Step 3: Check Verification Evidence

Review the observed evidence, not confidence statements.

Hard stops:

- The implementation claims completion but no test/build/lint/manual command
  evidence is visible.
- Verification output is stale or from before the relevant code changed.
- Required TDD anchor or reproduction check is missing.

If evidence is unavailable because the repo has no harness, say what was used
instead. Do not claim tests passed unless output or explicit user evidence shows
that.

## Step 4: Critical Pattern Pass

Read the full diff before commenting. Search for production-risk patterns:

- SQL/query injection from string-built user input
- Prompt injection or unvalidated LLM output crossing a trust boundary
- Missing auth checks or overly broad permissions
- Conditional side effects hidden in ternaries, short-circuits, or optional chaining
- Race conditions, shared mutable state, or non-atomic read/modify/write
- Resource leaks that can exhaust connections, files, streams, or listeners

High-confidence critical/security bugs are hard stops. Apply a fix directly
only when the correct change is clear from local context. Otherwise provide the
smallest safe recommendation and keep status `BLOCKED`.
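An added example, not the skill's own code, that mechanises this pass and the Review Contract above: `scan_diff` walks a unified diff, keeps the new-side line number for every added line, and tests it against a small assumed set of regexes for string-built queries, calls hidden behind short-circuit operators, and read/modify/write on shared attributes; `render_review` then emits the three sections with the status rules from the contract, turning missing evidence (Step 3) and scope drift (Step 2) into hard stops. The pattern set, the `Finding` type, the sample diff and its file names are all constructed for illustration. Only the string-built query is a high-confidence finding and therefore blocking; the other matches are concerns a reviewer still has to judge.

```python
"""Step 4 pattern pass plus Review Contract rendering (added example, not the
taku-review skill's own code). The regexes are an assumed, deliberately small
set: only the string-built query is treated as a high-confidence hard stop; the
other two matches land in CONCERNS for a human to judge."""
import re
from dataclasses import dataclass

SQL_CALL = re.compile(r"\b(execute|executemany|query|raw)\s*\(")
SQL_BUILT = re.compile(r'''f["']|["']\s*[+%]|\+\s*["']|\.format\(''')
# a call reached through &&, ||, and, or on a line that is not itself a condition
SHORT_CIRCUIT_CALL = re.compile(
    r"^\s*(?!(?:if|elif|while|return|assert)\b).*?(?:&&|\|\||\band\b|\bor\b)\s*[A-Za-z_][\w.]*\(")
# attr += x  or  attr = attr + x  on a dotted target (module/global/object state)
SHARED_RMW = re.compile(r"^\s*([A-Za-z_]\w*\.[\w.]+)\s*(?:\+=|-=|\*=|=\s*\1\s*[-+*/])")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

PATTERNS = [  # (label, blocking, matcher over one added source line)
    ("SQL/query built from string input", True,
     lambda s: bool(SQL_CALL.search(s) and SQL_BUILT.search(s))),
    ("side effect hidden in a short-circuit expression", False,
     lambda s: bool(SHORT_CIRCUIT_CALL.search(s))),
    ("non-atomic read/modify/write on a shared attribute", False,
     lambda s: bool(SHARED_RMW.search(s))),
]

@dataclass
class Finding:
    file: str
    line: int          # line number in the new version of the file
    label: str
    blocking: bool
    code: str

def _new_path(header):
    path = header[4:].split("\t")[0]          # "+++ b/app/db.py" -> "app/db.py"
    return path[2:] if path.startswith("b/") else path

def changed_files(diff_text):
    return [_new_path(line) for line in diff_text.splitlines() if line.startswith("+++ ")]

def scan_diff(diff_text):
    """Walk a unified diff, tracking new-side line numbers so each finding has file:line."""
    findings, path, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = _new_path(raw)
        elif raw.startswith("@@"):
            new_line = int(HUNK.match(raw).group(1))
        elif raw.startswith("+") and path:
            code = raw[1:]
            for label, blocking, match in PATTERNS:
                if match(code):
                    findings.append(Finding(path, new_line, label, blocking, code.strip()))
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1          # context line; removed ('-') lines do not advance
    return findings

def _section(name, items):
    return name + "\n" + "\n".join(f"- {item}" for item in (items or ["none"]))

def render_review(findings, files, evidence=None, scope="clean"):
    """Return (report, status) in the three-section contract, hard stops first."""
    def fmt(f):
        return f"{f.file}:{f.line} {f.label}: `{f.code}`"
    hard = [fmt(f) for f in findings if f.blocking]
    concerns = [fmt(f) for f in findings if not f.blocking]
    if not evidence:                                  # Step 3: a claim is not evidence
        hard.append("completion claimed but no test/build/lint output is visible")
    if scope in ("drift", "requirements missing"):    # Step 2
        hard.append(f"scope/spec status is '{scope}'")
    status = "BLOCKED" if hard else "DONE_WITH_CONCERNS" if concerns else "DONE"
    residual = f"{len(concerns)} non-blocking concern(s) listed above" if concerns else "none"
    summary = _section("SUMMARY", [f"Changed files: {files}",
                                   f"Verification evidence: {evidence or 'none visible'}",
                                   f"Scope/spec status: {scope}",
                                   f"Residual risk: {residual}",
                                   f"Status: {status}"])
    return "\n\n".join([_section("HARD STOPS", hard), _section("CONCERNS", concerns), summary]), status

# Constructed sample diff (not from any real project): one injected query, one
# counter bump on shared state, one print hidden behind `and`.
SAMPLE_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -10,3 +10,5 @@ def get_user(conn, name):
     cur = conn.cursor()
-    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
+    # faster path
+    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
+    STATS.hits += 1
     return cur.fetchone()
diff --git a/app/cli.py b/app/cli.py
--- a/app/cli.py
+++ b/app/cli.py
@@ -1,2 +1,3 @@
 import sys
+verbose = "--json" in sys.argv and print("json mode")
 main()
"""

if __name__ == "__main__":
    found = scan_diff(SAMPLE_DIFF)
    print(render_review(found, changed_files(SAMPLE_DIFF),
                        evidence="pytest -q output pasted by the user: 12 passed")[0])
```

Regexes over added lines catch the easy cases and miss anything assembled across several lines, so the point here is the file:line anchoring and the status logic, not the pattern list; a real pass still reads the whole diff as Step 4 says.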

## Step 5: Concern Pass

Only after hard stops are handled, list non-blocking risks:

- error paths that degrade behavior but do not block shipping
- weak type/null handling with bounded blast radius
- missing cleanup where impact is limited
- maintainability issues that make a follow-up risky

Skip nit floods. If a style pattern matters, mention it once.

## Auto-Fix Policy

- Auto-fix Critical and Important findings when the fix is clear and locally
  verifiable.
- After an auto-fix, run the smallest relevant verification.
- Do not commit, push, or open a PR.
- Do not mix review with broad refactoring.

## Output Rules

- `HARD STOPS` must appear first.
- Every hard stop needs a file/line or artifact reference when available.
- `SUMMARY` must include changed files, verification evidence, residual risk,
  and status.
- If Review finds scope drift, missing requirements, or missing verification,
  status is `BLOCKED` until fixed or explicitly approved by the user.

## Known Pitfalls

**Nit flood hides the real issue.** A review produced 40 style comments and one
SQL injection finding. The developer fixed the easy comments and missed the
security bug.

Prevention: hard stops first; concerns second; style notes only when they change
delivery risk.

**Review accepts a build summary as evidence.** The summary said "tests pass",
but no command output was visible.

Prevention: completion claims need observed command output, diff evidence, or
explicit user-provided evidence.

**Scope drift looks like cleanup.** A task approved `--json` output, but the diff
also rewrote command discovery.

Prevention: reconstruct intent before code-quality review. Good code outside
scope is still a delivery failure.
Safety notes
This skill appears safe for its intended purpose. Before installing, understand that it may run local repository commands and may make scoped code edits for clear important findings; keep your work under git and review any changes before merging.
Functional analysis
Type: OpenClaw Skill
Name: taku-review
Version: 1.0.0

The 'taku-review' skill is a legitimate code review utility designed to analyze git diffs for security vulnerabilities and quality issues. In SKILL.md, it defines a structured process for identifying risks like SQL injection and prompt injection while explicitly forbidding the agent from committing or pushing changes. The use of Bash and file tools is strictly scoped to repository analysis and local auto-fixes, showing no signs of malicious intent or data exfiltration.
Capability assessment
Purpose & Capability
The stated purpose is reviewing implementation diffs before shipping, and the requested Bash/read/search/edit tools fit that purpose. Users should still note that the skill can modify local files when it auto-fixes clear issues.
Instruction Scope
The instructions are scoped to the current repo diff and include limits such as no commits, pushes, PRs, or broad refactoring. Auto-fix behavior is disclosed and bounded to clear Critical/Important findings.
Install Mechanism
There is no install spec, no package dependency, and no code helper to execute; this is an instruction-only skill.
Credentials
Reading git status/diffs and running verification commands is proportionate for a review gate, but it can inspect local repository content and run local project commands.
Persistence & Privilege
The artifacts show no credentials, background persistence, privilege escalation, network endpoints, commits, pushes, or PR creation.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Type the install command in the chat box: /install taku-review
  3. After installation, call the Skill by name or trigger it with /taku-review
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history
v1.0.0
Initial release of taku-review, a concise code review and delivery gate tool. `/taku-review` reads the actual diff, checks base branch drift, and looks for failure patterns tests often miss: unsafe query construction, trust-boundary mistakes, conditional side effects, missing error handling, and scope drift.

- Analyzes code diffs for security issues, bugs, and code quality after implementation is complete.
- Distinguishes between blocking (hard stops) and non-blocking (concerns) findings.
- Compares delivered changes to approved intent and requirements.
- Requires visible verification evidence (tests, build output) before approving changes.
- Flags risks like injection vulnerabilities, missing auth, races, and resource leaks.
- Provides a structured, three-section output: HARD STOPS, CONCERNS, and SUMMARY.
Metadata
Slug: taku-review
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Versions: 1
FAQ

What is Taku Review?

Use after implementation is complete. Triggers after /taku-build. Analyzes diffs for security issues, bugs, and code quality. Run when asked to "review this"... It is an AI agent Skill plugin for Claude Code / OpenClaw, downloaded 44 times so far.

How do I install Taku Review?

Run the command "/install taku-review" in the OpenClaw or Claude Code chat box for one-step installation; no extra configuration is needed.

Is Taku Review free?

Yes, Taku Review is completely free, released under the MIT-0 license; it can be freely downloaded, installed and used.

Which platforms does Taku Review support?

Taku Review is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Taku Review?

Developed and maintained by KennyWu (@kkenny0); the current version is v1.0.0.
