
Astrai Code Review

by beee003 · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
779 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install astrai-code-review
Description
AI-powered code review with intelligent model routing — saves 40%+ vs always using the most expensive model
README (SKILL.md)

Astrai Code Review

AI-powered code review with intelligent model routing. Complex logic goes to powerful models. Formatting and style goes to fast, cheap ones. You save 40%+ without sacrificing quality.

What it does

  • Smart routing for reviews: Astrai analyzes the diff complexity and routes to the optimal model. A gnarly concurrency bug gets Opus. A missing semicolon gets Haiku. You only pay for the intelligence you need.
  • Structured output: Every review returns typed issues with file, line number, severity (critical/warning/info), message, and a concrete suggestion.
  • Strictness modes: Standard catches bugs and logic errors. Strict adds style and best-practice checks. Security mode focuses on vulnerabilities, injection, auth, and data exposure.
  • BYOK (Bring Your Own Keys): Your provider API keys stay with you. Astrai decides which model to use, then calls the provider using YOUR key. You pay providers directly.
  • Cost tracking: Every review response includes the cost and how much you saved vs always using the most expensive model.
  • Local-only mode: If you only set ASTRAI_API_KEY without provider keys, Astrai uses its own hosted models. Still routed intelligently, still cheap.

Setup

  1. Get a free API key at as-trai.com
  2. Set ASTRAI_API_KEY in your environment or skill config
  3. Optionally add provider API keys for BYOK routing (e.g. ANTHROPIC_API_KEY, OPENAI_API_KEY)
  4. Run /review on any diff or PR

Usage

/review                     Review the current diff (staged changes)
/review --strict            Strict mode: bugs + style + best practices
/review --focus security    Security-focused review (vulns, injection, auth)
/review --file src/auth.py  Review a specific file

Examples

Basic review of staged changes:

/review

Returns issues found in the current diff with severity levels and suggestions.

Strict review for a PR:

/review --strict

Catches not just bugs but also style violations, naming issues, and missed best practices.

Security audit:

/review --focus security

Focuses on SQL injection, XSS, auth bypass, hardcoded secrets, insecure deserialization, and other vulnerability classes.

Environment Variables

Variable             Required   Description                        Default
ASTRAI_API_KEY       Yes        Your API key from as-trai.com      --
ANTHROPIC_API_KEY    No         Anthropic key for BYOK routing     --
OPENAI_API_KEY       No         OpenAI key for BYOK routing        --
GOOGLE_API_KEY       No         Google key for BYOK routing        --
DEEPSEEK_API_KEY     No         DeepSeek key for BYOK routing      --
MISTRAL_API_KEY      No         Mistral key for BYOK routing       --
GROQ_API_KEY         No         Groq key for BYOK routing          --
TOGETHER_API_KEY     No         Together key for BYOK routing      --
FIREWORKS_API_KEY    No         Fireworks key for BYOK routing     --
COHERE_API_KEY       No         Cohere key for BYOK routing        --
PERPLEXITY_API_KEY   No         Perplexity key for BYOK routing    --
REVIEW_STRICTNESS    No         standard, strict, or security      standard

External Endpoints

Endpoint:   https://as-trai.com/v1/chat/completions
Purpose:    Code review inference via intelligent routing
Data Sent:  Diff content, file context, review instructions

Security & Privacy

  • All requests authenticated via API key in the Authorization header
  • Diffs are sent to the Astrai routing API, which forwards to the selected provider
  • In BYOK mode, provider keys are sent via encrypted header (X-Astrai-Provider-Keys) and never stored
  • No diffs, code, or review results are retained by Astrai after the request completes
  • Source code is fully open: github.com/beee003/astrai-openclaw

Model Invocation

This skill sends code diffs to the Astrai routing API. The router classifies the review complexity and selects the best model:

  • High complexity (concurrency, security, architecture): Routes to Claude Opus, GPT-4o, or Gemini Pro
  • Medium complexity (logic errors, missing edge cases): Routes to Claude Sonnet, GPT-4o-mini, or Gemini Flash
  • Low complexity (formatting, typos, naming): Routes to Claude Haiku, GPT-4o-mini, or Gemini Flash

Your prompts are processed by third-party LLM providers according to the routing decision. In BYOK mode, calls are made using your own provider API keys.

Pricing

Same as Astrai platform pricing:

  • Free: 1,000 requests/day, smart routing, all strictness modes
  • Pro ($49/mo): Unlimited requests, priority routing, analytics dashboard
  • Business ($199/mo): Team dashboards, compliance exports, SLA guarantee
Usage Guidance
This skill appears to implement what it claims (an Astrai routing code-review proxy), but take these precautions before installing or providing keys:

  • Only provide ASTRAI_API_KEY if you trust the Astrai service. The plugin will send diffs and review content to the configured Astrai endpoint.
  • Do not provide your provider API keys (OpenAI/Anthropic/etc.) unless you explicitly trust Astrai to use them; the plugin will include them (JSON-encoded) in the X-Astrai-Provider-Keys header and transmit them to the Astrai endpoint. That gives Astrai the ability to act with those keys.
  • Verify or lock ASTRAI_BASE_URL: the code honors ASTRAI_BASE_URL (defaults to https://as-trai.com). If you do not set this, it will use the documented host; if you set it, you could redirect the traffic to another server. The SKILL.md failed to document this env var. Do not change ASTRAI_BASE_URL unless you know what you are doing.
  • The SKILL.md asserts keys are 'never stored' and headers are 'encrypted' — note the implementation relies on HTTPS (transport) and keeps keys only in memory; there is no code-level encryption/persistence shown. If you need stronger guarantees (e.g., zero knowledge), review the server-side behaviour and the Astrai privacy policy or avoid BYOK mode.
  • If you want to minimize risk, use this in local-only mode (do not set provider keys) so Astrai will route to its hosted models via your ASTRAI_API_KEY, or avoid providing any provider keys and instead call providers yourself locally.

If you want a higher-confidence assessment, provide the remainder of plugin.py (the truncated portion) and confirm whether ASTRAI_BASE_URL or any logging/persistence code appears elsewhere.
Capability Analysis
Type: OpenClaw Skill
Name: astrai-code-review
Version: 1.0.0

The skill collects multiple sensitive API keys (e.g., ANTHROPIC_API_KEY, OPENAI_API_KEY) from the environment via `os.getenv()` in `plugin.py` (`_collect_provider_keys`). These keys are then transmitted in JSON format within the `X-Astrai-Provider-Keys` HTTP header to the external service `https://as-trai.com` (as seen in `plugin.py`'s `_build_headers` and `_call_astrai`). While this behavior is declared in `SKILL.md` as part of its 'BYOK' (Bring Your Own Keys) model, centralizing multiple critical credentials with a single third-party service poses a significant supply chain risk and potential for credential compromise if the external service is malicious or breached. This constitutes a high-risk data exfiltration vector, even if declared.
Capability Assessment
Purpose & Capability
The name/description (Astrai code review with model routing) aligns with the included plugin.py and the declared ASTRAI_API_KEY requirement. Optional provider keys (OpenAI, Anthropic, etc.) are expected for BYOK routing and are present in the code's PROVIDER_KEY_MAP.
Instruction Scope
The plugin reads an environment variable ASTRAI_BASE_URL to override the API base URL, but ASTRAI_BASE_URL is not declared in the SKILL.md environment table. The SKILL.md claims diffs are sent to as-trai.com; the code allows directing requests to any URL via ASTRAI_BASE_URL, which is an undocumented but powerful override.
Install Mechanism
There is no install spec and the skill is instruction-only plus a single plugin.py file. Nothing is downloaded from an external or arbitrary URL during install.
Credentials
The skill requires ASTRAI_API_KEY and optionally collects many provider API keys for BYOK. The plugin gathers these provider keys from the environment and sends them in an HTTP header (X-Astrai-Provider-Keys) to the Astrai routing endpoint. Sending full provider API keys to a third party is a sensitive, high-privilege action; the SKILL.md promises keys are 'never stored' and sent in an 'encrypted header' but the code simply JSON-encodes them into a header (relying on HTTPS for transport protection) and keeps them in memory during the session.
Persistence & Privilege
The skill is not always-enabled, does not modify other skills, and keeps tracking counters in memory. It does not request persistent system-wide privileges. Autonomous invocation is allowed (platform default) but not combined with other excessive privileges here.
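A pre-flight check for the risks listed in the assessment above, as an added example (not code from the skill or from the scanner): it reports which documented provider keys are present in the environment and whether ASTRAI_BASE_URL points anywhere other than the documented host. The function names and severity labels are hypothetical, and treating an empty variable as unset is an assumption, since plugin.py is not reproduced on this page.

```python
import os
from urllib.parse import urlsplit

# Provider variables listed in the skill's environment table.
PROVIDER_VARS = [
    "ANTHROPIC_API_KEY", "OPENAI_API_KEY", "GOOGLE_API_KEY", "DEEPSEEK_API_KEY",
    "MISTRAL_API_KEY", "GROQ_API_KEY", "TOGETHER_API_KEY", "FIREWORKS_API_KEY",
    "COHERE_API_KEY", "PERPLEXITY_API_KEY",
]
DOCUMENTED_HOST = "as-trai.com"  # host named under External Endpoints


def audit_env(env):
    """Return (severity, message) findings for the variables the skill reads."""
    findings = []
    base = env.get("ASTRAI_BASE_URL")
    if base is not None:
        parts = urlsplit(base)
        # Compare the parsed hostname, not a string prefix: prefix checks pass
        # "https://as-trai.com@other.example" and "https://as-trai.com.other.example".
        if parts.scheme != "https":
            findings.append(("high", f"ASTRAI_BASE_URL scheme is {parts.scheme!r}, not https"))
        if parts.hostname != DOCUMENTED_HOST:
            findings.append(("high", f"ASTRAI_BASE_URL sends diffs and keys to {parts.hostname!r}"))
    # Assumption: an empty value counts as unset.
    exposed = sorted(v for v in PROVIDER_VARS if env.get(v))
    if exposed:
        findings.append(("medium", "BYOK active, forwarded in X-Astrai-Provider-Keys: "
                         + ", ".join(exposed)))
    if not env.get("ASTRAI_API_KEY"):
        findings.append(("info", "ASTRAI_API_KEY is unset"))
    return findings


def scrubbed_env(env):
    """Copy of env for local-only mode: no provider keys, no base-URL override."""
    drop = set(PROVIDER_VARS) | {"ASTRAI_BASE_URL"}
    return {k: v for k, v in env.items() if k not in drop}


if __name__ == "__main__":
    for severity, message in audit_env(os.environ):
        print(f"[{severity}] {message}")
```

Passing the result of scrubbed_env(os.environ) as the environment of the agent process keeps the skill in the local-only mode the guidance recommends.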
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install astrai-code-review
  3. After installation, invoke the skill by name or use /astrai-code-review
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: AI-powered code review with intelligent model routing
Metadata
Slug astrai-code-review
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Astrai Code Review?

AI-powered code review with intelligent model routing — saves 40%+ vs always using the most expensive model. It is an AI Agent Skill for Claude Code / OpenClaw, with 779 downloads so far.

How do I install Astrai Code Review?

Run "/install astrai-code-review" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Astrai Code Review free?

Yes, Astrai Code Review is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Astrai Code Review support?

Astrai Code Review is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Astrai Code Review?

It is built and maintained by beee003 (@beee003); the current version is v1.0.0.
