← Back to Skills Marketplace
anderskev

Axum Code Review

by Kevin Anderson · GitHub ↗ · v1.0.2 · MIT-0
cross-platform ✓ Security Clean
178
Downloads
0
Stars
1
Active Installs
3
Versions
Install in OpenClaw
/install axum-code-review
Description
Reviews axum web framework code for routing patterns, extractor usage, middleware, state management, and error handling. Use when reviewing Rust code that us...
README (SKILL.md)

Axum Code Review

Review Workflow

  1. Check Cargo.toml — Note axum version (0.6 vs 0.7+ have different patterns), Rust edition (2021 vs 2024), tower, tower-http features. Edition 2024 changes RPIT lifetime capture in handler return types and removes the need for async-trait in custom extractors.
  2. Check routing — Route organization, method routing, nested routers
  3. Check extractors — Order matters (body extractors must be last), correct types
  4. Check state — Shared state via State\x3CT>, not global mutable state
  5. Check error handlingIntoResponse implementations, error types

Gates (before reporting findings)

Run in order. Do not write a finding until the step that applies has passed.

  1. Version and edition on diskPass when: You have read the relevant Cargo.toml (crate or workspace root) and can state axum (and related tower/tower-http) versions and Rust edition. Then apply 0.6 vs 0.7+ or Edition 2024–specific checklist items only when that file supports them.

  2. Per-finding evidencePass when: Each issue cites [FILE:LINE] from the current tree for the handler, router, layer, or type under review (not from memory, docs-only, or another branch).

  3. Category check vs protocolPass when: For the finding type (routing conflict, extractor order, error leak, middleware order, etc.), you ran the matching checks from beagle-rust:review-verification-protocol (e.g. full handler signature for extractor order; surrounding error mapping before “raw error to client”). Then add the finding.

  4. Output shapePass when: The report lines match Output Format below (severity + description).

Output Format

Report findings as:

[FILE:LINE] ISSUE_TITLE
Severity: Critical | Major | Minor | Informational
Description of the issue and why it matters.

Quick Reference

Issue Type Reference
Route definitions, nesting, method routing references/routing.md
State, Path, Query, Json, body extractors references/extractors.md
Tower middleware, layers, error handling references/middleware.md

Review Checklist

Routing

  • Routes organized by domain (nested routers for /api/users, /api/orders)
  • Fallback handlers defined for 404s
  • Method routing explicit (.get(), .post(), not .route() with manual method matching)
  • No route conflicts (overlapping paths with different extractors)

Extractors

  • Body-consuming extractors (Json, Form, Bytes) are the LAST parameter
  • State\x3CT> requires T: Clone — typically Arc\x3CAppState> or direct Clone derive
  • Path\x3CT> parameter types match the route definition
  • Query\x3CT> fields are Option for optional query params with #[serde(default)]
  • Custom extractors implement FromRequestParts (not body) or FromRequest (body)
  • Edition 2024: Custom extractors use native async fn in trait impls (no #[async_trait] needed for FromRequest/FromRequestParts)

State Management

  • Application state shared via State\x3CT>, not global mutable statics
  • Database pool in state (not created per-request)
  • State contains only shared resources (pool, config, channels), not request-specific data
  • Clone derived or manually implemented on state type
  • Edition 2024: Shared static state uses LazyLock from std (not once_cell::sync::Lazy or lazy_static!)

Error Handling

  • Handler errors implement IntoResponse for proper HTTP error codes
  • Internal errors don't leak to clients (no raw error messages in 500 responses)
  • Error responses use consistent format (JSON error body with code/message)
  • Result\x3Cimpl IntoResponse, AppError> pattern used for handlers
  • Edition 2024: Handler return types -> impl IntoResponse capture all in-scope lifetimes by default; use + use\x3C> to opt out of capturing request lifetimes when returning owned data

Middleware

  • Tower layers applied in correct order (outer runs first on request, last on response)
  • tower-http used for common concerns (CORS, compression, tracing, timeout)
  • Request-scoped data passed via extensions, not global state
  • Middleware errors don't panic — they return error responses
  • Edition 2024: Middleware using #[async_trait] can migrate to native async fn in trait impls

Severity Calibration

Critical

  • Body extractor not last in handler parameters (silently consumes body, later extractors fail)
  • SQL injection via path/query parameters passed directly to queries
  • Internal error details leaked to clients (stack traces, database errors)
  • Missing authentication middleware on protected routes

Major

  • Global mutable state instead of State\x3CT> (race conditions)
  • Missing error type conversion (raw sqlx::Error returned to client)
  • Missing request timeout (handlers can hang indefinitely)
  • Route conflicts causing unexpected 405s
  • Edition 2024: async-trait still used for FromRequest/FromRequestParts when native async fn works

Minor

  • Manual route method matching instead of .get(), .post()
  • Missing fallback handler (default 404 is plain text, not JSON)
  • Middleware applied per-route when it should be global (or vice versa)
  • Missing tower-http::trace for request logging
  • Edition 2024: once_cell::sync::Lazy or lazy_static! used where std::sync::LazyLock works

Informational

  • Suggestions to use tower-http layers for common concerns
  • Router organization improvements
  • Suggestions to add OpenAPI documentation via utoipa or aide

Valid Patterns (Do NOT Flag)

  • #[axum::debug_handler] on handlers — Debugging aid that improves compile error messages
  • Extension\x3CT> for middleware-injected data — Valid pattern for request-scoped values
  • Returning impl IntoResponse from handlers — More flexible than concrete types
  • Router::new() per module, merged in main — Standard organization pattern
  • ServiceBuilder for layer composition — Tower pattern, not over-engineering
  • axum::serve with TcpListener — Standard axum 0.7+ server setup
  • Native async fn in FromRequest/FromRequestParts implsasync-trait crate no longer needed (stable since Rust 1.75)
  • + use\x3C'a> on handler return types — Edition 2024 precise capture syntax for RPIT
  • std::sync::LazyLock for shared static state — Replaces once_cell/lazy_static (stable since Rust 1.80)

Before Submitting Findings

Complete Gates (before reporting findings) and load beagle-rust:review-verification-protocol for category-specific checks before any issue is final.

Usage Guidance
This skill appears internally consistent: it expects to read the project tree (Cargo.toml and source files) and produce findings with [FILE:LINE] evidence. Before installing or running it, confirm you are comfortable granting the agent read access to any repository you want reviewed (it will need to inspect source files). Because it is instruction-only, no binaries are installed and no credentials are requested. If you need extra assurance, review a sample report the skill produces on non-sensitive code and verify the agent does not attempt to fetch external resources or expose secrets from the repository. If you want the reviewer to follow a different verification protocol, ensure the referenced 'beagle-rust:review-verification-protocol' is available to your agent or provide an explicit checklist.
Capability Assessment
Purpose & Capability
Name/description match the provided instructions and reference materials. The checks (Cargo.toml, routing, extractors, middleware, state, error handling) are exactly what an axum code-review helper would need.
Instruction Scope
SKILL.md instructs the agent to read repository files (Cargo.toml and source files) and produce file:line backed findings — this is expected for a source-code review. It does not ask to read unrelated system paths, environment variables, or send data to external endpoints. It references an external 'beagle-rust:review-verification-protocol' as a verification checklist, which is a documentation reference rather than an instruction to call out to a network service.
Install Mechanism
No install spec and no code files are included; instruction-only skills are lowest risk and nothing will be written to disk by an installer.
Credentials
No environment variables, credentials, or config paths are requested. The skill's needs are minimal and proportional to performing a source review.
Persistence & Privilege
always is false and the skill does not request persistent presence or modify other skills or system configuration. Autonomous invocation is allowed (platform default) but not combined with elevated privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install axum-code-review
  3. After installation, invoke the skill by name or use /axum-code-review
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
- Adds explicit "Gates (before reporting findings)" section to clarify preconditions before reporting any issue, including evidence requirements and protocol checks. - Requires reviewers to verify axum version, edition, and cite each finding with current `[FILE:LINE]` evidence before submitting. - Clarifies that findings must be based on on-disk code and reference matching steps from `beagle-rust:review-verification-protocol`. - Tightens and documents the review/reporting workflow for improved accuracy and consistency.
v1.0.1
- Added Rust 2024 edition-specific guidance for axum reviews, covering native async trait impls and lifetime capture. - Expanded checklist for extractors, state, error handling, and middleware to highlight Rust 2024 edition patterns (e.g., LazyLock, use of native async fn, lifetime capture changes). - Updated major and minor severity categories with new issues relevant to Rust 2024 migration (e.g., continued use of async-trait, legacy Lazy usage). - Refreshed Valid Patterns section to include new Rust 1.75+ and 1.80+ idioms. - Minor clarifications in workflow and output formatting.
v1.0.0
Initial release focused on Axum web framework code review: - Reviews routing, extractor usage, middleware, state management, and error handling in axum, tower, or hyper-based services. - Supports axum 0.7+ with updated patterns for state and extractors. - Provides a step-by-step review workflow and structured output format. - Includes detailed checklists, severity calibration, and valid pattern clarifications. - References additional documentation for routing, extractors, and middleware. - Integrates with beagle-rust:review-verification-protocol before findings submission.
Metadata
Slug axum-code-review
Version 1.0.2
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 3
Frequently Asked Questions

What is Axum Code Review?

Reviews axum web framework code for routing patterns, extractor usage, middleware, state management, and error handling. Use when reviewing Rust code that us... It is an AI Agent Skill for Claude Code / OpenClaw, with 178 downloads so far.

How do I install Axum Code Review?

Run "/install axum-code-review" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Axum Code Review free?

Yes, Axum Code Review is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Axum Code Review support?

Axum Code Review is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Axum Code Review?

It is built and maintained by Kevin Anderson (@anderskev); the current version is v1.0.2.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments