
Code Reviewer

Automated code review for pull requests and code snippets. Analyzes code quality, security vulnerabilities, performance issues, and best practices across Pyt...
Automated review of pull requests and code snippets, analysing code quality, security vulnerabilities, performance issues and best practices (for Python).
Author: ericlooi504
Uncategorized · clawhub · v1.0.0 · 1 version · Key: not required
Stars: 0 · Downloads: 273 · Installs: 0 · Versions: 1 (#latest)

Overview

Code Reviewer

Automated code review analysis for quality, security, performance, and best practices.

When to Use

USE this skill when:

  • "Review this code for bugs"
  • "Check my PR before I submit it"
  • "Is there any security issue in this function?"
  • "Can you optimize this code?"
  • "Review this git diff"
  • "Does this follow [language] best practices?"
  • "Compare these two implementations"

DON'T use this skill when:

  • Need full test suite generation → use a testing skill
  • Need architectural design review → use architecture skills
  • Need deployment pipeline review → use CI/CD skills
  • The code is proprietary/sensitive and shouldn't be shared

Review Checklist

For every code review, the agent checks in this order:

1. 🔴 Critical (must fix)

| Check | What to look for |
|-------|------------------|
| SQL Injection | String concatenation in queries, unescaped user input |
| XSS | Unsanitized output in HTML/templates, dangerouslySetInnerHTML |
| Command Injection | os.system(), exec(), subprocess(shell=True) with user input |
| Path Traversal | ../../ in file paths, unsanitized filenames |
| Sensitive Data | Hardcoded API keys, passwords, tokens, secrets |
| Unvalidated Input | Missing type checks, no boundary validation on arrays/buffers |

2. 🟡 Important (should fix)

| Check | What to look for |
|-------|------------------|
| Null/Undefined | Missing null checks, no Optional/Maybe wrapping |
| Error Handling | Bare except:, swallowed exceptions, no error context |
| Race Conditions | Shared state without locks, async without mutexes |
| Resource Leaks | Unclosed files, connections, handles |
| Type Safety | Implicit casts, any types, missing generics |
| Dead Code | Unused variables, imports, unreachable branches |

3. 🟢 Nice to have

| Check | What to look for |
|-------|------------------|
| Naming | Vague names (data, tmp, foo), inconsistent casing |
| Comments | Stale/no comments, commented-out code |
| Duplication | Repeated logic that should be a function |
| Logging | Missing context in log messages, wrong log level |
| Tests | Missing edge cases, no test for the change |

Workflow

Step 1: Accept Input

The agent accepts code in these forms:

  • Pasted code block: "Review this function: ```python ..."
  • File path: "Review src/app.js"
  • Git diff: "Review my uncommitted changes" → runs git diff
  • GitHub PR URL: "Review https://github.com/user/repo/pull/42"
  • Branch comparison: "Review changes between main and feature-branch"

Step 2: Analyze

For each code segment:

  1. Identify the language and framework
  2. Run the checklist above
  3. Cross-reference common anti-patterns for the language
  4. Check for performance traps (N+1 queries, O(n²) in loops, etc.)

Step 3: Report

Present findings in order of severity with:

## 🔴 Critical
- [Line 42] SQL Injection: f-string used in SQL query. Use parameterized queries.

## 🟡 Important
- [Line 15] Missing null check: `user.getName()` may throw if user is None

## 🟢 Suggestion
- [Line 88] Duplicate logic with lines 12-20 — extract to helper function
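The following is an added example, not code from the skill itself: a small Python AST pass that implements a handful of the Critical and Important checklist items above (SQL query built from a dynamic string, os.system/exec/subprocess with shell=True, hardcoded secrets, bare except:) and returns findings in the severity-then-line order the report format in Step 3 uses. The sample snippet it reviews is constructed for the example; the secret-name pattern and message texts are the example's own assumptions.

```python
import ast
import re

# Assumed for this example: names that suggest a secret, and the severity order.
SECRET_NAME = re.compile(r"(password|passwd|secret|token|api_?key)", re.I)
SEVERITY = {"critical": 0, "important": 1}


def _is_dynamic_string(node: ast.AST) -> bool:
    """f-string, %-formatting, + concatenation or .format(): query built at runtime."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def review(source: str) -> list[tuple[int, str, str]]:
    """Return (line, severity, message) findings, critical first, then by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = ast.unparse(node.func)  # e.g. "cursor.execute", "subprocess.run"
            if name.endswith(".execute") and node.args and _is_dynamic_string(node.args[0]):
                findings.append((node.lineno, "critical",
                                 "SQL Injection: query built from a dynamic string; use parameterized queries"))
            shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True for kw in node.keywords)
            if name in ("os.system", "exec") or (name.startswith("subprocess.") and shell):
                findings.append((node.lineno, "critical", f"Command Injection: {name} runs through a shell"))
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                if (isinstance(target, ast.Name) and SECRET_NAME.search(target.id)
                        and isinstance(node.value, ast.Constant) and isinstance(node.value.value, str)):
                    findings.append((node.lineno, "critical", f"Sensitive Data: hardcoded secret in {target.id}"))
        elif isinstance(node, ast.ExceptHandler) and node.type is None:
            findings.append((node.lineno, "important", "Error Handling: bare except: swallows every exception"))
    return sorted(findings, key=lambda f: (SEVERITY[f[1]], f[0]))


# Constructed sample with one instance of each issue; not code from any real project.
SAMPLE = '''import os, sqlite3, subprocess
API_KEY = "sk-example-not-real"
def lookup(conn, user):
    try:
        conn.execute(f"SELECT * FROM users WHERE name = '{user}'")
    except:
        pass
    subprocess.run("ls " + user, shell=True)
'''
```

Printing each finding as `[Line N] SEVERITY: message` from `review(SAMPLE)` gives the Step 3 layout; a query passed as a constant with a parameter tuple is not flagged.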

Step 4: Offer Fixes (Optional)

The agent can:

  • Show the fix inline
  • Generate a patch file
  • Apply changes directly (with confirmation)

Language-Specific Rules

Python

  • Prefer f-strings over .format() or %
  • Use with for resource management
  • Type hints on function signatures
  • List comprehensions over map/filter
  • Avoid mutable default arguments

JavaScript / TypeScript

  • const over let, never var
  • Prefer early returns over nested ifs
  • Use === not ==
  • Async/await over raw promises
  • Avoid any in TypeScript

Java

  • Use Optional over null returns
  • Prefer try-with-resources
  • Favor composition over inheritance
  • Use interface types, not concrete types

Go

  • Always check errors
  • Use go fmt conventions
  • Prefer defer for cleanup
  • Avoid global state

Shell / Bash

  • Quote all variable expansions
  • Use set -euo pipefail in scripts
  • Prefer [[ ]] over [ ]
  • Avoid parsing ls output

Examples

> User: "Review this Python function" + code block

> Agent: Runs checklist → finds SQL injection. Reports 🔴 Critical with fix

>

> User: "Check my current git diff"

> Agent: Runs git diff, reviews changes, lists findings

>

> User: "Is this TypeScript safe?" + code block

> Agent: Checks types, null safety, anti-patterns → 🟡 reports any misuse

Notes

  • For large PRs, focus on changed lines only
  • Flag false positives transparently
  • If a file is too large, review the most critical areas first

Version History

1 version in total

  • v1.0.0 (current)
    2026-05-08 03:49 · Safe · Safe

Security Scan

Tencent Cloud Security (Keen)

Safe, no risk

Tencent Cloud Security (Sanbu)

Safe, no risk
