
OpenClaw Code Review Skill

A skill definition for automated code review powered by OpenClaw agents. Checks for bugs, security issues, and style violations with structured severity output.

Tags: skill, development, openclaw, code-review, security, quality

by Build Ship Grow

openclaw-code-review-skill.md (markdown)
---
name: code-review
runtime: openclaw/v1
description: Perform structured code review with severity-ranked findings
triggers:
  - /review
  - "review this PR"
  - "check this code"
inputs:
  - name: diff
    source: git.staged
    required: true
  - name: context
    source: repository.languages
    required: false
---

# Code Review Skill

Analyze code changes and produce actionable review feedback grouped by severity.

## Process

1. Parse the incoming diff to identify changed files and line ranges
2. Load file context — read surrounding code for each changed section
3. Run the review checklist against every changed block
4. Aggregate findings and rank by severity

## Review Checklist

### Critical — Must Fix Before Merge
- SQL injection, XSS, or authentication bypass
- Data loss risks: missing transactions, unchecked deletes
- Secrets or credentials committed in plaintext
- Broken error handling: swallowed exceptions, missing try/catch

### Warning — Should Fix
- N+1 queries or unbounded loops over collections
- Missing input validation on user-facing endpoints
- Hardcoded configuration that should use environment variables
- Race conditions in concurrent code paths

### Suggestion — Nice to Have
- Naming improvements for clarity
- Duplicated logic that could be extracted into a helper
- Missing or incomplete TypeScript types
- Opportunities to add unit test coverage

## Output Format

Return findings as a structured list:

```
[CRITICAL] src/auth.ts:42 — Password comparison uses == instead of timing-safe compare
  -> Use crypto.timingSafeEqual() to prevent timing attacks

[WARNING] src/api/users.ts:18 — No pagination on list endpoint
  -> Add limit/offset params with a max page size of 100

[SUGGESTION] src/utils.ts:7 — Function "proc" could be renamed to "processPayment"
  -> Descriptive names reduce cognitive load for future readers
```

## Rules
- Never approve code with Critical findings
- Limit suggestions to 5 per review to avoid noise
- Reference specific line numbers in every finding
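Step 4 of the Process and the three Rules above describe how findings are aggregated and gated. As an added example (not the skill's own code, and not from Build Ship Grow), here is a small Node.js parser for the finding format shown under Output Format that ranks findings by severity, drops suggestions beyond the fifth, flags any finding that lacks a line number, and withholds approval while a Critical finding is present. The function names, the `request_changes` and `approve` verdict strings, and the sample review text are all constructed for this example.

```javascript
// Added example: parse findings in the skill's output format and apply its
// three Rules. Not code from the OpenClaw skill itself.
const SEVERITIES = ['CRITICAL', 'WARNING', 'SUGGESTION']; // rank order
const MAX_SUGGESTIONS = 5;                                 // Rule 2

// Matches "[SEVERITY] path:line — message". The page's format separates the
// location and message with an em dash; a plain hyphen is accepted as well.
// The ":line" part is optional so that Rule 3 can report its absence.
const FINDING_RE = /^\[(CRITICAL|WARNING|SUGGESTION)\]\s+(\S+?)(?::(\d+))?\s+[—-]\s+(.+)$/;
const FIX_RE = /^\s+->\s+/;

// Turn the text block into finding objects; "  -> fix" lines attach to the
// finding that precedes them. Unrecognised lines are an error, not ignored,
// so a malformed review cannot silently lose a finding.
function parseFindings(text) {
  const findings = [];
  for (const raw of text.split('\n')) {
    const line = raw.trimEnd();
    if (!line.trim()) continue;
    const m = FINDING_RE.exec(line);
    if (m) {
      findings.push({
        severity: m[1],
        file: m[2],
        line: m[3] ? Number(m[3]) : null,
        message: m[4],
        fix: null,
      });
    } else if (FIX_RE.test(line) && findings.length > 0) {
      findings[findings.length - 1].fix = line.replace(FIX_RE, '');
    } else {
      throw new Error(`Unrecognised finding line: ${line}`);
    }
  }
  return findings;
}

// Apply the Rules section and rank by severity (Process step 4).
function applyRules(findings) {
  // Rule 3: every finding references a specific line number.
  const violations = findings
    .filter((f) => f.line === null)
    .map((f) => `${f.file}: finding lacks a line number`);

  // Rule 2: keep at most five suggestions, in the order they were reported.
  const kept = [];
  let suggestionCount = 0;
  for (const f of findings) {
    if (f.severity === 'SUGGESTION') {
      if (suggestionCount >= MAX_SUGGESTIONS) continue;
      suggestionCount += 1;
    }
    kept.push(f);
  }
  const totalSuggestions = findings.filter((f) => f.severity === 'SUGGESTION').length;

  // Rule 1: never approve while a Critical finding is present.
  const hasCritical = findings.some((f) => f.severity === 'CRITICAL');

  // Stable sort keeps the reported order within each severity.
  kept.sort((a, b) => SEVERITIES.indexOf(a.severity) - SEVERITIES.indexOf(b.severity));

  return {
    verdict: hasCritical ? 'request_changes' : 'approve',
    findings: kept,
    droppedSuggestions: totalSuggestions - suggestionCount,
    violations,
  };
}

// Render findings back into the skill's output format.
function formatFindings(findings) {
  return findings
    .map((f) => {
      const loc = f.line === null ? f.file : `${f.file}:${f.line}`;
      const head = `[${f.severity}] ${loc} — ${f.message}`;
      return f.fix ? `${head}\n  -> ${f.fix}` : head;
    })
    .join('\n\n');
}

function reviewReport(text) {
  return applyRules(parseFindings(text));
}

// Constructed sample review output (not real review results): one Critical,
// one Warning, six Suggestions, the last of which omits its line number.
const SAMPLE_REVIEW = `
[WARNING] src/api/users.ts:18 — No pagination on list endpoint
  -> Add limit/offset params with a max page size of 100

[CRITICAL] src/auth.ts:42 — Password comparison uses == instead of timing-safe compare
  -> Use crypto.timingSafeEqual() to prevent timing attacks

[SUGGESTION] src/utils.ts:7 — Function "proc" could be renamed to "processPayment"
[SUGGESTION] src/utils.ts:19 — Duplicated date parsing could move into a helper
[SUGGESTION] src/utils.ts:33 — Return type of "load" is implicit any
[SUGGESTION] src/utils.ts:51 — No unit test covers the empty-input branch
[SUGGESTION] src/utils.ts:60 — Variable "tmp" could be named "pendingIds"
[SUGGESTION] src/utils.ts — Consider splitting this module
`;

const report = reviewReport(SAMPLE_REVIEW);
console.log(report.verdict, report.droppedSuggestions, report.violations);
console.log(formatFindings(report.findings));
```

The parser fails loudly on an unrecognised line rather than skipping it; for a gate that decides whether code merges, a dropped Critical is worse than a rejected report.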