# Send Code Review Engine to your agent Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually. ## Fast path - Download the package from Yavira. - Extract it into a folder your agent can access. - Paste one of the prompts below and point your agent at the extracted folder. ## Suggested prompts ### New install ```text I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete. ``` ### Upgrade existing ```text I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run. ``` ## Machine-readable fields ```json { "schemaVersion": "1.0", "item": { "slug": "afrexai-code-reviewer", "name": "Code Review Engine", "source": "tencent", "type": "skill", "category": "开发工具", "sourceUrl": "https://clawhub.ai/1kalin/afrexai-code-reviewer", "canonicalUrl": "https://clawhub.ai/1kalin/afrexai-code-reviewer", "targetPlatform": "OpenClaw" }, "install": { "downloadUrl": "/downloads/afrexai-code-reviewer", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-code-reviewer", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "packageFormat": "ZIP package", "primaryDoc": "SKILL.md", "includedAssets": [ "README.md", "SKILL.md" ], "downloadMode": "redirect", "sourceHealth": { "source": "tencent", "slug": "afrexai-code-reviewer", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-05-01T22:36:58.117Z", "expiresAt": "2026-05-08T22:36:58.117Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-code-reviewer", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-code-reviewer", "contentDisposition": "attachment; filename=\"afrexai-code-reviewer-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null, "slug": "afrexai-code-reviewer" }, "scope": "item", "summary": "Item download looks usable.", "detail": "Yavira can redirect you to the upstream package for this item.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/afrexai-code-reviewer" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] } }, "links": { "detailUrl": "https://openagent3.xyz/skills/afrexai-code-reviewer", "downloadUrl": "https://openagent3.xyz/downloads/afrexai-code-reviewer", "agentUrl": "https://openagent3.xyz/skills/afrexai-code-reviewer/agent", "manifestUrl": "https://openagent3.xyz/skills/afrexai-code-reviewer/agent.json", "briefUrl": "https://openagent3.xyz/skills/afrexai-code-reviewer/agent.md" } } ``` ## Documentation ### Code Review Engine Enterprise-grade automated code review. Works on GitHub PRs, local diffs, pasted code, or entire files. No dependencies — pure agent intelligence. ### Review a GitHub PR Review PR #42 in owner/repo ### Review a local diff Review the staged changes in this repo ### Review a file Review src/auth/login.ts for security issues ### Review pasted code Just paste code and say "review this" ### Review Framework: SPEAR Every review follows the SPEAR framework — 5 dimensions, each scored 1-10: ### 🔴 S — Security (Weight: 3x) CheckSeverityExampleHardcoded secretsCRITICALAPI keys, passwords, tokens in sourceSQL injectionCRITICALString concatenation in queriesXSS vectorsHIGHUnsanitized user input in HTML/DOMPath traversalHIGHUser input in file paths without validationInsecure deserializationHIGHeval(), pickle.loads(), JSON.parse on untrusted inputAuth bypassCRITICALMissing auth checks on endpointsSSRFHIGHUser-controlled URLs in server requestsTiming attacksMEDIUMNon-constant-time string comparison for secretsDependency vulnerabilitiesMEDIUMKnown CVEs in imported packagesSensitive data loggingMEDIUMPII, tokens, passwords in log outputInsecure randomnessMEDIUMMath.random() for security-sensitive valuesMissing rate limitingMEDIUMAuth endpoints without throttling ### 🟡 P — Performance (Weight: 2x) CheckSeverityExampleN+1 queriesHIGHDB call inside a loopUnbounded queriesHIGHSELECT * without LIMIT on user-facing endpointsMissing indexes (implied)MEDIUMFrequent WHERE/ORDER on unindexed columnsMemory leaksHIGHEvent listeners never removed, growing cachesBlocking main threadHIGHSync I/O in async context, CPU-heavy in event loopUnnecessary re-rendersMEDIUMReact: missing memo, unstable refs in depsLarge bundle importsMEDIUMimport _ from 'lodash' vs import get from 'lodash/get'Missing paginationMEDIUMReturning all records to clientRedundant computationLOWSame expensive calc repeated without cachingConnection pool exhaustionHIGHNot releasing DB/HTTP connections ### 🟠 E — Error Handling (Weight: 2x) CheckSeverityExampleSwallowed errorsHIGHEmpty catch blocks, Go _ := on errorMissing error boundariesMEDIUMReact components without error boundariesUnchecked null/undefinedHIGHNo null checks before property accessMissing finally/cleanupMEDIUMResources opened but not guaranteed closedGeneric error messagesLOWcatch(e) { throw new Error("something went wrong") }Missing retry logicMEDIUMNetwork calls without retry on transient failuresPanic/exit in library codeHIGHpanic(), os.Exit(), process.exit() in non-mainUnhandled promise rejectionsHIGHAsync calls without .catch() or try/catchError type conflationMEDIUMAll errors treated the same (4xx vs 5xx, retriable vs fatal) ### 🔵 A — Architecture (Weight: 1.5x) CheckSeverityExampleGod functions (>50 lines)MEDIUMSingle function doing too many thingsGod files (>300 lines)MEDIUMMonolithic moduleTight couplingMEDIUMDirect DB calls in request handlersMissing abstractionLOWRepeated patterns that should be extractedCircular dependenciesHIGHA imports B imports AWrong layerMEDIUMBusiness logic in controllers, SQL in UIMagic numbers/stringsLOWHardcoded values without named constantsMissing typesMEDIUMany in TypeScript, missing type hints in PythonDead codeLOWUnreachable branches, unused imports/variablesInconsistent patternsLOWDifferent error handling styles in same codebase ### 📊 R — Reliability (Weight: 1.5x) CheckSeverityExampleMissing tests for changesHIGHNew logic without corresponding testTest qualityMEDIUMTests that only check happy pathMissing edge casesMEDIUMNo handling for empty arrays, null, boundary valuesRace conditionsHIGHShared mutable state without synchronizationNon-idempotent operationsMEDIUMRetrying could cause duplicatesMissing validationHIGHUser input accepted without schema validationBrittle testsLOWTests depending on execution order or timingMissing loggingMEDIUMError paths with no observabilityConfiguration driftMEDIUMHardcoded env-specific valuesMissing migrationsHIGHSchema changes without migration files ### Per-Finding Severity CRITICAL → -3 points from dimension score HIGH → -2 points MEDIUM → -1 point LOW → -0.5 points INFO → 0 (suggestion only) ### Overall SPEAR Score Calculation Raw Score = (S×3 + P×2 + E×2 + A×1.5 + R×1.5) / 10 Final Score = Raw Score × 10 (scale 0-100) ### Verdict Thresholds ScoreVerdictAction90-100✅ EXCELLENTShip it75-89🟢 GOODMinor suggestions, approve60-74🟡 NEEDS WORKAddress findings before merge40-59🟠 SIGNIFICANT ISSUESMajor rework needed0-39🔴 BLOCKCritical issues, do not merge ### Review Output Template Use this structure for every review: # Code Review: [PR title or file name] ## Summary [1-2 sentence overview of what this code does and overall quality] ## SPEAR Score: [X]/100 — [VERDICT] | Dimension | Score | Key Finding | |-----------|-------|-------------| | 🔴 Security | X/10 | [worst finding or "Clean"] | | 🟡 Performance | X/10 | [worst finding or "Clean"] | | 🟠 Error Handling | X/10 | [worst finding or "Clean"] | | 🔵 Architecture | X/10 | [worst finding or "Clean"] | | 📊 Reliability | X/10 | [worst finding or "Clean"] | ## Findings ### [CRITICAL/HIGH] 🔴 [Title] **File:** \`path/to/file.ts:42\` **Category:** Security **Issue:** [What's wrong] **Impact:** [What could happen] **Fix:** \`\`\`[lang] // suggested fix ### [MEDIUM] 🟡 [Title] ... ### What's Done Well [Genuinely good patterns worth calling out] ### Recommendations [Prioritized action items] --- ## Language-Specific Patterns ### TypeScript / JavaScript - \`any\` type usage → Architecture finding - \`as\` type assertions → potential runtime error - \`console.log\` in production code → Style - \`==\` instead of \`===\` → Reliability - Missing \`async/await\` error handling - \`useEffect\` missing cleanup return - Index signatures without validation ### Python - Bare \`except:\` or \`except Exception:\` → Error Handling - \`eval()\` / \`exec()\` → Security CRITICAL - Mutable default arguments → Reliability - \`import *\` → Architecture - Missing \`__init__.py\` type hints - f-strings with user input → potential injection ### Go - \`_ :=\` discarding errors → Error Handling HIGH - \`panic()\` in library code → Reliability HIGH - Missing \`defer\` for resource cleanup - Exported functions without doc comments - \`interface{}\` / \`any\` overuse ### Java - Catching \`Exception\` or \`Throwable\` → Error Handling - Missing \`@Override\` annotations - Mutable static fields → thread safety - \`System.out.println\` in production - Missing null checks (pre-Optional code) ### SQL - String concatenation in queries → Security CRITICAL - \`SELECT *\` → Performance - Missing WHERE on UPDATE/DELETE → Security CRITICAL - No LIMIT on user-facing queries → Performance - Missing indexes for JOIN columns --- ## Advanced Techniques ### Reviewing for Business Logic Beyond code quality, check: - Does the code match the PR description / ticket requirements? - Are there edge cases the spec didn't mention? - Could this break existing functionality? - Is there a simpler way to achieve the same result? ### Reviewing for Operability - Can this be debugged in production? (logging, error messages) - Can this be rolled back safely? - Are feature flags needed? - What monitoring should accompany this change? ### Reviewing Database Changes - Is the migration reversible? - Will it lock tables during migration? - Are there indexes for new query patterns? - Is there a data backfill needed? ### Security Review Depth Levels | Level | When | What | |-------|------|------| | Quick | Internal tool, trusted input | OWASP Top 10 patterns only | | Standard | User-facing feature | + auth, input validation, output encoding | | Deep | Payment, auth, PII handling | + crypto review, session management, audit logging | | Threat Model | New service/API surface | + attack surface mapping, trust boundaries | --- ## Integration Patterns ### GitHub PR Review \`\`\`bash # Get PR diff gh pr diff 42 --repo owner/repo # Get PR details gh pr view 42 --repo owner/repo --json title,body,files,commits # Post review comment gh pr review 42 --repo owner/repo --comment --body "review content" ### Local Git Review # Review staged changes git diff --cached # Review branch vs main git diff main..HEAD # Review last N commits git log -5 --oneline && git diff HEAD~5..HEAD ### Heartbeat / Cron Integration Check for open PRs in [repo] that I haven't reviewed yet. For each, run a SPEAR review and post the results as a PR comment. ### Edge Cases & Gotchas Large PRs (>500 lines): Break into logical chunks. Review file-by-file. Flag the PR size itself as a finding (Architecture: "PR too large — consider splitting"). Generated code: Skip generated files (proto, swagger, migrations from ORMs). Note that you skipped them. Dependency updates: Focus on breaking changes in changelogs, not the lockfile diff. Merge conflicts markers: Flag immediately as CRITICAL — <<<<<<< in code means broken merge. Binary files: Note presence, can't review content. Config changes: Extra scrutiny — wrong env var = production outage. Refactors: Verify behavior preservation. Check if tests still pass conceptually. ### Review Checklist (Quick Mode) For fast reviews when full SPEAR isn't needed: No hardcoded secrets or credentials No SQL injection / XSS / path traversal All errors handled (no empty catch, no discarded errors) No N+1 queries or unbounded operations Tests exist for new/changed logic No console.log / print / fmt.Print left in Functions under 50 lines, files under 300 lines Types are specific (no any / interface{}) PR description matches the actual changes No TODOs without linked issues ## Trust - Source: tencent - Verification: Indexed source record - Publisher: 1kalin - Version: 1.0.0 ## Source health - Status: healthy - Item download looks usable. - Yavira can redirect you to the upstream package for this item. - Health scope: item - Reason: direct_download_ok - Checked at: 2026-05-01T22:36:58.117Z - Expires at: 2026-05-08T22:36:58.117Z - Recommended action: Download for OpenClaw ## Links - [Detail page](https://openagent3.xyz/skills/afrexai-code-reviewer) - [Send to Agent page](https://openagent3.xyz/skills/afrexai-code-reviewer/agent) - [JSON manifest](https://openagent3.xyz/skills/afrexai-code-reviewer/agent.json) - [Markdown brief](https://openagent3.xyz/skills/afrexai-code-reviewer/agent.md) - [Download page](https://openagent3.xyz/downloads/afrexai-code-reviewer)