$ ~/registry/skill/openclaw-agents-skills-autoreview

SKILL

autoreview

Auto Review closeout. Codex review is the default when no engine is set and is the recommended reviewer.

来源

GitHub

更新于

2026-06-06

// 安全评估低风险

仅提示词，不执行代码
开源可审计

正在进行安全审计…

凭证密钥
网络外发
代码执行
数据访问
来源供应链

// 安装

复制安装指令，让 AI 自动完成配置 · 推荐新手

请帮我安装 askskill 上的 "autoreview" 技能：
1. 下载 https://raw.githubusercontent.com/openclaw/openclaw/main/.agents/skills/autoreview/SKILL.md
2. 保存为 ~/.claude/skills/autoreview/SKILL.md
3. 装好后重载技能，告诉我可以用了

// 下载

下载 SKILL.md机读安装清单 ↗

// 文档

Auto Review

Run the bundled structured review helper as a closeout check. This is code review, not Guardian auto_review approval routing.

Codex review is the default when no engine is set. It usually delivers the best review results and should remain the normal final closeout engine.

Use when:

user asks for Codex review / Claude review / autoreview / second-model review
after non-trivial code edits, before final/commit/ship
reviewing a local branch or PR branch after fixes

Contract

Treat review output as advisory. Never blindly apply it.
Verify every finding by reading the real code path and adjacent files.
Read dependency docs/source/types when the finding depends on external behavior.
Reject unrealistic edge cases, speculative risks, broad rewrites, and fixes that over-complicate the codebase.
Prefer small fixes at the right ownership boundary; no refactor unless it clearly improves the bug class.
When an accepted finding shows a bug class or repeated pattern, inspect the current PR scope for sibling instances before fixing.
Fix the scoped bug class at once when practical; stop at touched surfaces, owner boundaries, and clear follow-up territory.
Keep going until structured review returns no accepted/actionable findings.
If a review-triggered fix changes code, rerun focused tests and rerun the structured review helper.
For security-audit suppression changes, verify accepted findings remain auditable: suppressed findings stay in structured output, active output keeps an unsuppressible suppression notice, and aggregate findings cannot hide unrelated active risk.
Never switch or override the requested review engine/model. If the review hits model capacity, retry the same command a few times with the same engine/model.
Be patient with large bundles. Structured review can take up to 30 minutes while the model call is active, especially with Codex tools or web search.
Treat heartbeat lines like review still running: ... elapsed=... pid=... as healthy progress, not a hang. Let the helper continue while heartbeats are advancing. Pass --stream-engine-output when live engine text is useful; Codex and Claude filter tool/file chatter, other engines pass raw output through.
Do not kill a review just because it has been quiet for 2-5 minutes, or because it is still running under the 30-minute window. Inspect the process only after missing multiple expected heartbeats, after 30 minutes, or after an obviously failed subprocess; prefer letting the same helper command finish.
Tools are useful in review mode. The helper allows read-only inspection tools and web search by default so reviewers can check dependency contracts, upstream docs, and current behavior.
Security perspective is always included, but it should not cripple legitimate functionality. Report security findings only when the change creates a concrete, actionable risk or removes an important safety check.
For regression provenance, if no blamed PR is traceable, use the blamed commit as the provenance: commit SHA, date, and author username. Do not guess a merger or frame missing PR metadata as a separate finding.
Do not invoke built-in codex review, nested reviewers, or reviewer panels from inside the review. The helper builds one bundle, calls one selected engine, validates one structured result, and stops.
Stop as soon as the helper exits 0 with no accepted/actionable findings. Do not run an extra review just to get a nicer "clean" line, a second opinion, or clearer closeout wording.
Treat the helper's successful exit plus absence of actionable findings as the clean review result, even if the underlying Codex CLI output is terse.
Multi-reviewer panels are opt-in only. Use them when explicitly requested or when risk justifies the extra spend; the main agent still verifies every accepted finding before fixing.

…

查看完整文档 ↗

// 同源资产

技能

model-usage

Summarize CodexBar local cost logs by model for Codex or Claude, including current or full breakdowns.

openclaw装→

技能

nano-pdf

Edit PDFs with natural-language instructions using the nano-pdf CLI.

openclaw装→

技能

node-connect

Diagnose OpenClaw Android, iOS, or macOS node pairing, QR/setup code, route, auth, and connection failures.

openclaw装→

技能

node-inspect-debugger

Debug Node.js with node inspect, --inspect, breakpoints, CDP, heap, and CPU profiles.

openclaw装→

技能

notion

Notion CLI/API for pages, Markdown content, data sources, files, comments, search, Workers, and raw API calls.

openclaw装→

技能

meme-maker

Search meme templates, suggest formats, and generate local or hosted image memes.

openclaw装→

$ loading_

请帮我安装 askskill 上的 "autoreview" 技能： 1. 下载 https://raw.githubusercontent.com/openclaw/openclaw/main/.agents/skills/autoreview/SKILL.md 2. 保存为 ~/.claude/skills/autoreview/SKILL.md 3. 装好后重载技能，告诉我可以用了

// 文档

Auto Review

Run the bundled structured review helper as a closeout check. This is code review, not Guardian auto_review approval routing.

Codex review is the default when no engine is set. It usually delivers the best review results and should remain the normal final closeout engine.

Use when:

user asks for Codex review / Claude review / autoreview / second-model review
after non-trivial code edits, before final/commit/ship
reviewing a local branch or PR branch after fixes

Contract

Treat review output as advisory. Never blindly apply it.
Verify every finding by reading the real code path and adjacent files.
Read dependency docs/source/types when the finding depends on external behavior.
Reject unrealistic edge cases, speculative risks, broad rewrites, and fixes that over-complicate the codebase.
Prefer small fixes at the right ownership boundary; no refactor unless it clearly improves the bug class.
When an accepted finding shows a bug class or repeated pattern, inspect the current PR scope for sibling instances before fixing.
Fix the scoped bug class at once when practical; stop at touched surfaces, owner boundaries, and clear follow-up territory.
Keep going until structured review returns no accepted/actionable findings.
If a review-triggered fix changes code, rerun focused tests and rerun the structured review helper.
For security-audit suppression changes, verify accepted findings remain auditable: suppressed findings stay in structured output, active output keeps an unsuppressible suppression notice, and aggregate findings cannot hide unrelated active risk.
Never switch or override the requested review engine/model. If the review hits model capacity, retry the same command a few times with the same engine/model.
Be patient with large bundles. Structured review can take up to 30 minutes while the model call is active, especially with Codex tools or web search.
Treat heartbeat lines like review still running: ... elapsed=... pid=... as healthy progress, not a hang. Let the helper continue while heartbeats are advancing. Pass --stream-engine-output when live engine text is useful; Codex and Claude filter tool/file chatter, other engines pass raw output through.
Do not kill a review just because it has been quiet for 2-5 minutes, or because it is still running under the 30-minute window. Inspect the process only after missing multiple expected heartbeats, after 30 minutes, or after an obviously failed subprocess; prefer letting the same helper command finish.
Tools are useful in review mode. The helper allows read-only inspection tools and web search by default so reviewers can check dependency contracts, upstream docs, and current behavior.
Security perspective is always included, but it should not cripple legitimate functionality. Report security findings only when the change creates a concrete, actionable risk or removes an important safety check.
For regression provenance, if no blamed PR is traceable, use the blamed commit as the provenance: commit SHA, date, and author username. Do not guess a merger or frame missing PR metadata as a separate finding.
Do not invoke built-in codex review, nested reviewers, or reviewer panels from inside the review. The helper builds one bundle, calls one selected engine, validates one structured result, and stops.
Stop as soon as the helper exits 0 with no accepted/actionable findings. Do not run an extra review just to get a nicer "clean" line, a second opinion, or clearer closeout wording.
Treat the helper's successful exit plus absence of actionable findings as the clean review result, even if the underlying Codex CLI output is terse.
Multi-reviewer panels are opt-in only. Use them when explicitly requested or when risk justifies the extra spend; the main agent still verifies every accepted finding before fixing.

…

查看完整文档 ↗