스킬 code-review-ai-ai-review
📝

code-review-ai-ai-review

안전

使用AI自动化代码审查

将手动代码审查转变为AI辅助的自动化质量保证。该技能将静态分析工具与Claude和GPT模型相结合,在早期发现安全漏洞、性能问题和架构问题。

지원: Claude Codex Code(CC)
📊 70 적절함
1

스킬 ZIP 다운로드

2

Claude에서 업로드

설정 → 기능 → 스킬 → 스킬 업로드로 이동

3

토글을 켜고 사용 시작

테스트해 보기

"code-review-ai-ai-review" 사용 중입니다. Review this security-sensitive authentication module

예상 결과:

  • ## Security Review Findings **CRITICAL - SQL Injection** - File: `src/auth/login.ts:42` - String concatenation with user input enables SQL injection - Fix: Use parameterized queries **HIGH - Weak Password Storage** - File: `src/auth/user.ts:15` - Using MD5 for password hashing - Fix: Use bcrypt or Argon2

"code-review-ai-ai-review" 사용 중입니다. Analyze this database query for performance issues

예상 결과:

  • ## Performance Analysis **HIGH - N+1 Query Detected** - File: `src/api/users.js:28` - Loop contains 5 database calls - Impact: 100 users = 500 queries - Fix: Use JOIN or batch loading

"code-review-ai-ai-review" 사용 중입니다. Review microservice architecture changes

예상 결과:

  • ## Architecture Review **WARNING - Shared Database** - Service boundaries violated - Fix: Implement database-per-service pattern **INFO - Missing Circuit Breaker** - External API calls lack resilience - Recommendation: Add circuit breaker pattern

보안 감사

안전
v1 • 2/25/2026

All 53 static findings are false positives. The skill is a legitimate code review assistant that integrates security scanning tools (SonarQube, CodeQL, Semgrep, TruffleHog) with AI models. External commands, environment access, and network calls are all required for its core function of automated code analysis and GitHub integration.

1
스캔된 파일
453
분석된 줄 수
6
발견 사항
1
총 감사 수
낮은 위험 문제 (6)
SKILL.md:369SKILL.md:372
External Command Execution
The skill contains examples of running static analysis tools (sonar-scanner, semgrep, codeql) via subprocess. These are hardcoded tool invocations required for code review functionality - not user input injection vectors.
SKILL.md:361SKILL.md:362
Environment Variable Access
Accesses GITHUB_TOKEN and ANTHROPIC_API_KEY environment variables. These are required for authenticating with GitHub API to post review comments and Claude API for AI analysis.
SKILL.md:285
Network Request to External URL
Contains a reference URL to cwe.mitre.org for vulnerability documentation. This is a documentation link, not a data exfiltration endpoint.
SKILL.md:324
File System Operations
Reads review-comments.json file to post comments via GitHub API. Standard file I/O for workflow automation.
SKILL.md:190-197
Secret Detection Tools
Shows integration with TruffleHog for secret scanning. This is a defensive security tool to DETECT leaked secrets, not to exfiltrate them.
SKILL.md:3SKILL.md:61
Weak Cryptographic Algorithm References
Mentions MD5 and SHA-1 in OWASP Top 10 context as vulnerabilities to DETECT (e.g., weak password hashing), not as algorithms the skill uses.

감지된 패턴

Code Execution + Network + Credentials Pattern
감사자: claude

품질 점수

38
아키텍처
100
유지보수성
87
콘텐츠
33
커뮤니티
93
보안
91
사양 준수

만들 수 있는 것

自动化拉取请求审查

与CI/CD管道集成以自动审查每个拉取请求,发布包含安全、性能和架构反馈的结构化评论。

安全重点审计

使用CodeQL和Semgrep运行全面安全分析,识别SQL注入、XSS、身份验证绕过和其他关键漏洞。

性能优化

在生产环境之前检测常见的性能反模式,如N+1查询、缺失数据库索引和无界集合。

이 프롬프트를 사용해 보세요

基础代码审查 
Review this pull request for security vulnerabilities and code quality issues:

PR Description: {pr_description}

Code Diff:
{diff}

Focus on: Security bugs, performance issues, and maintainability concerns.
全面安全扫描 
Perform a deep security analysis of this code change. Check for:
1. SQL injection and command injection vulnerabilities
2. Authentication and authorization flaws
3. Insecure cryptographic practices
4. Data exposure risks

Code:
{code_snippet}

Static analysis results:
{static_results}
架构审查 
Analyze this code change for architectural concerns:
- Does it follow SOLID principles?
- Are dependencies properly managed?
- Is there proper separation of concerns?
- Any potential scalability issues?

Code:
{code}

System context: {architecture_summary}
集成CI的全面代码审查 
Conduct a comprehensive code review combining static analysis results with AI analysis:

Diff:
{diff}

SonarQube issues: {sonarqube}
CodeQL alerts: {codeql}
Semgrep findings: {semgrep}

Provide prioritized findings with actionable fix examples.

모범 사례

  • 在AI分析之前运行静态分析工具(CodeQL、Semgrep)以提供上下文数据
  • 使用temperature=0.1-0.2进行一致且确定的安全审查
  • 设置质量门禁,阻止包含CRITICAL严重级别问题的PR

피하기

  • 仅依赖AI而没有静态分析上下文-AI可能遗漏已知漏洞模式
  • 设置temperature过高(>0.5)导致不一致或编造的发现
  • 忽略误报率-始终手动验证关键发现

자주 묻는 질문

此技能使用哪些静态分析工具?
该技能集成SonarQube、CodeQL、Semgrep、TruffleHog和GitGuardian进行全面的安全扫描。
哪些AI模型最适合代码审查?
推荐使用Claude 4.5 Sonnet和GPT-4o进行详细分析。对于200行以内的快速审查,Haiku或mini模型就足够了。
使用此技能是否需要API密钥?
是的,您需要GITHUB_TOKEN用于发布评论,以及ANTHROPIC_API_KEY或OPENAI_API_KEY用于AI分析。
此技能能否检测代码中的密钥?
是的,它包含TruffleHog集成,用于检测泄露的API密钥、密码和其他敏感凭证。
CI/CD集成如何工作?
该技能提供GitHub Actions工作流程示例,运行静态分析、调用AI API并发布结构化审查评论。
支持哪些语言?
该技能通过CodeQL和Semgrep特定语言规则支持30多种语言。

개발자 세부 정보

작성자

sickn33

라이선스

MIT

리포지토리

https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/code-review-ai-ai-review

참조

main

파일 구조

📄 SKILL.md