code-review-ai-ai-review
Automating Code Review with AI
Turn manual code review into AI-assisted, automated quality assurance. This skill combines static analysis tools with Claude and GPT models to catch security vulnerabilities, performance problems, and architectural issues early.
Download the skill ZIP
Upload it in Claude
Go to Settings → Features → Skills → Upload skill
Enable it and start using it
Test it
Using "code-review-ai-ai-review": Review this security-sensitive authentication module
Expected result:
## Security Review Findings

**CRITICAL - SQL Injection**
- File: `src/auth/login.ts:42`
- String concatenation with user input enables SQL injection
- Fix: Use parameterized queries

**HIGH - Weak Password Storage**
- File: `src/auth/user.ts:15`
- Using MD5 for password hashing
- Fix: Use bcrypt or Argon2
Using "code-review-ai-ai-review": Analyze this database query for performance issues
Expected result:
## Performance Analysis

**HIGH - N+1 Query Detected**
- File: `src/api/users.js:28`
- Loop contains 5 database calls
- Impact: 100 users = 500 queries
- Fix: Use JOIN or batch loading
Using "code-review-ai-ai-review": Review microservice architecture changes
Expected result:
## Architecture Review

**WARNING - Shared Database**
- Service boundaries violated
- Fix: Implement database-per-service pattern

**INFO - Missing Circuit Breaker**
- External API calls lack resilience
- Recommendation: Add circuit breaker pattern
Security Audit
All 53 static findings are false positives. The skill is a legitimate code review assistant that integrates security scanning tools (SonarQube, CodeQL, Semgrep, TruffleHog) with AI models. External commands, environment access, and network calls are all required for its core function of automated code analysis and GitHub integration.
Low-risk issues (6)
What you can build
Automated pull request review
Integrate with your CI/CD pipeline to review every pull request automatically, posting structured comments with security, performance, and architecture feedback.
Security-focused audits
Run comprehensive security analysis with CodeQL and Semgrep to identify SQL injection, XSS, authentication bypass, and other critical vulnerabilities.
Performance optimization
Detect common performance anti-patterns such as N+1 queries, missing database indexes, and unbounded collections before they reach production.
Try these prompts

Review this pull request for security vulnerabilities and code quality issues:
PR Description: {pr_description}
Code Diff:
{diff}
Focus on: Security bugs, performance issues, and maintainability concerns.

Perform a deep security analysis of this code change. Check for:
1. SQL injection and command injection vulnerabilities
2. Authentication and authorization flaws
3. Insecure cryptographic practices
4. Data exposure risks
Code:
{code_snippet}
Static analysis results:
{static_results}

Analyze this code change for architectural concerns:
- Does it follow SOLID principles?
- Are dependencies properly managed?
- Is there proper separation of concerns?
- Any potential scalability issues?
Code:
{code}
System context: {architecture_summary}

Conduct a comprehensive code review combining static analysis results with AI analysis:
Diff:
{diff}
SonarQube issues: {sonarqube}
CodeQL alerts: {codeql}
Semgrep findings: {semgrep}
Provide prioritized findings with actionable fix examples.

Best practices
- Run static analysis tools (CodeQL, Semgrep) before the AI analysis so it has concrete context to work from
- Use temperature=0.1-0.2 for consistent, deterministic security reviews
- Set a quality gate that blocks PRs containing findings of CRITICAL severity
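To make the quality gate concrete, here is an added example (not code from the skill itself) that parses the review output format shown in the expected results above, picking up the `**SEVERITY - Title**` headers with their `File:` and `Fix:` bullets, and blocks when any finding meets the configured severity threshold. The sample review text and the four severity levels CRITICAL/HIGH/WARNING/INFO are taken from this page's examples; `block_at` is an assumed parameter name.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the review output format shown on this page.
SAMPLE_REVIEW = """## Security Review Findings
**CRITICAL - SQL Injection**
- File: `src/auth/login.ts:42`
- String concatenation with user input enables SQL injection
- Fix: Use parameterized queries
**HIGH - Weak Password Storage**
- File: `src/auth/user.ts:15`
- Using MD5 for password hashing
- Fix: Use bcrypt or Argon2
"""

# Severity levels used in the skill's sample output, ranked for thresholding.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "WARNING": 2, "INFO": 1}
HEADER_RE = re.compile(r"^\*\*(CRITICAL|HIGH|WARNING|INFO) - (.+?)\*\*$")


@dataclass
class Finding:
    severity: str
    title: str
    file: Optional[str] = None
    fix: Optional[str] = None


def parse_findings(text: str) -> List[Finding]:
    """Extract findings from the markdown review; bullets attach to the last header."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            findings.append(Finding(severity=m.group(1), title=m.group(2)))
        elif findings and line.startswith("- File:"):
            findings[-1].file = line[len("- File:"):].strip().strip("`")
        elif findings and line.startswith("- Fix:"):
            findings[-1].fix = line[len("- Fix:"):].strip()
    return findings


def quality_gate(findings: List[Finding], block_at: str = "CRITICAL") -> Tuple[bool, List[Finding]]:
    """Return (passed, blocking_findings); blocks on severity >= block_at."""
    threshold = SEVERITY_RANK[block_at]
    blocking = [f for f in findings if SEVERITY_RANK[f.severity] >= threshold]
    return (not blocking, blocking)
```

Run with `quality_gate(parse_findings(SAMPLE_REVIEW))` to see the gate fail on the CRITICAL SQL injection finding while the HIGH finding alone would pass it.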
Avoid
- Relying on the AI alone without static analysis context: the model may miss known vulnerability patterns
- Setting the temperature too high (>0.5), which produces inconsistent or fabricated findings
- Ignoring the false-positive rate: always verify critical findings manually