AI代码审查工具 - 自动化安全漏洞检测与代码质量分析 | 支持多领域检查清单

code-review by llama-farm/llamafarm

1,200 周安装量

824 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/llama-farm/llamafarm --skill code-review

AI/机器学习开发安全

🇨🇳中文介绍

代码审查技能

你正在对一份差异文件进行全面的代码审查。你的任务是分析变更代码中的安全漏洞、反模式和质量问题。

输入模型

此技能期望在调用前，上下文中已提供一份差异文件。调用方负责生成差异文件。

调用示例：

用户粘贴 PR 差异文件，然后运行 /code-review
代理运行 git diff HEAD~1，然后调用此技能
CI 工具提供差异内容以供审查

如果上下文中没有差异文件，请要求用户提供或主动生成一个（例如，git diff、git diff main..HEAD）。

领域检测

根据差异文件中的目录路径自动检测应应用哪些检查清单：

目录	领域	检查清单
`designer/`

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

步骤 1：解析差异文件

从差异文件中提取：

变更文件列表
变更行（新增和修改）
基于文件路径检测到的领域

步骤 2：初始化审查文档

使用临时文件模式创建审查文档：

SANITIZED_PATH=$(echo "$PWD" | tr '/' '-')
REPORT_DIR="/tmp/claude/${SANITIZED_PATH}/reviews"
mkdir -p "$REPORT_DIR"
TIMESTAMP=$(date +%Y%m%d-%H%M%S)
FILEPATH="${REPORT_DIR}/code-review-${TIMESTAMP}.md"

使用以下模式初始化：

# 代码审查报告

**日期**: {当前日期}
**审查者**: 代码审查代理
**来源**: {例如，"PR 差异文件"、"未暂存的更改"、"main..HEAD"}
**变更文件**: {数量}
**检测到的领域**: {列表}
**状态**: 进行中

## 摘要

| 类别 | 检查项 | 通过 | 失败 | 发现 |
| :--- | :--- | :--- | :--- | :--- |
| 安全 | 0 | 0 | 0 | 0 |
| 代码质量 | 0 | 0 | 0 | 0 |
| LLM 代码异味 | 0 | 0 | 0 | 0 |
| 影响分析 | 0 | 0 | 0 | 0 |
| 简化 | 0 | 0 | 0 | 0 |
{基于检测到的领域添加的领域特定类别}

## 详细发现

{随着审查进展，将发现的问题添加至此}

步骤 3：审查变更代码

针对每个检查清单项：

将反馈范围限定在差异行内 - 仅标记变更代码中的问题
使用文件上下文 - 读取完整文件内容以理解周边代码
应用相关检查 - 使用领域适用的检查清单项
记录发现 - 记录在变更代码中发现的每个违规项

关键原则：审查的对象是差异文件。文件的其余部分提供上下文以使审查更准确。

步骤 4：影响分析

检查差异文件是否可能影响代码库的其他部分：

变更的导出项/接口 - 搜索其他地方可能被破坏的使用情况
修改的 API 签名 - 检查需要更新的调用方
更改的共享工具 - 查找可能受影响的消费者
配置/模式变更 - 查找依赖于旧结构的代码

将任何未考虑的影响作为发现项报告，严重性基于风险。

步骤 5：记录每个发现

对于发现的每个问题，添加一个条目：

### [{类别}] {项目名称}

**状态**: 失败
**严重性**: 严重 | 高 | 中 | 低
**范围**: 变更代码 | 影响分析

#### 违规

- **文件**: `path/to/file.ext`
- **行号**: 42-48 (来自差异文件)
- **代码**:

// 来自差异文件的问题代码片段

- **问题**: {解释错误所在}
- **建议**: {如何修复}

步骤 6：完成报告

完成所有检查后：

使用最终计数更新摘要表
添加执行摘要：
- 发现的问题总数
- 需要立即关注的关键问题
- 影响分析结果
- 修复建议的优先级顺序
将状态更新为"完成"
通知用户报告位置

这些检查适用于所有变更代码，无论其所属领域。

类别：安全基础

检查差异文件中的：

变更代码中的 API 密钥、密码、密钥
模式：带有字面值的 api_key、apiKey、password、secret、token、credential

通过标准：差异文件中没有硬编码密钥（应使用环境变量） 严重性：严重

Eval 和动态代码执行

检查差异文件中的：

JavaScript/TypeScript: eval(、new Function(、setTimeout("、setInterval("
Python: eval(、exec(、compile(

通过标准：变更行中没有动态代码执行 严重性：严重

检查差异文件中的：

Python: 带有 shell=True 的 subprocess、os.system(
Go: 带有未净化输入的 exec.Command(

通过标准：shell 命令中没有未验证的用户输入 严重性：严重

类别：代码质量

Console/Print 语句

检查差异文件中的：

JavaScript/TypeScript: console.log、console.debug、console.info
Python: print( 语句

通过标准：生产代码变更中没有调试语句 严重性：低

检查差异文件中的：

TODO:、FIXME:、HACK:、XXX: 注释

通过标准：新的 TODO 应在问题跟踪系统中记录 严重性：低

空的 Catch/Except 块

检查差异文件中的：

JavaScript/TypeScript: catch { } 或 catch(e) { }
Python: except: pass 或空的 except 块

通过标准：所有错误处理程序都应记录或重新抛出错误 严重性：高

类别：LLM 代码异味

检查差异文件中的：

TODO、PLACEHOLDER、IMPLEMENT、NotImplemented
仅 return None、return []、return {} 的函数

通过标准：生产代码中没有占位符实现 严重性：高

过于通用的抽象

检查差异文件中的：

名称如 GenericHandler、BaseManager、AbstractFactory 的新类/函数
没有明确复用理由的抽象

通过标准：抽象应基于实际的复用需求 严重性：低

类别：影响分析

检查差异文件是否修改了：

导出的函数/类 - 搜索其他地方的导入
API 端点 - 搜索调用方
共享类型/接口 - 搜索使用情况
配置模式 - 搜索消费者

通过标准：所有受影响的代码都已识别并考虑在内 严重性：高（如果发现未考虑的影响）

检查差异文件中的：

重复的代码模式（不仅仅是语法相似性）
带有微小变动的复制粘贴代码
相似的验证、转换或格式化逻辑

通过标准：变更代码中没有明显的重复 严重性：中建议：将共享逻辑提取到可重用函数中

不必要的复杂性

检查差异文件中的：

深度嵌套的条件语句（超过 3 层）
执行多个不相关任务的函数
过于复杂的控制流

通过标准：代码结构合理扁平且专注 严重性：中建议：使用提前返回、提取辅助函数

检查差异文件中的：

在语言中存在更简单替代方案的模式
冗余的空值检查或类型断言
不必要的中间变量

通过标准：代码使用惯用模式 严重性：低建议：使用语言内置功能进行简化

领域特定审查项

基于检测到的领域，读取并应用相应的检查清单：

检测到前端 (designer/): 读取 frontend.md 并将这些检查应用于变更代码
检测到后端 (server/、rag/、runtimes/): 读取 backend.md 并将这些检查应用于变更代码

## 执行摘要

**审查完成时间**: {时间戳}
**总发现数**: {数量}

### 关键问题（必须修复）
1. {问题 1}
2. {问题 2}

### 影响分析结果
- {任何破坏性变更或未考虑影响的摘要}

### 高优先级（应该修复）
1. {问题 1}
2. {问题 2}

### 建议
{基于所审查变更的总体建议}

给代理的注意事项

限定在差异范围内：仅标记变更行中的问题。不要审查未更改的代码。
使用上下文：读取完整文件以理解变更，但反馈仅针对差异部分。
检查影响：当变更涉及导出项、API 或共享代码时，搜索受影响的消费者。
具体明确：每个发现都应包含文件路径、行号（来自差异文件）和代码片段。
确定优先级：立即标记关键安全问题。
提供解决方案：每个发现都应包含如何修复的建议。
增量更新：在每个类别完成后更新审查文档，而不是在最后。

🇺🇸English

Code Review Skill

You are performing a comprehensive code review on a diff. Your task is to analyze the changed code for security vulnerabilities, anti-patterns, and quality issues.

Input Model

This skill expects a diff to be provided in context before invocation. The caller is responsible for generating the diff.

Example invocations:

User pastes PR diff, then runs /code-review
Agent runs git diff HEAD~1, then invokes this skill
CI tool provides diff content for review

If no diff is present in context, ask the user to provide one or offer to generate one (e.g., git diff, git diff main..HEAD).

Domain Detection

Auto-detect which checklists to apply based on directory paths in the diff:

Directory	Domain	Checklist
`designer/`	Frontend	Read `frontend.md`
`server/`	Backend	Read `backend.md`
`rag/`	Backend	Read `backend.md`
`runtimes/universal/`	Backend	Read `backend.md`

If the diff spans multiple domains, load all relevant checklists.

Review Process

Step 1: Parse the Diff

Extract from the diff:

List of changed files
Changed lines (additions and modifications)
Detected domains based on file paths

Step 2: Initialize the Review Document

Create a review document using the temp-files pattern :

SANITIZED_PATH=$(echo "$PWD" | tr '/' '-')
REPORT_DIR="/tmp/claude/${SANITIZED_PATH}/reviews"
mkdir -p "$REPORT_DIR"
TIMESTAMP=$(date +%Y%m%d-%H%M%S)
FILEPATH="${REPORT_DIR}/code-review-${TIMESTAMP}.md"

Initialize with this schema:

# Code Review Report

**Date**: {current date}
**Reviewer**: Code Review Agent
**Source**: {e.g., "PR diff", "unstaged changes", "main..HEAD"}
**Files Changed**: {count}
**Domains Detected**: {list}
**Status**: In Progress

## Summary

| Category | Items Checked | Passed | Failed | Findings |
|----------|---------------|--------|--------|----------|
| Security | 0 | 0 | 0 | 0 |
| Code Quality | 0 | 0 | 0 | 0 |
| LLM Code Smells | 0 | 0 | 0 | 0 |
| Impact Analysis | 0 | 0 | 0 | 0 |
| Simplification | 0 | 0 | 0 | 0 |
{domain-specific categories added based on detected domains}

## Detailed Findings

{findings added here as review progresses}

Step 3: Review Changed Code

For EACH checklist item:

Scope feedback to diff lines only - Only flag issues in the changed code
Use file context - Read full file content to understand surrounding code
Apply relevant checks - Use domain-appropriate checklist items
Document findings - Record each violation found in changed code

Key principle : The diff is what gets reviewed. The rest of the file provides context to make that review accurate.

Step 4: Impact Analysis

Check if the diff might affect other parts of the codebase:

Changed exports/interfaces - Search for usages elsewhere that may break
Modified API signatures - Check for callers that need updating
Altered shared utilities - Look for consumers that may be affected
Config/schema changes - Find code that depends on old structure

Report any unaccounted-for impacts as findings with severity based on risk.

Step 5: Document Each Finding

For each issue found, add an entry:

### [{CATEGORY}] {Item Name}

**Status**: FAIL
**Severity**: Critical | High | Medium | Low
**Scope**: Changed code | Impact analysis

#### Violation

- **File**: `path/to/file.ext`
- **Line(s)**: 42-48 (from diff)
- **Code**:

// problematic code snippet from diff

- **Issue**: {explanation of what's wrong}
- **Recommendation**: {how to fix it}

Step 6: Finalize the Report

After completing all checks:

Update the summary table with final counts
Add an executive summary:
- Total issues found
- Critical issues requiring immediate attention
- Impact analysis results
- Recommended priority order for fixes
Update status to "Complete"
Inform the user of the report location

Generic Review Categories

These checks apply to ALL changed code regardless of domain.

Category: Security Fundamentals

Hardcoded Secrets

Check diff for :

API keys, passwords, secrets in changed code
Patterns: api_key, apiKey, password, secret, token, credential with literal values

Pass criteria : No hardcoded secrets in diff (should use environment variables) Severity : Critical

Eval and Dynamic Code Execution

Check diff for :

JavaScript/TypeScript: eval(, new Function(, setTimeout(", setInterval("
Python: eval(, exec(, compile(

Pass criteria : No dynamic code execution in changed lines Severity : Critical

Command Injection

Check diff for :

Python: subprocess with shell=True, os.system(
Go: exec.Command( with unsanitized input

Pass criteria : No unvalidated user input in shell commands Severity : Critical

Category: Code Quality

Console/Print Statements

Check diff for :

JavaScript/TypeScript: console.log, console.debug, console.info
Python: print( statements

Pass criteria : No debug statements in production code changes Severity : Low

TODO/FIXME Comments

Check diff for :

TODO:, FIXME:, HACK:, XXX: comments

Pass criteria : New TODOs should be tracked in issues Severity : Low

Empty Catch/Except Blocks

Check diff for :

JavaScript/TypeScript: catch { } or catch(e) { }
Python: except: pass or empty except blocks

Pass criteria : All error handlers log or rethrow Severity : High

Category: LLM Code Smells

Placeholder Implementations

Check diff for :

TODO, PLACEHOLDER, IMPLEMENT, NotImplemented
Functions that just return None, return [], return {}

Pass criteria : No placeholder implementations in production code Severity : High

Overly Generic Abstractions

Check diff for :

New classes/functions with names like GenericHandler, BaseManager, AbstractFactory
Abstractions without clear reuse justification

Pass criteria : Abstractions are justified by actual reuse Severity : Low

Category: Impact Analysis

Breaking Changes

Check if diff modifies :

Exported functions/classes - search for imports elsewhere
API endpoints - search for callers
Shared types/interfaces - search for usages
Config schemas - search for consumers

Pass criteria : All impacted code identified and accounted for Severity : High (if unaccounted impacts found)

Category: Simplification

Duplicate Logic

Check diff for :

Repeated code patterns (not just syntactic similarity)
Copy-pasted code with minor variations
Similar validation, transformation, or formatting logic

Pass criteria : No obvious duplication in changed code Severity : Medium Suggestion : Extract shared logic into reusable functions

Unnecessary Complexity

Check diff for :

Deeply nested conditionals (more than 3 levels)
Functions doing multiple unrelated things
Overly complex control flow

Pass criteria : Code is reasonably flat and focused Severity : Medium Suggestion : Use early returns, extract helper functions

Verbose Patterns

Check diff for :

Patterns that have simpler alternatives in the language
Redundant null checks or type assertions
Unnecessary intermediate variables

Pass criteria : Code uses idiomatic patterns Severity : Low Suggestion : Simplify using language built-ins

Domain-Specific Review Items

Based on detected domains, read and apply the appropriate checklists:

Frontend detected (designer/): Read frontend.md and apply those checks to changed code
Backend detected (server/, rag/, runtimes/): Read backend.md and apply those checks to changed code

Final Summary Template

## Executive Summary

**Review completed**: {timestamp}
**Total findings**: {count}

### Critical Issues (Must Fix)
1. {issue 1}
2. {issue 2}

### Impact Analysis Results
- {summary of any breaking changes or unaccounted impacts}

### High Priority (Should Fix)
1. {issue 1}
2. {issue 2}

### Recommendations
{Overall recommendations based on the changes reviewed}

Notes for the Agent

Scope to diff : Only flag issues in the changed lines. Don't review unchanged code.
Use context : Read full files to understand the changes, but feedback targets the diff only.
Check impacts : When changes touch exports, APIs, or shared code, search for affected consumers.
Be specific : Include file paths, line numbers (from diff), and code snippets for every finding.
Prioritize : Flag critical security issues immediately.
Provide solutions : Each finding should include a recommendation for how to fix it.
Update incrementally : Update the review document after each category, not at the end.

Weekly Installs

1.2K

Repository

llama-farm/llamafarm

GitHub Stars

824

First Seen

Jan 22, 2026

Security Audits

Gen Agent Trust HubFail SocketPass SnykFail

Installed on

opencode939

codex938

gemini-cli937

github-copilot935

amp933

kimi-cli932

React 组合模式指南：Vercel 组件架构最佳实践，提升代码可维护性

102,200 周安装

AI代码审查工具 - 自动化安全漏洞检测与代码质量分析 | 支持多领域检查清单

🇨🇳中文介绍

代码审查技能

输入模型

领域检测

相关 Skills

审查流程

步骤 1：解析差异文件

步骤 2：初始化审查文档

步骤 3：审查变更代码

步骤 4：影响分析

步骤 5：记录每个发现

步骤 6：完成报告

通用审查类别

类别：安全基础

硬编码密钥

Eval 和动态代码执行

命令注入

类别：代码质量

Console/Print 语句

TODO/FIXME 注释

空的 Catch/Except 块

类别：LLM 代码异味

占位符实现

过于通用的抽象

类别：影响分析

破坏性变更

类别：简化

重复逻辑

不必要的复杂性

冗长模式

领域特定审查项

最终摘要模板

给代理的注意事项

🇺🇸English

Code Review Skill

Input Model

Domain Detection

Review Process

Step 1: Parse the Diff

Step 2: Initialize the Review Document

Step 3: Review Changed Code

Step 4: Impact Analysis

Step 5: Document Each Finding

Step 6: Finalize the Report

Generic Review Categories

Category: Security Fundamentals

Hardcoded Secrets

Eval and Dynamic Code Execution

Command Injection

Category: Code Quality

Console/Print Statements

TODO/FIXME Comments

Empty Catch/Except Blocks

Category: LLM Code Smells

Placeholder Implementations

Overly Generic Abstractions

Category: Impact Analysis

Breaking Changes

Category: Simplification

Duplicate Logic

Unnecessary Complexity

Verbose Patterns

Domain-Specific Review Items

Final Summary Template

Notes for the Agent

最新 Skills