ClawKit Reliability Toolkit
Official Verified developer tools Safety 5/5

Qf Code Review

Skill by 371166758-qq

What This Skill Does

The Qf Code Review skill is a sophisticated, systematic code analysis framework designed to act as an automated senior engineer. It evaluates source code for a wide array of potential issues, ranging from critical security vulnerabilities to performance bottlenecks and maintainability concerns. By implementing a structured, multi-phase review process—starting with a quick risk assessment and moving into deep-dive category analysis—this skill ensures that your codebase adheres to industry best practices. It supports major programming languages including Python, JavaScript/TypeScript, Go, Rust, and Java, providing actionable feedback prioritized by severity levels: Critical, Warning, and Suggestion.

Installation

To add this capability to your OpenClaw environment, execute the following command in your terminal:

clawhub install openclaw/skills/skills/371166758-qq/qf-code-review

Use Cases

  • Pull Request Auditing: Streamline your team's code review process by performing an initial automated pass to catch obvious errors before human eyes see the code.
  • Security Hardening: Identify common vulnerabilities like SQL injection, XSS, and hardcoded secrets early in the development lifecycle.
  • Performance Optimization: Detect inefficient algorithms, N+1 database queries, and blocking I/O calls that could degrade production performance.
  • Onboarding & Standards: Ensure consistent coding standards across large teams by flagging non-idiomatic or difficult-to-maintain code patterns.
  • AI Code Validation: Verify that code generated by other LLMs meets production-grade safety and performance requirements.

Example Prompts

  1. "Perform a security-focused code review on this pull request: [Paste code or link to PR]. Focus specifically on potential SQL injection and IDOR vulnerabilities."
  2. "Review the provided function for performance bottlenecks. I am concerned about memory usage when handling large datasets. Let me know if there are O(n^2) operations or missing pagination."
  3. "Run a comprehensive code quality assessment on this module. Categorize feedback by severity and provide specific refactoring suggestions for maintainability and best practices."

Tips & Limitations

  • Context is Key: Always provide the context (e.g., commit message, intended behavior) to help the agent understand the developer's intent.
  • Human Verification: While the agent is highly accurate, all critical fixes—especially those modifying security or core business logic—should be manually verified by a senior developer.
  • Scope Management: For large repositories, break your review requests into smaller, logical chunks to avoid context window limitations and maintain high-quality, focused feedback.
  • False Positives: Occasionally, an automated tool may flag code as a risk if the surrounding security context is not explicitly visible (e.g., a function call that appears vulnerable but is protected by a middleware). Exercise judgment when reviewing the findings.

Metadata

Stars: 4473
Views: 1
Updated: 2026-05-01

Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-371166758-qq-qf-code-review": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Tags(AI)

#code-review #security-audit #static-analysis #developer-productivity #refactoring
Safety Score: 5/5

Flags: file-read