I. Core Positioning
It replaces manual reviewers to conduct the first round of pre-code review, fundamentally different from ESLint and other static scanning tools:
- Static analysis tools only check syntax and formatting rules;
- autoreview leverages large language models to comprehend business logic, code context and developer intent, capable of spotting logical flaws, security loopholes and architectural risks;
- It integrates with GitHub/Gitee/GitLab Webhooks to trigger full automatic scans upon PR creation or updates, requiring zero manual invocation.
II. Full List of Review Capabilities
1. Code Validity & Logical Bug Detection
- Null pointer exceptions, missing null checks, array out-of-bounds errors, invalid boundary value handling;
- Missing exception handling for async functions, absent try/catch blocks;
- Missing branch logic, unhandled return values, erroneous conditional judgments;
- Type mismatches, implicit any types, incomplete type definitions.
2. Security Risk Scanning (Core Priority)
- Hardcoded secret keys, plaintext passwords and exposed tokens;
- SQL injection vulnerabilities, unvalidated user input, unsafe deserialization;
- Privilege escalation risks, sensitive data leakage in logs, path traversal attacks;
- Invocation of dangerous functions, API endpoints without identity authentication.
3. Performance Optimization & Code Standards
- Nested loops, repeated database queries, memory leaks;
- Inconsistent project coding styles, non-standard naming, missing explanatory comments;
- Redundant code, duplicated logic, overly complex implementable logic;
- Hardcoded fixed values and magic numbers.
4. Engineering Completeness Check
- New or modified functions without matching unit test cases;
- Undocumented public interfaces and newly added modules;
- Breaking changes lacking backward compatibility for existing callers;
- Unsynchronized updates to configuration files and environment variables.
5. Scope Governor (Exclusive Built-in Control Mechanism)
Prevent developers from sneaking irrelevant refactoring or architectural adjustments into small PRs:
- Automatically block PRs with sudden surges in file changes or doubled line count without valid descriptions;
- Force PR splitting if defects remain unresolved after multiple revision rounds;
- Distinguish minor iterative updates from large architectural refactors to avoid bloated, unmanageable PRs.
III. Output Formats (Directly Submittable to Code Platforms)
- Line-level precise comments: pinpoint exact files and line numbers to flag defects;
- Structured summary report: categorize issues by severity (Critical / Normal / Optimization), with ready-to-copy fix code snippets attached;
- Automatic PR tags & status markers: auto-label tags including
security-risk,missing-test,breaking-change; - Export structured JSON reports for seamless integration with CI pipelines and alert systems.
IV. Multi-Model Support
Built-in switchable multiple review engines, allowing users to assign specific LLMs for in-depth analysis:
- Compatible with GPT series, Claude, Copilot, Cursor, OpenCode, Gemini and more;
- Configurable dual-model cross-review mode (e.g. Codex + Claude) to boost review accuracy.
V. Differences from GitHub Skill
- GitHub Skill: Pure Git operation utility, solely responsible for pulling PR diffs, submitting comments and warehouse manipulation;
- autoreview: The core AI review logic engine, tasked with code parsing, semantic AI analysis and generating professional review feedback;
- Standard collaborative workflow: Webhook trigger → GitHub Skill pulls code changes → autoreview executes full review → GitHub Skill pushes review comments to the PR page.
VI. Typical Application Scenarios
- Team CI pipeline automation: Auto pre-review new PRs to block low-level flaws before manual review;
- Security audit after large-scale architectural refactoring;
- Reduce repetitive review workload for open-source project maintainers;
- Unattended overnight continuous risk scanning for existing legacy codebases;
- Standardize team coding rules to eliminate inconsistent judgment standards across different human reviewers.
VII. Limitations (Unsupported Capabilities)
- Cannot deeply evaluate product business decisions or high-level architectural design quality;
- Unable to identify performance bottlenecks that only surface under load testing;
- Does not judge highly subjective stylistic preferences with unified objective standards;
- Fails to spot business-specific logical defects without sufficient business context input.
One-Sentence Summary
autoreview is an AI automatic code review agent native to OpenClaw. It automatically fetches PR code diffs, conducts multi-dimensional deep semantic audits covering logic, security, performance, unit testing and coding standards, and submits line-specific repair suggestions to code repositories, drastically cutting repetitive manual review workload.