
code-reviewer

AI code review assistant with linting, security scanning, and best practice enforcement

Tags: code-review, linting, security, developer-tools, quality-assurance, best-practices, static-analysis
by openhatch, about 2 months ago

Quick Start

# Install and run
openhatch run @openhatch/code-reviewer

Template Contents


About

Code Reviewer Agent

AI-powered code review assistant with linting, security scanning, and best practice enforcement

The Code Reviewer agent is an intelligent development assistant that analyzes code quality, identifies bugs, enforces best practices, and suggests improvements. Powered by Claude Opus for deep reasoning, it provides thorough reviews with actionable feedback.

What It Does

This agent performs comprehensive code analysis:

  • Quality Analysis — Identifies code smells, anti-patterns, complexity issues
  • Security Scanning — Detects vulnerabilities, unsafe patterns, credential leaks
  • Best Practices — Enforces language-specific conventions and style guides
  • Performance Review — Spots inefficient algorithms and optimization opportunities
  • Documentation Check — Ensures code is well-documented and maintainable
  • Test Coverage — Reviews test quality and suggests missing test cases

Key Features

Multi-Language Support — JavaScript/TypeScript, Python, Go, Rust, Java, and more
Automated Linting — ESLint, Pylint, golangci-lint, Clippy integration
Security Analysis — Detects SQL injection, XSS, insecure crypto, hardcoded secrets
Git Integration — Review PR diffs, commit ranges, or entire files
Inline Comments — Provides line-specific feedback with fix suggestions
Configurable Rules — Customize severity levels and rule sets
Learning Mode — Builds team-specific best practices over time
Claude Opus — Deep reasoning for complex architectural review

Quick Start

1. Install via OpenHatch

openhatch run @templates/code-reviewer

2. Configure Your Environment

Copy .env.example to .env and configure:

# Required: Anthropic API key
ANTHROPIC_API_KEY=your_key_here

# Optional: GitHub integration for PR reviews
GITHUB_TOKEN=your_github_pat

# Optional: Your coding style preferences
CODING_STYLE=airbnb  # or google, standard, pep8, etc.

3. Set Up Linters (Optional)

For enhanced analysis, install linters in your workspace:

# JavaScript/TypeScript
npm install -g eslint prettier

# Python
pip install pylint black flake8

# Go
go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest

# Rust
rustup component add clippy

4. Connect Your Messaging Platform

Add your bot token:

# Telegram
TELEGRAM_BOT_TOKEN=your_bot_token

# OR Discord
DISCORD_BOT_TOKEN=your_bot_token

# OR Slack
SLACK_BOT_TOKEN=xoxb-your-token

5. Start the Agent

openhatch start code-reviewer

Usage Examples

Review a File

You: Review this code:

def get_user(id):
    query = "SELECT * FROM users WHERE id=" + id
    return db.execute(query)

Agent:

🔴 CRITICAL SECURITY ISSUE: SQL Injection Vulnerability

Line 2: String concatenation in SQL query allows injection attacks.

❌ Current code:
query = "SELECT * FROM users WHERE id=" + id

✅ Recommended fix:
query = "SELECT * FROM users WHERE id=%s"
return db.execute(query, (id,))

Or use an ORM:
return User.objects.get(id=id)

📚 Reference: OWASP SQL Injection Prevention

Review a Git Diff

You: Review the changes in feature/auth branch

Agent: Fetches diff, analyzes changes, provides feedback on new code

Check Entire Project

You: Run a full code review on the /src directory

Agent: Analyzes all files, generates comprehensive report

Custom Review Focus

You: Review for performance issues only

Agent: Focuses analysis on algorithmic complexity, memory usage, inefficiencies

Configuration

Customize Review Rules

Edit TOOLS.md to configure:

## Review Preferences
- **Severity threshold:** medium (ignore low-severity issues)
- **Max line length:** 100
- **Style guide:** Airbnb JavaScript / PEP 8 Python
- **Focus areas:** security, performance, maintainability

Language-Specific Settings

The agent automatically detects language and applies appropriate rules:

  • JavaScript/TypeScript: ESLint + Prettier, React best practices
  • Python: PEP 8, Pythonic patterns, type hints
  • Go: gofmt, effective Go patterns
  • Rust: Clippy lints, ownership best practices

Integration with CI/CD

You can trigger reviews programmatically:

# Review a PR
curl -X POST https://your-openclaw-instance/review \
  -d '{"repo": "owner/repo", "pr": 123}'

How It Works

Analysis Pipeline

  1. Code Ingestion — Receives code via message, file upload, or Git URL
  2. Language Detection — Identifies programming language and framework
  3. Static Analysis — Runs appropriate linters (ESLint, Pylint, etc.)
  4. AI Review — Claude Opus performs deep semantic analysis
  5. Issue Prioritization — Ranks findings by severity and impact
  6. Report Generation — Formats feedback with inline comments and fixes
  7. Memory Update — Learns team preferences over time

Review Categories

🔴 Critical — Security vulnerabilities, data loss risks
🟡 High — Bugs, logic errors, significant anti-patterns
🟢 Medium — Code smells, style violations, minor improvements
⚪ Low — Suggestions, optimizations, documentation

Skills Used

  • lint-js — ESLint integration for JavaScript/TypeScript
  • lint-python — Pylint + Flake8 for Python code
  • security-scan — Pattern matching for common vulnerabilities
  • git-diff — Fetch and analyze Git diffs
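The `git-diff` and `security-scan` skills above, together with the "Static Analysis" and "Issue Prioritization" steps of the analysis pipeline, can be illustrated with one small added example (my own code, not the template's skills): it parses a unified diff, scans only the added lines with a handful of pattern rules, and sorts the findings by the review categories' severity order. The diff, the rule set (`RULES`), the `Finding` class and the helper names are constructed assumptions; a real pattern-matching skill would carry far more rules and tune them per language.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterator

# Constructed unified diff standing in for what the git-diff skill would fetch.
SAMPLE_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -10,4 +10,7 @@
 import sqlite3
+API_KEY = "sk-constructed-example-key-0000"
 # look up a user by primary key
 def get_user(conn, user_id):
-    return conn.execute("SELECT * FROM users WHERE id=?", (user_id,))
+    query = "SELECT * FROM users WHERE id=" + user_id
+    return conn.execute(query)
+
@@ -30,3 +33,4 @@ def helper():
     x = 1
+    result = eval(user_input)
     return x
"""

# Hunk header: we only need the first new-file line number.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Hypothetical rule set: (rule id, severity, pattern). Deliberately narrow.
RULES = [
    ("sql-string-build", "critical",
     re.compile(r'(?:SELECT|INSERT|UPDATE|DELETE)\b[^"\']*["\']\s*\+'
                r'|f["\']\s*(?:SELECT|INSERT|UPDATE|DELETE)\b', re.I)),
    ("hardcoded-secret", "critical",
     re.compile(r'\b(?:API_KEY|SECRET|PASSWORD|TOKEN)\w*\s*=\s*["\'][^"\']{8,}["\']', re.I)),
    ("dangerous-eval", "high", re.compile(r"\b(?:eval|exec)\s*\(")),
]

# Mirrors the page's review categories; lower number sorts first.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    file: str
    line: int
    code: str


def added_lines(diff_text: str) -> Iterator[tuple[str, int, str]]:
    """Yield (file, new-file line number, content) for every '+' line in a unified diff."""
    current_file = None
    new_line = 0
    in_hunk = False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            in_hunk = False  # file headers follow; ignore until the next @@
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))  # first new-file line covered by this hunk
            in_hunk = True
            continue
        if not in_hunk:
            if raw.startswith("+++ "):
                current_file = raw[4:].removeprefix("b/")
            continue  # 'index' and '---' lines carry no hunk content
        if current_file is None:
            continue
        if raw.startswith("+"):
            yield current_file, new_line, raw[1:]
            new_line += 1
        elif raw.startswith("-") or raw.startswith("\\"):
            pass  # removed line or "\ No newline at end of file": consumes no new-file line
        else:
            new_line += 1  # unchanged context line


def scan_diff(diff_text: str) -> list[Finding]:
    """Run every rule over the added lines only and rank findings by severity."""
    findings = [
        Finding(rule, sev, file, line, code.strip())
        for file, line, code in added_lines(diff_text)
        for rule, sev, pattern in RULES
        if pattern.search(code)
    ]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.file, f.line))


def format_report(findings: list[Finding]) -> str:
    """Render findings in the agent's severity-first style."""
    icons = {"critical": "🔴", "high": "🟡", "medium": "🟢", "low": "⚪"}
    return "\n".join(
        f"{icons[f.severity]} {f.severity.upper()} {f.rule} {f.file}:{f.line}: {f.code}"
        for f in findings
    ) or "No issues found in added lines."


if __name__ == "__main__":
    print(format_report(scan_diff(SAMPLE_DIFF)))
```

Scanning added lines only is also the answer to the "Slow Reviews" item in Troubleshooting: the line numbers reported are new-file numbers, so each finding can be posted as an inline PR comment without re-reading the whole file.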

Advanced Features

Learning Your Team's Style

The agent builds a team-specific knowledge base:

# memory/coding-standards.md

## Team Preferences
- Prefer functional components over class components (React)
- Always use async/await over Promise chains
- Require JSDoc comments for exported functions
- Discourage `any` type in TypeScript

GitHub PR Integration

With GITHUB_TOKEN configured:

You: Review PR #42 in myorg/myrepo

Agent: Posts review comments directly to the PR

Continuous Monitoring

Can be configured to monitor repositories and auto-review new commits.

Troubleshooting

Linter Not Found

Problem: "ESLint not found in PATH"
Solution: Install linter globally or add to workspace:

npm install -g eslint
# OR add to project
npm install --save-dev eslint

False Positives

Problem: Agent flags valid code as an issue
Solution: Add inline ignore comments or update TOOLS.md preferences

// eslint-disable-next-line no-unused-vars
const temp = expensiveComputation();

Slow Reviews

Problem: Large files take too long
Solution: Review in chunks or focus on changed lines only

Review only the function `processData` in utils.js

GitHub Rate Limits

Problem: "API rate limit exceeded"
Solution: Use authenticated token (5,000 req/hour vs 60 unauthenticated)

Security Notes

  • Main session only — Code review tools (exec, file writes) only available to operator
  • No DM/group reviews — Prevents untrusted code execution
  • Sandboxed linting — Linters run in isolated environment
  • Credentials never logged — API keys kept in environment only

Model Choice: Claude Opus

This agent uses Claude Opus for maximum reasoning capability:

  • Deep semantic understanding of code architecture
  • Multi-file context analysis
  • Complex refactoring suggestions
  • Security vulnerability detection requiring reasoning

For simpler linting-only reviews, you can switch to Sonnet in openhatch.yaml.

Extending the Agent

Add New Linters

Create skills for additional languages:

skills/lint-rust/
  ├── SKILL.md
  └── clippy.sh

Custom Rule Sets

Define project-specific rules in memory/rules.json:

{
  "rules": {
    "no-console": "warn",
    "max-complexity": 10
  }
}

Use Cases

  • Pre-commit reviews — Catch issues before CI/CD
  • PR automation — Auto-review pull requests
  • Onboarding — Teach junior devs best practices
  • Legacy code audits — Identify tech debt
  • Security audits — Find vulnerabilities in codebases

Contributing

This is an OpenHatch template. To customize:

  1. Fork this template
  2. Modify AGENTS.md for different review focus
  3. Add language-specific skills
  4. Adjust SOUL.md for team culture fit

License

MIT — Free to use and modify


Ready to improve your code quality? Install now:

openhatch run @templates/code-reviewer

Stats

Downloads: 0
Deployments: 0
Latest Version: 1.0.0
Runtime Support: Any
Size: 46.7 KB

Versions

1.0.0, about 2 months ago