Code Review
Let Cuttlefish be your Code Review partner — automatically scan PRs, catch security issues, suggest improvements, and even post review comments directly on GitHub.
Scenario Description
Every PR requires a time-consuming code review. Let Hermes Agent handle the first pass automatically: security checks, style review, logic analysis. You only need to look at it personally when there are significant findings.
Prerequisites
- ✅ GitHub CLI (`gh`) installed and authenticated
- ✅ `github-code-review` skill installed
- ✅ Project cloned locally
Step 1: Install the Skill
```
# Check if the skill is installed
/skills

# If not, install it
hermes skills install github-code-review
```

Step 2: Trigger a Manual Review
```
You: Help me review the latest PR #42

Hermes: [Loading github-code-review skill]
        [Analyzing git diff...]
        [Scanning for security issues...]
        [Generating review report...]

        PR #42 review complete:
        🔴 1 security issue: SQL injection risk (line 45)
        🟡 2 suggestions: Error handling could be more robust
        🟢 Code style is good, test coverage is solid
```

Review Example: Security Issue Detection
Suppose the PR contains the following code:
```python
# Code in PR #42 (problematic)
def get_user(user_id):
    query = f"SELECT * FROM users WHERE id = {user_id}"
    return db.execute(query)
```

Hermes will identify and report:
```
🔴 Security Issue [Line 45]
SQL built by string interpolation has an injection risk. Use a parameterized query:

query = "SELECT * FROM users WHERE id = ?"
return db.execute(query, (user_id,))
```

The `?` placeholder is the `qmark` paramstyle used by `sqlite3`; drivers such as `psycopg2` and `mysqlclient` expect `%s` instead. The shape is the same either way: the SQL text stays constant and the value travels separately as a bound parameter, so it can never change the statement's structure.

Review Example: Performance Optimization
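To see why the review rates this 🔴, here is an added example (not code from the page or the Hermes project) that runs the flagged pattern and the suggested fix side by side against an in-memory SQLite database with constructed sample rows. `db` from the snippet above is assumed to be a `sqlite3` connection, and the attacker input is a constructed value of the kind that arrives in a URL parameter:

```python
"""Added example: reproduce the injection flagged in get_user() and show the
parameterized version rejecting the same input. Not code from the page or from
Hermes; `db` is assumed to be a sqlite3 connection."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: alice is the legitimate lookup, bob is the row an
    # attacker should never be able to read through get_user().
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def get_user_vulnerable(db: sqlite3.Connection, user_id) -> list:
    # The pattern from PR #42: user input becomes part of the SQL text itself.
    query = f"SELECT * FROM users WHERE id = {user_id}"
    return db.execute(query).fetchall()


def get_user_fixed(db: sqlite3.Connection, user_id) -> list:
    # The suggested fix: the driver binds user_id as a value, so the statement's
    # structure is fixed before any input is seen. "?" is sqlite3's paramstyle;
    # psycopg2 / mysqlclient use "%s" with the same (query, params) call shape.
    query = "SELECT * FROM users WHERE id = ?"
    return db.execute(query, (user_id,)).fetchall()


def demo() -> dict:
    db = make_db()
    payload = "1 OR 1=1"  # constructed attacker input, e.g. ?user_id=1%20OR%201%3D1
    return {
        "honest_vulnerable": get_user_vulnerable(db, 1),
        "attack_vulnerable": get_user_vulnerable(db, payload),  # WHERE id = 1 OR 1=1: every row
        "honest_fixed": get_user_fixed(db, 1),
        "attack_fixed": get_user_fixed(db, payload),  # bound as text, matches no id: []
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable variant returns both users for the payload because `OR 1=1` became part of the query; the fixed variant receives the whole payload as one text value, compares it against the integer column, and returns nothing.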
```
🟡 Performance Suggestion [Lines 78-82]
N+1 query pattern detected: db.get_profile() is called inside a loop.
Consider a batch query instead:

profiles = db.get_profiles_batch(user_ids=[u.id for u in users])
```

💡 Hermes provides specific fix suggestions and code examples in the review report, not just the problem description.
Step 3: Post Comments Automatically
```
You: Submit the review results as review comments on PR #42

Hermes: [Calling gh API to submit review comments...]
        Posted 3 inline comments on PR #42.
```

Step 4: Set Up Automated Reviews
Use GitHub Webhooks or Cron to automate reviews:
Option A: Cron-Based Scheduled Reviews
```
You: Create a scheduled task:
     Every morning at 9 AM, check all new PRs in the hello-hermes repo,
     automatically run Code Review on each and post comments.

Hermes: [Creating cron task]
        Created: Automatically review new PRs in fxbin/hello-hermes daily at 09:00
        Delivery channel: Feishu / Telegram
```

After configuration, the daily review flow:
```
09:00 → Hermes checks for new PRs
      → Runs a full review on each PR
      → Posts inline comments on the PR
      → Sends a summary notification via Feishu/Telegram
```

Option B: Webhook-Based Real-Time Reviews
Add Hermes's callback URL in the repo's Settings → Webhooks. Reviews are triggered automatically whenever a new PR is created.
⚠️ The Webhook approach requires the Hermes Gateway to be running and publicly accessible. If that's not feasible, use the Cron approach instead. If you do expose it, set a webhook secret on the same Settings → Webhooks page and have the gateway drop any delivery whose `X-Hub-Signature-256` header does not match the HMAC-SHA256 of the raw request body; without that check, anyone who learns the URL can trigger reviews with forged payloads. With either option, the diff being reviewed is attacker-controlled when PRs come from forks, so the account `gh` is authenticated as should have no more permissions than it needs to read PRs and post reviews.
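Steps 3 and 4 both end with Hermes posting inline comments through GitHub, and Option B adds a public endpoint that receives GitHub's deliveries. The following is an added example, not code from the page or from the Hermes Gateway, of the two GitHub-facing pieces involved: verifying a delivery's `X-Hub-Signature-256` header against the webhook secret before acting on it, and building the JSON body that `gh api` posts to the pull-request reviews endpoint (the call Step 3 relies on). The webhook secret, commit SHA, file path and findings are constructed for the demo; the repository name is the one from the cron example above, and `gh` is assumed to be authenticated as in the prerequisites:

```python
"""Added example (not part of the page or the Hermes Gateway): verify a GitHub
webhook delivery, pick out newly opened PRs, and post an inline review via gh.
Secret, SHA, path and findings below are constructed."""
import hashlib
import hmac
import json
import subprocess


def verify_signature(secret: bytes, body: bytes, header: str) -> bool:
    """GitHub signs each delivery as 'sha256=' + HMAC-SHA256(secret, raw body)
    and sends it in X-Hub-Signature-256. Compare in constant time."""
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header or "")


def pr_to_review(event: str, payload: dict):
    """Return (owner/repo, number, head sha) for a newly opened PR, else None."""
    if event != "pull_request" or payload.get("action") != "opened":
        return None
    pr = payload["pull_request"]
    return payload["repository"]["full_name"], pr["number"], pr["head"]["sha"]


def build_review(commit_id: str, findings: list) -> dict:
    """Body for POST /repos/{owner}/{repo}/pulls/{n}/reviews. Findings are
    (path, line, text) triples; the review requests changes if any is 🔴."""
    comments = [{"path": p, "line": ln, "side": "RIGHT", "body": t} for p, ln, t in findings]
    blocking = any(t.startswith("🔴") for _, _, t in findings)
    return {
        "commit_id": commit_id,
        "event": "REQUEST_CHANGES" if blocking else "COMMENT",
        "body": f"Automated first-pass review: {len(comments)} finding(s).",
        "comments": comments,
    }


def post_review(repo: str, number: int, review: dict, run=subprocess.run) -> list:
    """Send the review through the authenticated gh CLI ('--input -' reads the
    JSON body from stdin). `run` is injectable so the call can be inspected
    without network access; the returned value is the command that was run."""
    cmd = ["gh", "api", "-X", "POST", f"repos/{repo}/pulls/{number}/reviews", "--input", "-"]
    run(cmd, input=json.dumps(review).encode(), check=True)
    return cmd


# --- constructed sample delivery -------------------------------------------
SECRET = b"webhook-secret-from-repo-settings"  # assumed: set in Settings → Webhooks
HEAD_SHA = "0123456789abcdef0123456789abcdef01234567"  # constructed
DELIVERY_DICT = {
    "action": "opened",
    "repository": {"full_name": "fxbin/hello-hermes"},
    "pull_request": {"number": 42, "head": {"sha": HEAD_SHA}},
}
DELIVERY = json.dumps(DELIVERY_DICT).encode()
GOOD_HEADER = "sha256=" + hmac.new(SECRET, DELIVERY, hashlib.sha256).hexdigest()
FINDINGS = [  # constructed; path and line numbers are assumptions
    ("app/users.py", 45, "🔴 SQL built from user_id; use a parameterized query"),
    ("app/users.py", 78, "🟡 N+1 query: db.get_profile() is called inside a loop"),
]


def handle(event: str, body: bytes, header: str, run=subprocess.run) -> str:
    """Full path: reject forged deliveries, ignore other events, post the review."""
    if not verify_signature(SECRET, body, header):
        return "rejected: bad signature"
    target = pr_to_review(event, json.loads(body))
    if target is None:
        return "ignored"
    repo, number, sha = target
    post_review(repo, number, build_review(sha, FINDINGS), run=run)
    return f"reviewed {repo}#{number}"


if __name__ == "__main__":
    fake_run = lambda cmd, **kw: print("would run:", " ".join(cmd))  # no network in the demo
    print(handle("pull_request", DELIVERY, GOOD_HEADER, run=fake_run))
    print(handle("pull_request", DELIVERY, "sha256=deadbeef", run=fake_run))
```

The signature check has to run over the raw bytes exactly as received, before any JSON parsing or re-serialization, or the HMAC will not match. In a real gateway the findings would come from the review step rather than the `FINDINGS` constant.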
Review Dimensions
| Dimension | What It Checks |
|---|---|
| 🔴 Security | SQL injection, XSS, hardcoded secrets, privilege bypass |
| 🟡 Performance | N+1 queries, memory leaks, unnecessary loops |
| 🟡 Maintainability | Overly long functions, duplicated code, missing comments |
| 🟢 Style | Naming conventions, code formatting, type annotations |
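The Security row above is the kind of check a first pass can do mechanically before an LLM or a human looks at the diff. As an added example, not the `github-code-review` skill's own implementation, the following stdlib-only scanner parses a Python file with `ast` and reports two of the listed patterns: SQL text built from runtime values (f-strings, `%` formatting, `+` concatenation, `.format()`) and string literals assigned to credential-looking names. The sample source it scans is constructed for the demo and includes the `get_user` from PR #42:

```python
"""Added example: a minimal AST-based first-pass security check for Python
diffs. Not the github-code-review skill's code; the SAMPLE below is constructed."""
from __future__ import annotations

import ast
import re

SQL_START = re.compile(r"^\s*(select|insert|update|delete|drop)\b", re.I)
SECRET_NAME = re.compile(r"(password|passwd|secret|token|api_?key)", re.I)


def _leading_literal(node: ast.AST) -> str | None:
    """Return the constant string that opens a formatted/concatenated expression."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.JoinedStr) and node.values:  # f"..."
        return _leading_literal(node.values[0])
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return _leading_literal(node.left)  # "..." % x  or  "..." + x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return _leading_literal(node.func.value)  # "...".format(x)
    return None


def _is_dynamic(node: ast.AST) -> bool:
    """True if the expression could mix runtime values into a string."""
    return isinstance(node, (ast.JoinedStr, ast.BinOp, ast.Call))


def scan_source(src: str) -> list[tuple[int, str, str]]:
    """Return (line, severity, message) findings sorted by line number."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        # (a) dynamic SQL: the literal that starts the expression is SQL, and the
        # expression splices values into it at runtime.
        if _is_dynamic(node):
            lit = _leading_literal(node)
            if lit and SQL_START.match(lit):
                findings.append((node.lineno, "🔴",
                                 "SQL built from runtime values; use a parameterized query"))
        # (b) hardcoded secrets: a non-empty string literal assigned to a
        # credential-looking name.
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str) and node.value.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    findings.append((node.lineno, "🔴",
                                     f"hardcoded credential in {target.id!r}"))
    return sorted(findings)


# Constructed sample of a PR's post-change file (not from the page).
SAMPLE = '''
DB_PASSWORD = "hunter2"
TIMEOUT = "30s"

def get_user(db, user_id):
    query = f"SELECT * FROM users WHERE id = {user_id}"
    return db.execute(query)

def get_safe(db, user_id):
    return db.execute("SELECT * FROM users WHERE id = ?", (user_id,))

def count_logins(db, name):
    return db.execute("SELECT count(*) FROM logins WHERE name = '%s'" % name)
'''

if __name__ == "__main__":
    for line, severity, message in scan_source(SAMPLE):
        print(f"{severity} [Line {line}] {message}")
```

The parameterized `get_safe` produces no finding because its SQL is a bare constant passed as an argument, while both the f-string and the `%`-formatted query are flagged. A check like this is a cheap gate, not a substitute for the logic review: it cannot see SQL assembled across several statements, and it will miss secrets loaded from a string that is not assigned directly.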
Advanced Tips
- Auto-generated PR descriptions: Let Cuttlefish write PR descriptions based on the diff
- Mandatory pre-merge reviews: Trigger Hermes reviews via GitHub Actions
- Per-repo custom rules: Add project-specific review rules in SKILL.md
Further Reading
- github-code-review skill source — Built-in code review skill
- Chapter 6: Skill System