How to Automate GitHub PR Reviews with OpenClaw

What You'll Build

A fully automated PR review pipeline that:

1. Creates PRs with AI-generated descriptions from your commit history
2. Reviews code with AI-powered analysis that catches bugs, security issues, and style problems
3. Enforces commit conventions with Conventional Commits format
4. Provides actionable feedback as inline PR comments

By the end of this guide, you'll have a workflow where opening a PR automatically triggers an AI review — no manual intervention needed.

Why AI-Powered PR Review

Manual code review is essential, but it comes with real limitations that slow teams down:

• Inconsistent quality: Different reviewers catch different things. One person focuses on naming conventions while another looks at error handling. Without a systematic approach, important issues slip through depending on who reviews the PR that day.
• Reviewer fatigue: After reviewing several hundred lines of code, attention drops significantly. Studies show that review effectiveness decreases after about 60 minutes of continuous review. Critical bugs hide in the later parts of large diffs.
• Slow turnaround: Reviewers are busy with their own work. A PR might sit for hours or even days waiting for someone to look at it. This blocks the author, encourages large batched PRs, and creates merge conflicts.
• Scaling issues: As teams grow, the review bottleneck gets worse. Senior developers spend an increasing share of their time reviewing instead of building. New team members may not yet know the codebase well enough to catch subtle issues.

AI-powered review doesn't replace human reviewers — it handles the systematic checks (security patterns, common bugs, style violations) so human reviewers can focus on architecture, design decisions, and business logic. Think of it as a first pass that raises the baseline quality of every PR before a human even opens it.

Prerequisites

Before starting, make sure you have:

• OpenClaw installed and configured (Getting Started Guide)
• GitHub CLI (gh) installed and authenticated (gh auth login)
• A GitHub repository to test with (can be a personal project)
• Node.js 18+ for running clawhub commands

Step 1: Install the Required Skills

Install all three skills in order:

# 1. GitHub integration (foundation)
npx clawhub@latest install github

# 2. PR Reviewer (code analysis)
npx clawhub@latest install pr-reviewer

# 3. Conventional Commits (commit formatting)
npx clawhub@latest install conventional-commits

Verify installation:

clawhub list

You should see all three skills listed as installed.

Step 2: Configure GitHub Authentication

The GitHub skill needs a personal access token with the following scopes:

• repo — full repository access
• read:org — read organization membership (optional, for org repos)

If you've already authenticated with gh auth login, the skill will use your existing credentials. Otherwise:

# Check your current auth status
gh auth status

# Login if needed
gh auth login

Step 3: Set Up PR Reviewer

The PR Reviewer skill works out of the box, but you can customize its behavior:

# Review the default configuration
clawhub inspect pr-reviewer

Key configuration options:

• Review depth: quick (surface-level) or thorough (deep analysis)
• Focus areas: security, performance, style, bugs, or all
• Auto-comment: whether to post comments directly on the PR

Step 4: Create Your First Automated PR Review

Let's test the workflow with a real PR:

4.1 Create a Feature Branch

git checkout -b feature/test-ai-review

4.2 Make Some Changes

Edit a file in your project. For testing, try introducing common issues the reviewer can catch. Here are several examples across different problem categories:

Missing await (async bug):

// Bug: missing await on async call
function getUserData(userId) {
  const response = fetch(`/api/users/${userId}`);  // Missing await
  return response.json();  // TypeError: response.json is not a function
}

SQL injection vulnerability:

# Security: user input directly interpolated into SQL query
def get_user(user_id):
    query = f"SELECT * FROM users WHERE id = '{user_id}'"  # SQL injection risk
    return db.execute(query)

Hardcoded secret:

// Security: API key exposed in source code
const stripe = require('stripe')('sk_live_abc123secretkey');

N+1 query problem:

# Performance: N+1 query — fires one query per order
def get_orders_with_items(user_id):
    orders = Order.objects.filter(user_id=user_id)
    for order in orders:
        order.items = OrderItem.objects.filter(order_id=order.id)  # N+1!
    return orders

4.3 Commit with Conventional Commits

Instead of writing a commit message manually, let OpenClaw generate one:

git add .
# OpenClaw generates a conventional commit message
# e.g., "feat(api): add getUserData function for user data retrieval"

4.4 Create and Review the PR

# OpenClaw creates the PR with an AI-generated description
# Then PR Reviewer automatically analyzes the diff

Within seconds, you'll see:

• A well-formatted PR description summarizing your changes
• Inline review comments pointing out specific issues
• A summary comment with overall assessment and suggestions

Here's an example of what the AI review comments look like on your PR:

🔒 Security Issue (line 14, auth.py):
  User input is directly interpolated into an SQL query string.
  This is vulnerable to SQL injection attacks.
  Suggested fix: Use parameterized queries instead.

  - query = f"SELECT * FROM users WHERE id = '{user_id}'"
  + query = "SELECT * FROM users WHERE id = %s"
  + return db.execute(query, (user_id,))

⚡ Performance Issue (line 8, orders.py):
  N+1 query detected — OrderItem.objects.filter() is called
  once per order inside a loop. Use select_related() or
  prefetch_related() to batch this into a single query.

  - orders = Order.objects.filter(user_id=user_id)
  + orders = Order.objects.filter(user_id=user_id).prefetch_related('items')

🐛 Bug (line 3, api.js):
  fetch() returns a Promise but is not awaited.
  response.json() will fail because response is a
  pending Promise, not a Response object.

  - const response = fetch(`/api/users/${userId}`);
  + const response = await fetch(`/api/users/${userId}`);

Step 5: Customize the Review Workflow

Focus on Security

For security-critical repositories, configure PR Reviewer to prioritize security checks:

• SQL injection patterns
• Hardcoded credentials or API keys
• Insecure data handling (unvalidated input, missing sanitization)
• Dependency vulnerabilities
• Cross-site scripting (XSS) vectors in frontend code
• Insecure deserialization patterns

Performance-Focused Review

For performance-sensitive services, instruct the reviewer to focus on performance patterns. For React projects specifically, the reviewer catches patterns like unnecessary re-renders:

// Performance: new object reference on every render causes child re-renders
function ParentComponent({ items }) {
  return (
    <ChildComponent
      style={{ margin: 10 }}        // New object every render
      onClick={() => doSomething()}  // New function every render
    />
  );
}

Team-Wide Setup

Share the configuration across your team:

1. Export your skill configuration to a .openclaw/ directory in your repo
2. Commit it to the repository
3. Team members install with the same config — the skills pick up project-level configuration automatically

Advanced: Guiding the Review Focus

You can tailor the review focus by providing instructions to the PR Reviewer skill. The skill uses AI to analyze diffs, so you can direct its attention through natural language prompts.

Language-Specific Guidance

When running a review, tell the agent what to focus on:

• Python: check for bare except: blocks, missing type hints, Django ORM N+1 queries
• JavaScript/TypeScript: flag leftover console.log, missing await on async calls, hardcoded secrets
• Rust: flag .unwrap() in production code, suggest proper Result handling

Per-Directory Focus

Direct the reviewer to apply different scrutiny levels:

• Core business logic (src/core/) — thorough review covering security, bugs, and performance
• Test files (src/tests/) — quick check for correctness only
• Documentation (docs/) — light style review
• Scripts (scripts/) — focus on security and bugs

Custom Patterns

Ask the reviewer to flag project-specific patterns, such as:

• Direct database access in API routes instead of using the repository layer
• Page components missing error boundaries
• API endpoints without rate limiting

Integration with CI/CD

For fully automated reviews on every PR, integrate OpenClaw's PR Reviewer into your CI/CD pipeline.

GitHub Actions

Create a workflow file at .github/workflows/ai-review.yml:

name: AI PR Review
on:
  pull_request:
    types: [opened, synchronize]

jobs:
  ai-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install OpenClaw and skills
        run: |
          npm install -g clawhub@latest
          clawhub install pr-reviewer

      - name: Run AI Review
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          OPENCLAW_API_KEY: ${{ secrets.OPENCLAW_API_KEY }}
        run: |
          clawhub run pr-reviewer \
            --pr ${{ github.event.pull_request.number }} \
            --repo ${{ github.repository }} \
            --auto-comment

Controlling When Reviews Run

You can limit AI review to specific conditions to save costs:

on:
  pull_request:
    types: [opened, synchronize]
    paths-ignore:
      - '*.md'
      - 'docs/**'
      - '.github/**'

Or require a label before reviewing:

- name: Check for review label
  if: contains(github.event.pull_request.labels.*.name, 'ai-review')
  run: clawhub run pr-reviewer --pr ${{ github.event.pull_request.number }}

Other CI Platforms

The same approach works on any CI platform that supports Node.js. The key steps are:

1. Install clawhub and the pr-reviewer skill
2. Set OPENCLAW_API_KEY as a secret environment variable
3. Pass the PR number and repository to the review command
4. Ensure the CI bot has write permissions on pull requests

Real-World Results

Teams using this workflow typically see:

• 40% faster PR turnaround — AI catches obvious issues before human review
• Consistent review quality — every PR gets the same thorough analysis
• Better commit history — Conventional Commits make changelogs automatic
• Fewer bugs in production — AI catches issues humans might miss

Troubleshooting

"GitHub CLI not found"

Make sure gh is installed and in your PATH:

# macOS
brew install gh

# Linux
sudo apt install gh

# Windows
winget install GitHub.cli

"Permission denied" on PR creation

Check your token scopes:

gh auth status

Ensure the repo scope is included. Re-authenticate if needed:

gh auth login --scopes repo

PR Reviewer not commenting

Verify the skill is installed and configured:

clawhub inspect pr-reviewer

Check that your OpenClaw AI provider is configured and has available credits.