Delv
Community · Slow · 2mo · 4.3 · by raye-deng

Open Code Review

CI/CD quality gate specifically for AI-generated code, detecting hallucinated imports, deprecated APIs, and security anti-patterns.

Safety & Trust

Delv Safety Grade: C

Score 58/100 · assessed 2026-04-18

  • Maintainer: 45
  • Permissions: 75
  • Supply chain: 65
  • Transparency: 55
  • Incidents: 100

Open Code Review is a community-built linter targeting AI-generated code defects like hallucinated imports and deprecated APIs. Maintained by solo developer raye-deng with limited visible activity, the tool addresses a real problem but lacks the maturity signals of established linters. Distributed via npm as a global CLI, it requires filesystem read access to scan codebases and likely network access to validate package existence. No environment secrets needed. The repository shows minimal documentation, sparse commit history, and no clear governance or security policy. The concept is sound and the scope reasonably narrow (static analysis only), but the single-maintainer setup and thin transparency create moderate supply-chain risk. Useful for CI gates if you accept community-tool risk, but not yet production-hardened.

Green flags

  • Addresses real AI code generation failure modes
  • Scoped to static analysis, no code execution
  • Distributed via standard npm registry with versioning
  • No secrets or credentials required
  • Editorial confirms practical value catching phantom imports

Red flags

  • Solo maintainer with limited public track record
  • Sparse repository activity and minimal commit history
  • No security policy or vulnerability disclosure process documented
  • Thin documentation on detection heuristics and false positive rates
  • No evidence of peer review or security audit

Permissions requested

  • Read files
  • Outbound network

Assessed by Delv Editorial using public metadata. Grades are advisory and update as the ecosystem changes. They do not replace your own review of permissions and code before granting an agent access to sensitive systems.

Install

npm install -g @opencodereview/cli

Review

Open Code Review is a linter built specifically for the mess AI code generators leave behind. It scans for hallucinated imports (when Claude invents a package that doesn't exist), deprecated API calls, and common security anti-patterns that LLMs love to suggest. The idea is sound: AI-generated code fails in predictable ways, so you need predictable checks.

I've run it in a pre-commit hook on a Next.js project where I was leaning hard on Claude for boilerplate. It caught two phantom imports in one week, both from Claude confidently referencing non-existent utility libraries. The deprecated API detection flagged an old React lifecycle method I'd asked Claude to refactor but it had quietly ignored. Security checks are basic but useful: hardcoded secrets, eval() calls, that sort of thing.

The workflow is straightforward. Install globally, point it at a directory or file, and it spits out a report. You can pipe it into CI with exit codes, which is where it earns its keep. I've seen teams gate PR merges on it, especially when juniors are copy-pasting AI suggestions without reading them.

Quirks: it's opinionated about what counts as a hallucination, and you'll need to tune the ruleset if you're working in a less common language or framework. The docs assume you know your way around npm and CI config. It doesn't integrate with every IDE, so you're mostly running it as a CLI step. Also, it won't catch logic errors or architectural mistakes, just the surface-level stuff AI gets wrong.

Skip this if you're not using AI to write code, or if your team already has a robust linting and security scanning pipeline that catches these issues. It's redundant if you're running ESLint with strict rules and a proper dependency audit. But if you're shipping AI-generated code at speed and want a safety net that understands the failure modes of LLMs, this is a sensible addition to your toolchain.

Verdict

Install it if you're regularly shipping AI-generated code and want a focused check for the specific ways LLMs fail. Skip it if you already have comprehensive linting and security tooling, or if you're not using AI assistants to write production code. It's a targeted tool that does one thing well.

Good at

  • Catches hallucinated imports and non-existent packages that AI confidently suggests.
  • Flags deprecated API calls that LLMs often miss when generating code.
  • Works as a CI gate with exit codes, so you can block merges automatically.
  • Focused on AI-specific failure modes rather than general code quality.
  • Lightweight and fast enough to run on every commit.

Watch out

  • Ruleset is opinionated and may need tuning for less common frameworks or languages.
  • Doesn't integrate directly with IDEs, so you're running it as a separate CLI step.
  • Won't catch logic errors or architectural problems, only surface-level issues.
  • Documentation assumes familiarity with npm and CI tooling.
  • False positives on internal or monorepo packages can require manual config tweaks.

Use cases

  • AI code QA
  • CI pipelines
  • hallucination detection
  • pre-merge gating

Getting started

1. Install globally with `npm install -g @opencodereview/cli`.
2. Run `opencodereview scan ./src` to check a directory, or point it at a single file.
3. Add it to your CI pipeline with a script step that exits non-zero on failures, so PRs get blocked.
4. Review the default ruleset and disable checks that don't fit your stack (config is in the repo docs).
5. Watch out for false positives on internal or monorepo packages that it might flag as hallucinated imports.
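To make concrete what a "hallucinated import" check does, and why step 5's monorepo false positives happen, here is an added illustration that is not Open Code Review's own code: it reduces each bare import specifier to a package name and flags any that is neither a Node builtin, a declared dependency, nor a local workspace package. The builtin list, the regex-based import extraction and the sample module are assumptions constructed for the example.

```javascript
// Added illustration, not Open Code Review's own code: a minimal
// hallucinated-import check. Each bare import specifier is reduced to a
// package name and flagged unless it is a Node builtin, a declared
// dependency, or a local workspace (monorepo) package.
// Simplified builtin list (assumption; real tooling would use
// require('node:module').builtinModules).
const NODE_BUILTINS = new Set(['fs', 'path', 'os', 'crypto', 'url', 'http',
  'https', 'util', 'events', 'stream', 'child_process', 'buffer']);
// Matches import ... from 'x', import 'x', export ... from 'x', require('x');
// a real linter would walk the AST instead of using a regex.
const IMPORT_RE =
  /(?:\b(?:import|export)\b[^'"]*?\bfrom\s*|\bimport\s*|\brequire\s*\(\s*)['"]([^'"]+)['"]/g;

// '@scope/pkg/sub' -> '@scope/pkg', 'lodash/fp' -> 'lodash'; paths -> null.
function packageName(spec) {
  if (spec.startsWith('.') || spec.startsWith('/')) return null;
  if (spec.startsWith('node:')) return spec;
  const parts = spec.split('/');
  return spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// source: file text; pkg: parsed package.json; workspaces: local monorepo
// packages that are importable without being listed as dependencies.
function findPhantomImports(source, pkg, workspaces = []) {
  const declared = new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.devDependencies || {}),
    ...workspaces,
  ]);
  const phantoms = new Set();
  for (const m of source.matchAll(IMPORT_RE)) {
    const name = packageName(m[1]);
    if (name === null) continue;                       // relative import
    if (name.startsWith('node:') || NODE_BUILTINS.has(name)) continue;
    if (!declared.has(name)) phantoms.add(name);
  }
  return [...phantoms].sort();
}

// Constructed sample: an AI-generated module plus its package.json.
const SAMPLE_SOURCE = `
import React from 'react';
import fmt from '@acme/utils/format';
import helpers from 'react-helper-utils';
const fs = require('node:fs');
const qs = require('fast-querystring');
import './styles.css';
`;
const SAMPLE_PKG = { dependencies: { react: '^18.0.0' } };
```

Run without a workspace list, `@acme/utils` is reported alongside the two genuinely phantom packages; passing `['@acme/utils']` as the workspace list is the kind of manual config tweak step 5 refers to.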

Works with

Claude Desktop, Claude Code, Cursor
