Code Review And Quality
Run a structured five-axis review with merge gates before any PR or agent-generated change lands.
Overview
code-review-and-quality is an agent skill most often used in Ship (also Build, Operate) that runs multi-axis review across correctness, readability, architecture, security, and performance before merge.
Install
npx skills add https://github.com/addyosmani/agent-skills --skill code-review-and-qualityWhat is this skill?
- Five-axis review: correctness, readability, architecture, security, performance
- No-exceptions merge policy—every change reviewed before main
- Approval bar: improve overall code health; don’t block on non-perfect style preferences
- Explicit triggers: post-feature, refactors, bug fixes with regression test scrutiny
- Five review axes: correctness, readability, architecture, security, performance
- Merge policy: review every change with no exceptions
Adoption & trust: 6.3k installs on skills.sh; 49.1k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are about to merge agent- or human-written code without a consistent checklist for correctness, security, and architectural drift.
Who is it for?
Solo builders merging PRs or agent patches who want the same review ritual every time—including edge cases and error paths.
Skip if: Greenfield exploration with no merge intent, or when you only need lint autofix without architectural judgment.
When should I use this skill?
Before merging any PR or change; after feature implementation; when reviewing agent- or human-written code; when refactoring; after bug fixes.
What do I get? / Deliverables
You get a five-axis review with an explicit approve-or-block decision aligned to continuous improvement rather than perfectionism.
- Five-axis review notes
- Approve or block recommendation with rationale
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical shelf is Ship/review because the skill’s contract is “before merging”—the quality gate at the end of delivery. Review subphase is where multi-dimensional critique and approval standards belong, not during initial scaffolding.
Where it fits
After an agent finishes an API feature, review correctness and error paths before opening a PR.
Run the five-axis checklist on a PR right before merge to main.
After a bug fix, review both the patch and whether tests actually assert the regression.
Evaluate a hotfix branch for security and performance impact before redeploying.
How it compares
Structured review ritual with approval philosophy—not a single-purpose linter or formatter skill.
Common Questions / FAQ
Who is code-review-and-quality for?
Developers and agent operators who merge their own or others’ code and need a consistent quality gate before main.
When should I use code-review-and-quality?
Before merging any change; after feature work in Build; during Ship review; and after bug fixes in Operate when you must validate fixes and regression tests.
Is code-review-and-quality safe to install?
It is procedural guidance only—check Security Audits on this page for the skill package; the skill does not execute code on your repo by itself.
SKILL.md
READMESKILL.md - Code Review And Quality
# Code Review and Quality ## Overview Multi-dimensional code review with quality gates. Every change gets reviewed before merge — no exceptions. Review covers five axes: correctness, readability, architecture, security, and performance. **The approval standard:** Approve a change when it definitely improves overall code health, even if it isn't perfect. Perfect code doesn't exist — the goal is continuous improvement. Don't block a change because it isn't exactly how you would have written it. If it improves the codebase and follows the project's conventions, approve it. ## When to Use - Before merging any PR or change - After completing a feature implementation - When another agent or model produced code you need to evaluate - When refactoring existing code - After any bug fix (review both the fix and the regression test) ## The Five-Axis Review Every review evaluates code across these dimensions: ### 1. Correctness Does the code do what it claims to do? - Does it match the spec or task requirements? - Are edge cases handled (null, empty, boundary values)? - Are error paths handled (not just the happy path)? - Does it pass all tests? Are the tests actually testing the right things? - Are there off-by-one errors, race conditions, or state inconsistencies? ### 2. Readability & Simplicity Can another engineer (or agent) understand this code without the author explaining it? - Are names descriptive and consistent with project conventions? (No `temp`, `data`, `result` without context) - Is the control flow straightforward (avoid nested ternaries, deep callbacks)? - Is the code organized logically (related code grouped, clear module boundaries)? - Are there any "clever" tricks that should be simplified? - **Could this be done in fewer lines?** (1000 lines where 100 suffice is a failure) - **Are abstractions earning their complexity?** (Don't generalize until the third use case) - Would comments help clarify non-obvious intent? (But don't comment obvious code.) - Are there dead code artifacts: no-op variables (`_unused`), backwards-compat shims, or `// removed` comments? ### 3. Architecture Does the change fit the system's design? - Does it follow existing patterns or introduce a new one? If new, is it justified? - Does it maintain clean module boundaries? - Is there code duplication that should be shared? - Are dependencies flowing in the right direction (no circular dependencies)? - Is the abstraction level appropriate (not over-engineered, not too coupled)? ### 4. Security For detailed security guidance, see `security-and-hardening`. Does the change introduce vulnerabilities? - Is user input validated and sanitized? - Are secrets kept out of code, logs, and version control? - Is authentication/authorization checked where needed? - Are SQL queries parameterized (no string concatenation)? - Are outputs encoded to prevent XSS? - Are dependencies from trusted sources with no known vulnerabilities? - Is data from external sources (APIs, logs, user content, config files) treated as untrusted? - Are external data flows validated at system boundaries before use in logic or rendering? ### 5. Performance For detailed profiling and optimization, see `performance-optimization`. Does the change introduce performance problems? - Any N+1 query patterns? - Any unbounded loops or unconstrained data fetching? - Any synchronous operations that should be async? - Any unnecessary re-renders in UI components? - Any missing pagination on list endpoints? - Any large objects created in hot paths? ## Change Sizing Small, focused changes are easier to review, faster to merge, and safer to deploy. Target these sizes: ``` ~100 lines changed → Good.