Code Reviewer

Name: Code Reviewer
Author: jeffallan

jeffallan/claude-skills·MIT

Run a single-pass senior-style review on PRs and file changes to catch bugs, security issues, smells, and architecture problems before merge.

Overview

Code Reviewer is an agent skill most often used in Ship (also Build architecture checks) that analyzes diffs and files to produce a prioritized review report covering bugs, security, performance, and maintainability.

Install

npx skills add https://github.com/jeffallan/claude-skills --skill code-reviewer

What is this skill?

Core workflow: Context → Change analysis → Security → Performance → Quality → Tests → Architecture → Report
Broad-scope review: SQL injection, XSS, insecure deserialization, N+1 queries, naming, and architectural concerns
Produces a structured report with prioritized, actionable feedback (report output-format)
Complements security-reviewer and test-master for specialists while covering maintainability and coverage in one pass
Triggers on code review, PR review, pull request, review code, and code quality phrases
8-step core workflow from Context through Architecture to Report
Broad vulnerability coverage including SQL injection, XSS, and insecure deserialization

Compatible agents: Claude Code, Cursor, Codex, Windsurf

Adoption & trust: 3.6k installs on skills.sh; 9.7k GitHub stars; 2/3 security scanners passed (skills.sh audits).

What problem does it solve?

You are about to merge agent-written or rushed solo code without a consistent pass for security, smells, and test gaps.

Who is it for?

Indie devs reviewing PRs, conducting code quality audits, or validating architecture on small teams of one.

Skip if: Fully automated CI policy enforcement without human judgment, or when you only need deep pen-testing (prefer a dedicated security-reviewer skill).

When should I use this skill?

Reviewing pull requests, conducting code quality audits, identifying refactoring opportunities, checking security vulnerabilities, or validating architectural decisions.

What do I get? / Deliverables

You get a structured, prioritized review report with concrete fixes so you can merge confidently or send work back for refactor.

Structured code review report with prioritized actionable feedback
Security, performance, quality, test, and architecture findings grouped for follow-up

Recommended Skills

Improve Codebase Architecturemattpocock/skills

Improve Codebase Architecture is an agent skill that teaches how to deepen a cluster of shallow modules without breaking…226k installs·121k stars

Zoom Outmattpocock/skills

Lightweight meta-prompt skill that tells the agent to zoom out and deliver a domain-aligned overview of modules and call…181k installs·121k stars

Caveman Reviewjuliusbrussee/caveman

Formats code review as single actionable lines: location, problem, fix, with minimal noise.139k installs·70k stars

Requesting Code Reviewobra/superpowers

Requesting Code Review is an agent skill from the Superpowers collection that gives solo and indie builders a copy-ready…119k installs·221k stars

Receiving Code Reviewobra/superpowers

Superpowers methodology for agents receiving code review: prioritize technical correctness over social comfort, verify e…96.2k installs·221k stars

Request Refactor Planmattpocock/skills

request-refactor-plan is a structured agent workflow for solo and small-team maintainers who want refactors filed as act…30.5k installs·121k stars

Journey fit

Spans multiple journey phases - primary shelf plus alternate fits below.

Primary fit

Shipping safely depends on structured review of diffs and intent right before launch prep. Review subphase is the canonical shelf for PR audits, quality gates, and actionable feedback reports.

Also useful

BuildProject management & tracking

Also useful

ShipSecurity

Where it fits

Example use

ShipCode review

Run a full pass on a feature branch before merging your weekend SaaS shipping.

Example use

ShipSecurity

Flag SQL injection and XSS patterns in agent-generated API handlers.

Example use

BuildBackend, data & payments

Validate whether a new service boundary matches the stated PR problem.

Example use

GrowSupport & community

Review a hotfix diff for regressions before pushing to paying users.

How it compares

Broad single-pass review report skill, not a deploy pipeline or MCP server integration.

Common Questions / FAQ

Who is code-reviewer for?

Solo builders and small teams who want thorough, constructive PR and file reviews from their coding agent without hiring a reviewer for every change.

When should I use code-reviewer?

In Ship during PR review and pre-merge audits; in Build when checking architectural decisions; anytime you need refactoring suggestions or security smell detection on changed files.

Is code-reviewer safe to install?

Metadata limits tools to Read, Grep, and Glob—no arbitrary shell—but you should still review the Security Audits panel on this Prism page before installing third-party skills.

SKILL.md

READMESKILL.md - Code Reviewer

# Code Reviewer

Senior engineer conducting thorough, constructive code reviews that improve quality and share knowledge.

## When to Use This Skill

- Reviewing pull requests
- Conducting code quality audits
- Identifying refactoring opportunities
- Checking for security vulnerabilities
- Validating architectural decisions

## Core Workflow

1. **Context** — Read PR description, understand the problem being solved. **Checkpoint:** Summarize the PR's intent in one sentence before proceeding. If you cannot, ask the author to clarify.
2. **Structure** — Review architecture and design decisions. Ask: Does this follow existing patterns in the codebase? Are new abstractions justified?
3. **Details** — Check code quality, security, and performance. Apply the checks in the Reference Guide below. Ask: Are there N+1 queries, hardcoded secrets, or injection risks?
4. **Tests** — Validate test coverage and quality. Ask: Are edge cases covered? Do tests assert behavior, not implementation?
5. **Feedback** — Produce a categorized report using the Output Template. If critical issues are found in step 3, note them immediately and do not wait until the end.

> **Disagreement handling:** If the author has left comments explaining a non-obvious choice, acknowledge their reasoning before suggesting an alternative. Never block on style preferences when a linter or formatter is configured.

## Reference Guide

Load detailed guidance based on context:

<!-- Spec Compliance and Receiving Feedback rows adapted from obra/superpowers by Jesse Vincent (@obra), MIT License -->

| Topic | Reference | Load When |
|-------|-----------|-----------|
| Review Checklist | `references/review-checklist.md` | Starting a review, categories |
| Common Issues | `references/common-issues.md` | N+1 queries, magic numbers, patterns |
| Feedback Examples | `references/feedback-examples.md` | Writing good feedback |
| Report Template | `references/report-template.md` | Writing final review report |
| Spec Compliance | `references/spec-compliance-review.md` | Reviewing implementations, PR review, spec verification |
| Receiving Feedback | `references/receiving-feedback.md` | Responding to review comments, handling feedback |

## Review Patterns (Quick Reference)

### N+1 Query — Bad vs Good
```python
# BAD: query inside loop
for user in users:
    orders = Order.objects.filter(user=user)  # N+1

# GOOD: prefetch in bulk
users = User.objects.prefetch_related('orders').all()
```

### Magic Number — Bad vs Good
```python
# BAD
if status == 3:
    ...

# GOOD
ORDER_STATUS_SHIPPED = 3
if status == ORDER_STATUS_SHIPPED:
    ...
```

### Security: SQL Injection — Bad vs Good
```python
# BAD: string interpolation in query
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")

# GOOD: parameterized query
cursor.execute("SELECT * FROM users WHERE id = %s", [user_id])
```

## Constraints

### MUST DO
- Summarize PR intent before rev

What is this skill?

Core workflow: Context → Change analysis → Security → Performance → Quality → Tests → Architecture → Report

Broad-scope review: SQL injection, XSS, insecure deserialization, N+1 queries, naming, and architectural concerns

Produces a structured report with prioritized, actionable feedback (report output-format)

Complements security-reviewer and test-master for specialists while covering maintainability and coverage in one pass

Triggers on code review, PR review, pull request, review code, and code quality phrases

8-step core workflow from Context through Architecture to Report

Broad vulnerability coverage including SQL injection, XSS, and insecure deserialization

Compatible agents: Claude Code, Cursor, Codex, Windsurf

Adoption & trust: 3.6k installs on skills.sh; 9.7k GitHub stars; 2/3 security scanners passed (skills.sh audits).

Journey fit

Spans multiple journey phases - primary shelf plus alternate fits below.

Primary fit

Shipping safely depends on structured review of diffs and intent right before launch prep. Review subphase is the canonical shelf for PR audits, quality gates, and actionable feedback reports.

Also useful

BuildProject management & tracking

Also useful

ShipSecurity

Where it fits

Example use

ShipCode review

Run a full pass on a feature branch before merging your weekend SaaS shipping.

Example use

ShipSecurity

Flag SQL injection and XSS patterns in agent-generated API handlers.

Example use

BuildBackend, data & payments

Validate whether a new service boundary matches the stated PR problem.

Example use

GrowSupport & community

Review a hotfix diff for regressions before pushing to paying users.

SKILL.md

READMESKILL.md - Code Reviewer

# Code Reviewer

Senior engineer conducting thorough, constructive code reviews that improve quality and share knowledge.

## When to Use This Skill

- Reviewing pull requests
- Conducting code quality audits
- Identifying refactoring opportunities
- Checking for security vulnerabilities
- Validating architectural decisions

## Core Workflow

1. **Context** — Read PR description, understand the problem being solved. **Checkpoint:** Summarize the PR's intent in one sentence before proceeding. If you cannot, ask the author to clarify.
2. **Structure** — Review architecture and design decisions. Ask: Does this follow existing patterns in the codebase? Are new abstractions justified?
3. **Details** — Check code quality, security, and performance. Apply the checks in the Reference Guide below. Ask: Are there N+1 queries, hardcoded secrets, or injection risks?
4. **Tests** — Validate test coverage and quality. Ask: Are edge cases covered? Do tests assert behavior, not implementation?
5. **Feedback** — Produce a categorized report using the Output Template. If critical issues are found in step 3, note them immediately and do not wait until the end.

> **Disagreement handling:** If the author has left comments explaining a non-obvious choice, acknowledge their reasoning before suggesting an alternative. Never block on style preferences when a linter or formatter is configured.

## Reference Guide

Load detailed guidance based on context:

<!-- Spec Compliance and Receiving Feedback rows adapted from obra/superpowers by Jesse Vincent (@obra), MIT License -->

| Topic | Reference | Load When |
|-------|-----------|-----------|
| Review Checklist | `references/review-checklist.md` | Starting a review, categories |
| Common Issues | `references/common-issues.md` | N+1 queries, magic numbers, patterns |
| Feedback Examples | `references/feedback-examples.md` | Writing good feedback |
| Report Template | `references/report-template.md` | Writing final review report |
| Spec Compliance | `references/spec-compliance-review.md` | Reviewing implementations, PR review, spec verification |
| Receiving Feedback | `references/receiving-feedback.md` | Responding to review comments, handling feedback |

## Review Patterns (Quick Reference)

### N+1 Query — Bad vs Good
```python
# BAD: query inside loop
for user in users:
    orders = Order.objects.filter(user=user)  # N+1

# GOOD: prefetch in bulk
users = User.objects.prefetch_related('orders').all()
```

### Magic Number — Bad vs Good
```python
# BAD
if status == 3:
    ...

# GOOD
ORDER_STATUS_SHIPPED = 3
if status == ORDER_STATUS_SHIPPED:
    ...
```

### Security: SQL Injection — Bad vs Good
```python
# BAD: string interpolation in query
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")

# GOOD: parameterized query
cursor.execute("SELECT * FROM users WHERE id = %s", [user_id])
```

## Constraints

### MUST DO
- Summarize PR intent before rev

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Where it fits

Who is code-reviewer for?

When should I use code-reviewer?

Is code-reviewer safe to install?

SKILL.md

This week for builders

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Where it fits

Who is code-reviewer for?

When should I use code-reviewer?

Is code-reviewer safe to install?

SKILL.md