
Code Review
Run a structured backend code review on Python, FastAPI, and async repos with grep-backed security and pattern checks.
Overview
code-review is an agent skill most often used in Ship (also Build backend, Operate iterate) that adds Python/FastAPI/async backend checks to a structured review summary.
Install
npx skills add https://github.com/llama-farm/llamafarm --skill code-review
What is this skill?
- Six added summary categories: Security (Backend), FastAPI Patterns, Pydantic Validation, Async Patterns, Error Handling (Backend), Database/ORM
- Critical grep patterns for SQL injection, path traversal, and SSRF with pass criteria
- Severity ladder: Critical for injection/traversal; High for SSRF and related backend risks
- ORM vs raw SQL expectations: parameterized statements or ORM only
- Allowlist guidance for user-controlled outbound HTTP (requests, httpx, aiohttp)
- 6 backend summary categories added to the review table
- Critical severity for SQL injection and path traversal failures
- High severity for SSRF when URLs are user-controlled
Adoption & trust: 1.2k installs on skills.sh; 829 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
Generic review skills miss backend-specific failure modes like raw SQL concatenation, unsafe file paths, and SSRF in async Python APIs.
Who is it for?
Indie API builders on FastAPI/Pydantic who want repeatable grep-driven review gates before merge.
Skip if: Pure frontend or non-Python repos; teams needing full SAST/DAST platforms instead of checklist-guided agent review.
When should I use this skill?
Reviewing Python/FastAPI/async backend changes and you need domain-specific security and framework checklist items.
What do I get? / Deliverables
You get a review summary augmented with backend security and framework categories, each finding tagged with documented severity when patterns fail pass criteria.
- Review summary table rows per backend category
- Findings labeled Critical, High, or pass per checklist criteria
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
The checklist is framed as review with severity tiers—canonical placement is Ship before merge or release. It extends a summary review table with backend-specific categories (Security, FastAPI, Pydantic, Async, ORM)—classic pre-ship code review work.
Where it fits
Add Security (Backend) and FastAPI rows to the PR review table before approving merge.
Scan new route handlers for SSRF when URLs come from request params.
Re-run path-traversal grep patterns after a file-upload bug report.
How it compares
Backend checklist module for agent-led review—not a standalone MCP linter or auto-fix bot.
Common Questions / FAQ
Who is code-review for?
Solo and small-team backend developers using agents to review Python, FastAPI, and async code before shipping.
When should I use code-review?
In Ship review before PR merge; during Build backend when hardening new endpoints; in Operate iterate after incidents to re-scan for injection, traversal, or SSRF patterns.
Is code-review safe to install?
The skill recommends read-only grep searches; confirm your agent’s filesystem scope and review Security Audits on this Prism page.
SKILL.md - Code Review
# Backend Review Checklist

Domain-specific review items for Python, FastAPI, and async codebases.

Add these categories to the summary table:

- Security (Backend)
- FastAPI Patterns
- Pydantic Validation
- Async Patterns
- Error Handling (Backend)
- Database/ORM

---

## Category: Security (Backend)

### SQL Injection

**Search patterns**:

```bash
# Raw SQL with string formatting
grep -rE "execute\(.*%|execute\(.*\.format\(|execute\(.*f['\"]" --include="*.py"

# String concatenation in queries
grep -rE "SELECT.*\+|INSERT.*\+|UPDATE.*\+|DELETE.*\+" --include="*.py"
```

**Pass criteria**: All queries use parameterized statements or ORM
**Severity**: Critical

---

### Path Traversal

**Search patterns**:

```bash
# Unsanitized file paths
grep -rE "open\(.*\+|Path\(.*\+|os\.path\.join\(.*request" --include="*.py"

# Direct user input in file operations
grep -rE "with open\(|\.read\(|\.write\(" --include="*.py" -B 3 | grep -E "request\.|params\.|query\."
```

**Pass criteria**: All file paths validated and sanitized
**Severity**: Critical

---

### SSRF (Server-Side Request Forgery)

**Search patterns**:

```bash
# HTTP requests with user-controlled URLs
grep -rE "requests\.(get|post|put|delete)\(.*request\.|httpx\.(get|post)\(.*request\." --include="*.py"

# aiohttp with user input
grep -rE "session\.(get|post)\(" --include="*.py" -B 5 | grep -E "request\.|params\."
```

**Pass criteria**: All external URLs validated against allowlist
**Severity**: High

---

### Insecure Deserialization

**Search patterns**:

```bash
# Pickle usage
grep -rE "pickle\.(load|loads)\(|cPickle\." --include="*.py"

# YAML unsafe load (must use SafeLoader or safe_load)
grep -rE "yaml\.load\(" --include="*.py" | grep -v "Loader=SafeLoader\|Loader=yaml\.SafeLoader\|safe_load"
```

**Pass criteria**: No pickle with untrusted data; YAML uses safe_load
**Severity**: Critical

---

### Weak Cryptography

**Search patterns**:

```bash
# MD5/SHA1 for passwords
grep -rE "md5\(|sha1\(" --include="*.py" | grep -iE "password|secret|token"

# Hardcoded crypto keys
grep -rE "key\s*=\s*['\"][^'\"]{8,}" --include="*.py"
```

**Pass criteria**: Use bcrypt/argon2 for passwords; no hardcoded keys
**Severity**: High

---

## Category: FastAPI Patterns

### Missing response_model

**Search patterns**:

```bash
# Routes without response_model
grep -rE "@(app|router)\.(get|post|put|patch|delete)\(" --include="*.py" | grep -v "response_model"
```

**Pass criteria**: All endpoints have explicit response_model
**Severity**: Medium

---

### Untyped Request Bodies

**Search patterns**:

```bash
# Route handlers with untyped parameters (missing Pydantic models)
grep -rE "@(app|router)\.(post|put|patch)\(" --include="*.py" -A 3 | grep -E "def\s+\w+\([^)]*:\s*(dict|Dict|Any)\b"

# Body() without type annotation
grep -rE "Body\(\.\.\.\)" --include="*.py"

# Parameters with generic dict type in route handlers
grep -rE "def\s+\w+\([^)]*:\s*dict\b" --include="*.py"
```

**Pass criteria**: All request bodies have Pydantic model types
**Severity**: High

---

### Missing Status Codes

**Search patterns**:

```bash
# POST without 201, DELETE without 204
grep -rE "@(app|router)\.post\(" --include="*.py" | grep -v "status_code"
grep -rE "@(app|router)\.delete\(" --include="*.py" | grep -v "status_code"
```

**Pass criteria**: Appropriate HTTP status codes for each operation
**Severity**: Low

---

### Sync Functions in Async Routes

**Search patterns**:

```bash
# Async route calling sync functions
grep -rE "async def.*:" --include="*.py" -A 20 | grep -E "time\.sleep|requests\.(get|post)|open\("
```

**Pass criteria**: Async routes use async I/O (httpx, aiofiles, asyncio.sleep)
**Severity**: High

---

### Missing Dependency Injection

**Search patterns**:

```bash
# Direct instantiation in routes
grep -rE "def\s+\w+\(" --include="*.py" -A 10 | grep -E "^\s+\w+\s*=\s*\w+Service\(|^\s+\w+\s*=\s*\w+Repository\("
```

**Pass criteria**: Services/repos injected via Depends()
**Severity**: Medium

---
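To see how the Security (Backend) grep patterns above behave on realistic code, here is an added Python example (not part of the llamafarm skill) that transcribes the SQL injection, path traversal and SSRF regexes into `re` and runs them over constructed sample lines. It shows a parameterized psycopg2-style query that the `execute(.*%` pattern flags anyway, and an f-string query assembled on its own line that the patterns miss, so a pass still needs a human read of the hits and of query construction sites; the file names, line numbers and the `review`/`summary` helpers are assumptions.

```python
import re

# (category, severity, regex) transcribed from the checklist's grep -E patterns
CHECKS = [
    ("SQL Injection", "Critical",
     re.compile(r"""execute\(.*%|execute\(.*\.format\(|execute\(.*f['"]""")),
    ("SQL Injection", "Critical",
     re.compile(r"SELECT.*\+|INSERT.*\+|UPDATE.*\+|DELETE.*\+")),
    ("Path Traversal", "Critical",
     re.compile(r"open\(.*\+|Path\(.*\+|os\.path\.join\(.*request")),
    ("SSRF", "High",
     re.compile(r"requests\.(get|post|put|delete)\(.*request\.|httpx\.(get|post)\(.*request\.")),
]

# Constructed sample source lines as (file, line number, text); not taken from any real repo
SAMPLE = [
    ("users.py", 12, 'cur.execute("SELECT * FROM users WHERE name = %s" % name)'),    # string formatting: real bug
    ("users.py", 20, 'cur.execute("SELECT * FROM users WHERE name = %s", (name,))'),  # parameterized, but still a hit
    ("files.py", 8,  'with open(UPLOAD_DIR + request.query_params["name"]) as fh:'),   # user input in path
    ("files.py", 15, 'path = (UPLOAD_DIR / name).resolve()'),                          # no '+', not flagged
    ("fetch.py", 5,  'resp = httpx.get(request.query_params["url"])'),                 # user-controlled URL
    ("fetch.py", 30, 'query = f"SELECT * FROM t WHERE id = {uid}"'),                   # f-string built on its own line...
    ("fetch.py", 31, 'cur.execute(query)'),                                            # ...so execute() looks clean: missed
]

def review(lines):
    """Return one (file, line, category, severity) finding per pattern hit."""
    return [(fname, lineno, cat, sev)
            for fname, lineno, text in lines
            for cat, sev, rx in CHECKS if rx.search(text)]

def summary(findings):
    """One summary-table row per category: worst severity found, else 'pass'."""
    rank = {"pass": 0, "High": 1, "Critical": 2}
    table = {cat: "pass" for cat, _, _ in CHECKS}
    for _, _, cat, sev in findings:
        if rank[sev] > rank[table[cat]]:
            table[cat] = sev
    return table

if __name__ == "__main__":
    for f in review(SAMPLE):
        print("%s:%d  %s  [%s]" % f)
    print(summary(review(SAMPLE)))
```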