Code Review Pro
Run a structured security, performance, and maintainability review on code the user asks you to audit or improve.
Overview
Code Review Pro is an agent skill most often used in Ship review (also Build integrations and Operate iterate) that runs security, performance, and maintainability analysis on submitted code.
Install
npx skills add https://github.com/onewave-ai/claude-skills --skill code-review-proWhat is this skill?
- Prioritizes security analysis: injection, XSS, authz, secrets, CSRF, crypto, and dependency risks
- Performance pass covers N+1 queries, algorithmic cost, leaks, re-renders, indexes, and caching
- Maintainability review targets duplication, complexity, naming, and refactoring opportunities
- Activates on explicit review, audit, performance analysis, or bug-hunting requests
- Structured multi-category pass instead of ad-hoc stylistic nitpicks
- Three review pillars: security, performance, and code quality/maintainability
Adoption & trust: 2.3k installs on skills.sh; 172 GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are about to ship changes but lack a consistent checklist for security holes, performance traps, and messy code your agent should catch first.
Who is it for?
Solo developers requesting a thorough human-style audit when merging features, hardening APIs, or tuning hot paths without a formal review board.
Skip if: Teams that only want formatting or linter output, automated SAST/DAST replacement, or reviews of non-code assets like marketing copy.
When should I use this skill?
User requests code review, security audit, performance analysis, refactoring suggestions, or asks to review or audit code.
What do I get? / Deliverables
You receive a prioritized review spanning critical security issues, performance bottlenecks, and refactor suggestions you can fix before merge or deploy.
- Prioritized findings across security, performance, and maintainability
- Concrete refactoring and hardening recommendations
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Formal review is canonically part of Ship, but the same checklist applies whenever code changes before release or in production fixes. The skill’s primary shelf is pre-release code review and quality gates in the review subphase.
Where it fits
Run a security-first pass on a pull request before tagging a release candidate.
Review new API routes for injection risks and N+1 queries while the feature is still in development.
Audit a hotfix branch for regressions and missing input validation after a production incident.
How it compares
Use for guided multi-category review in chat—not as a substitute for dependency scanners, CI linters, or pen-test engagements.
Common Questions / FAQ
Who is code-review-pro for?
Solo and indie builders using Claude-family agents who want structured security, performance, and quality feedback on code they paste or point to in the repo.
When should I use code-review-pro?
Use it in Ship before release for review gates, in Build when finishing a feature branch, and in Operate when diagnosing risky patches—whenever you ask for a code review, security audit, or performance analysis.
Is code-review-pro safe to install?
Review the Security Audits panel on this Prism page; the skill analyzes code you provide and does not inherently require network access, but pasted secrets in snippets are still your responsibility to redact.
SKILL.md
READMESKILL.md - Code Review Pro
# Code Review Pro Deep code analysis covering security, performance, maintainability, and best practices. ## When to Use This Skill Activate when the user: - Asks for a code review - Wants security vulnerability scanning - Needs performance analysis - Asks to "review this code" or "audit this code" - Mentions finding bugs or improvements - Wants refactoring suggestions - Requests best practice validation ## Instructions 1. **Security Analysis (Critical Priority)** - SQL injection vulnerabilities - XSS (cross-site scripting) risks - Authentication/authorization issues - Secrets or credentials in code - Unsafe deserialization - Path traversal vulnerabilities - CSRF protection - Input validation gaps - Insecure cryptography - Dependency vulnerabilities 2. **Performance Analysis** - N+1 query problems - Inefficient algorithms (check Big O complexity) - Memory leaks - Unnecessary re-renders (React/Vue) - Missing indexes (database queries) - Blocking operations - Resource cleanup (file handles, connections) - Caching opportunities - Excessive network calls - Large bundle sizes 3. **Code Quality & Maintainability** - Code duplication (DRY violations) - Function/method length (should be <50 lines) - Cyclomatic complexity - Unclear naming - Missing error handling - Inconsistent style - Missing documentation - Hard-coded values that should be constants - God classes/functions - Tight coupling 4. **Best Practices** - Language-specific idioms - Framework conventions - SOLID principles - Design patterns usage - Testing approach - Logging and monitoring - Accessibility (for UI code) - Type safety - Null/undefined handling 5. **Bugs and Edge Cases** - Logic errors - Off-by-one errors - Race conditions - Null pointer exceptions - Unhandled edge cases - Timezone issues - Encoding problems - Floating point precision 6. **Provide Actionable Fixes** - Show specific code changes - Explain why change is needed - Include before/after examples - Prioritize by severity ## Output Format ```markdown # Code Review Report ## 🚨 Critical Issues (Fix Immediately) ### 1. SQL Injection Vulnerability (line X) **Severity**: Critical **Issue**: User input directly concatenated into SQL query **Impact**: Database compromise, data theft **Current Code:** ```javascript const query = `SELECT * FROM users WHERE email = '${userEmail}'`; ``` **Fixed Code:** ```javascript const query = 'SELECT * FROM users WHERE email = ?'; db.query(query, [userEmail]); ``` **Explanation**: Always use parameterized queries to prevent SQL injection. ## ⚠️ High Priority Issues ### 2. Performance: N+1 Query Problem (line Y) [Details...] ## 💡 Medium Priority Issues ### 3. Code Quality: Function Too Long (line Z) [Details...] ## ✅ Low Priority / Nice to Have ### 4. Consider Using Const Instead of Let [Details...] ## 📊 Summary - **Total Issues**: 12 - Critical: 2 - High: 4 - Medium: 4 - Low: 2 ## 🎯 Quick Wins Changes with high impact and low effort: 1. [Fix 1] 2. [Fix 2] ## 🏆 Strengths - Good error handling in X - Clear naming conventions - Well-structured modules ## 🔄 Refactoring Opportunities 1. **Extract Method**: Lines X-Y could be extracted into `calculateDiscount()` 2. **Remove Duplication**: [specific code blocks] ## 📚 Resources - [OWASP SQL Injection Guide](https://...) - [Performance Best Practices](https://...) ``` ## Examples **User**: "Review this authentication code" **Response**: Analyze auth logic → Identify security issues (weak password hashing, no rate limiting) → Check token handling → Note missing CSRF protection → Provide specific fi