
Code Reviewer
Run structured AI code reviews prioritized by security, performance, correctness, and maintainability before you merge or ship.
Overview
code-reviewer is an agent skill most often used in Ship (also Build backend, Ship security) that performs prioritized reviews covering SQL injection, XSS, N+1 queries, error handling, and maintainability.
Install
npx skills add https://github.com/shubhamsaboo/awesome-llm-apps --skill code-reviewer
What is this skill?
- Security-first checklist covering SQL injection and XSS with incorrect vs correct examples
- High-impact performance guidance including N+1 query detection
- Correctness focus on proper error handling patterns
- Maintainability rules for meaningful names and type hints
- Priority tiers: CRITICAL security, HIGH performance and correctness, MEDIUM maintainability
- 6 prioritized review topics in the table of contents across security, performance, correctness, and maintainability
Adoption & trust: 3.4k installs on skills.sh; 114k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You ship changes after a quick LLM glance that misses injection, XSS, and query-efficiency issues because there is no shared severity rubric telling the reviewer what to look for first.
Who is it for?
Indie builders merging agent-generated Python or web backend code who need security- and performance-first review comments.
Skip if: Repos that only need style linting or teams that already enforce full automated security suites without human-readable rationales.
When should I use this skill?
Performing AI-assisted code review on application code before merge or release.
What do I get? / Deliverables
Reviews return tiered findings with concrete bad/good examples so you can fix CRITICAL security and HIGH performance problems before merge.
- Tiered review comments mapped to CRITICAL/HIGH/MEDIUM topics
- Incorrect vs correct code suggestions per guideline
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Ship/review is the canonical shelf because the skill is written as a pre-merge review playbook, even though you can reuse its sections while still building. The Review subphase matches the explicit security and quality gates agents should apply to diffs and PRs.
Where it fits
Sanity-check new repository methods for parameterized queries while implementing a feature branch.
Run a full prioritized review on an agent-written PR before you merge to main.
Focus the agent on CRITICAL SQL injection and XSS sections before a public launch candidate.
How it compares
Structured review checklist skill, not a CI scanner or a deployment safety guard.
Common Questions / FAQ
Who is code-reviewer for?
Solo and indie developers who want AI agents to review diffs with explicit security and performance priorities.
When should I use code-reviewer?
Use it in Ship before merging PRs, during Build when hardening new API handlers, and in Ship security passes when touching auth or database code.
Is code-reviewer safe to install?
It is guidance-only text; check the Security Audits panel on this Prism page and keep using your own scanners for authoritative vulnerability status.
SKILL.md - Code Reviewer
# Code Review Guidelines

**A comprehensive guide for AI agents performing code reviews**, organized by priority and impact.

---

## Table of Contents

### Security — **CRITICAL**
1. [SQL Injection Prevention](#sql-injection-prevention)
2. [XSS Prevention](#xss-prevention)

### Performance — **HIGH**
3. [Avoid N+1 Query Problem](#avoid-n-1-query-problem)

### Correctness — **HIGH**
4. [Proper Error Handling](#proper-error-handling)

### Maintainability — **MEDIUM**
5. [Use Meaningful Variable Names](#use-meaningful-variable-names)
6. [Add Type Hints](#add-type-hints)

---

## Security

### SQL Injection Prevention

**Impact: CRITICAL** | **Category: security** | **Tags:** sql, security, injection, database

Never construct SQL queries with string concatenation or f-strings. Always use parameterized queries to prevent SQL injection attacks.

#### Why This Matters

SQL injection is one of the most common and dangerous web vulnerabilities. Attackers can:

- Access unauthorized data
- Modify or delete database records
- Execute admin operations on the database
- In some cases, issue commands to the OS

#### ❌ Incorrect

```python
def get_user(user_id):
    # The caller's value is spliced into the SQL text and parsed as SQL
    query = f"SELECT * FROM users WHERE id = {user_id}"
    result = db.execute(query)
    return result

# Vulnerable to:
get_user("1 OR 1=1")  # Returns all users!
```

#### ✅ Correct

```python
from typing import Any, Dict, Optional

def get_user(user_id: int) -> Optional[Dict[str, Any]]:
    # The SQL text is constant; the driver binds the value as data
    # ('?' is the sqlite3 paramstyle; other drivers use %s or :name)
    query = "SELECT * FROM users WHERE id = ?"
    result = db.execute(query, (user_id,))
    return result.fetchone() if result else None
```

[➡️ Full details: security-sql-injection.md](rules/security-sql-injection.md)

---

### XSS Prevention

**Impact: CRITICAL** | **Category: security** | **Tags:** xss, security, html, javascript

Never insert unsanitized user input into HTML. Always escape output or use frameworks that auto-escape by default.

#### ❌ Incorrect

```javascript
// Dangerous! userInput is parsed as HTML, so event-handler payloads
// such as <img src=x onerror=...> execute in the page
document.getElementById('username').innerHTML = userInput;
```

#### ✅ Correct

```javascript
import DOMPurify from 'dompurify';

const element = document.getElementById('username');

// Safe: textContent never parses markup
element.textContent = userInput;

// Or sanitize if HTML is genuinely needed
element.innerHTML = DOMPurify.sanitize(userHtml);
```

[➡️ Full details: security-xss-prevention.md](rules/security-xss-prevention.md)

---

## Performance

### Avoid N+1 Query Problem

**Impact: HIGH** | **Category: performance** | **Tags:** database, performance, orm, queries

The N+1 query problem occurs when code executes 1 query to fetch a list, then N additional queries to fetch related data for each item.

#### ❌ Incorrect

```python
# 101 queries for 100 posts!
posts = Post.objects.all()  # 1 query
for post in posts:
    print(f"{post.title} by {post.author.name}")  # N queries (one per post)
```

#### ✅ Correct

```python
# 1 query with a JOIN (Django ORM)
posts = Post.objects.select_related('author').all()
for post in posts:
    print(f"{post.title} by {post.author.name}")  # No extra queries!
```

[➡️ Full details: performance-n-plus-one.md](rules/performance-n-plus-one.md)

---

## Correctness

### Proper Error Handling

**Impact: HIGH** | **Category: correctness** | **Tags:** errors, exceptions, reliability

Always handle errors explicitly. Don't use bare except clauses or ignore errors silently.

#### ❌ Incorrect

```python
try:
    result = risky_operation()
except:
    pass  # Silent failure! Also swallows KeyboardInterrupt and SystemExit
```

#### ✅ Correct

```python
import json
import logging

logger = logging.getLogger(__name__)

try:
    # open() inside the try so a missing file is caught below
    with open(config_path) as config_file:
        config = json.load(config_file)
except json.JSONDecodeError as e:
    logger.error(f"Invalid JSON in config file: {e}")
    config = get_default_config()
except FileNotFoundError:
    logger.warning("Config file not found, using defaults")
    config = get_default_config()
```

[➡️ Full details: correctness-error-handling.md](rules/correctness-error-handling.md)

---

## Maintainability

### Use Meaningful Variable Names

**Impact: MEDIUM** | **Category: maintainability** | **Tags:** naming, readability, code-quality

Choose descriptive, intention-revealing names. Avoid single letters (except loop counters),
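The following is an added, runnable example for the SQL Injection Prevention rule above. It is not code from the skill or from awesome-llm-apps: it runs the checklist's own payload ("1 OR 1=1") against a constructed in-memory SQLite table to show concretely why the f-string version is CRITICAL and the parameterized version is not, and adds a small AST heuristic of the kind a reviewer (human or agent) can use to point at string-built SQL in a diff. The `users` table, its rows and the snippet under review are all constructed here for the demonstration.

```python
"""Added example, not part of the original skill: SQL injection rule end to end."""
import ast
import re
import sqlite3
from typing import Any, Optional

SQL_KEYWORD = re.compile(r"\b(select|insert|update|delete|from|where)\b", re.I)


def make_db() -> sqlite3.Connection:
    """Constructed sample data; any real schema behaves the same way."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, email) VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"),
         (2, "bob", "bob@example.com"),
         (3, "carol", "carol@example.com")],
    )
    return conn


def get_user_vulnerable(conn: sqlite3.Connection, user_id: Any) -> list:
    # INCORRECT, kept deliberately vulnerable: the caller's value becomes part
    # of the SQL text, so "1 OR 1=1" is parsed as a boolean expression.
    query = f"SELECT id, name, email FROM users WHERE id = {user_id}"
    return conn.execute(query).fetchall()


def get_user_safe(conn: sqlite3.Connection, user_id: Any) -> Optional[tuple]:
    # CORRECT: the SQL text is a constant; the value is bound as a parameter
    # and can only ever be compared as data, so "1 OR 1=1" matches no id.
    query = "SELECT id, name, email FROM users WHERE id = ?"
    return conn.execute(query, (user_id,)).fetchone()


def find_string_built_sql(source: str) -> list[int]:
    """Reviewer heuristic: line numbers of f-strings, %-formatting, string
    concatenation or .format() calls whose literal text contains SQL keywords.
    Deliberately simple: it directs attention, it is not a verdict."""
    hits: list[int] = []
    for node in ast.walk(ast.parse(source)):
        literal = ""
        if isinstance(node, ast.JoinedStr):  # f-string
            literal = "".join(v.value for v in node.values
                              if isinstance(v, ast.Constant) and isinstance(v.value, str))
        elif isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
            for side in (node.left, node.right):  # "..." + x  or  "..." % x
                if isinstance(side, ast.Constant) and isinstance(side.value, str):
                    literal += side.value
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr == "format"
              and isinstance(node.func.value, ast.Constant)
              and isinstance(node.func.value.value, str)):
            literal = node.func.value.value  # "...".format(x)
        if literal and SQL_KEYWORD.search(literal):
            hits.append(node.lineno)
    return sorted(set(hits))


# Constructed snippet under review: the checklist's own Incorrect example.
VULNERABLE_SNIPPET = '''
def get_user(user_id):
    query = f"SELECT * FROM users WHERE id = {user_id}"
    return db.execute(query)
'''

if __name__ == "__main__":
    conn = make_db()
    print(get_user_vulnerable(conn, "1 OR 1=1"))   # all three rows leak
    print(get_user_safe(conn, "1 OR 1=1"))         # None
    print(get_user_safe(conn, 2))                  # (2, 'bob', 'bob@example.com')
    print(find_string_built_sql(VULNERABLE_SNIPPET))  # [3]
```

The safe variant binds the raw value on purpose so the demonstration isolates what parameterization alone buys you: SQLite compares the bound text against the integer column as data and finds nothing. In production you would additionally validate the type at the boundary (an `int()` conversion that rejects the payload outright), which is a defence in depth, not a substitute for binding.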