Code Review
Run structured PR and diff reviews for security, performance, quality, and test gaps before merge.
Overview
Code Review is an agent skill most often used in Ship (also Build, Operate) that analyzes pull requests and diffs for security, performance, code quality, and testing issues using a fixed severity template.
Install
npx skills add https://github.com/skillcreatorai/ai-agent-skills --skill code-reviewWhat is this skill?
- Four review lenses: security (SQLi, XSS, secrets, auth), performance (N+1, caching, bundles), code quality (DRY, SRP, er
- Structured markdown output with Critical (must fix), Suggestions (should consider), and file:line anchors
- Derived from Anthropics Claude Code patterns for agent-driven PR review
- Use when reviewing diffs, opening PRs, or running manual code audits
- Apache-2.0 skill package suitable for Claude Code and similar coding agents
- 4 review categories: security, performance, code quality, and testing
Adoption & trust: 965 installs on skills.sh; 1.1k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are about to merge changes but lack a consistent reviewer checklist for security, perf, and test gaps across every PR.
Who is it for?
Solo builders and tiny teams who want PR-ready review comments without hiring a full-time reviewer.
Skip if: Greenfield feature design or product scoping where no code diff exists yet, or when you only need a single linter rule fixed manually.
When should I use this skill?
Reviewing code changes, pull requests, or performing code audits.
What do I get? / Deliverables
You get a prioritized, file-anchored review summary with critical fixes and suggestions you can act on before merge or in a follow-up commit.
- Markdown code review summary with Critical and Suggestions sections tied to file:line references
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Ship/review is the canonical shelf because the skill is framed around pull requests, code changes, and pre-merge audits. Review subphase matches automated PR analysis and explicit code-audit workflows rather than authoring new features.
Where it fits
Run the skill on a feature PR to surface XSS and missing auth checks before you merge to main.
Use the security lens on a hotfix branch to confirm no hardcoded secrets slipped in under time pressure.
Review a React PR for unnecessary re-renders and bundle-size risks while the feature is still in flight.
Periodically audit legacy modules for SQL injection and weak error handling during maintenance sprints.
How it compares
Use instead of unstructured “please review my PR” chat when you want categorized security/perf/quality/test findings with severities.
Common Questions / FAQ
Who is code-review for?
Indie and solo developers using AI coding agents who ship via pull requests and want repeatable audit-style feedback on every change set.
When should I use code-review?
Use it when opening or updating a PR, before merge in the ship review subphase, during late-build hardening on risky modules, or during operate-phase code audits when you need the same four-category checklist.
Is code-review safe to install?
It is a procedural review skill, not a live scanner; check the Security Audits panel on this Prism page for package integrity and run your own org policies before granting broad repo access.
SKILL.md
READMESKILL.md - Code Review
# Code Review ## Review Categories ### 1. Security Review Check for: - SQL injection vulnerabilities - XSS (Cross-Site Scripting) - Command injection - Insecure deserialization - Hardcoded secrets/credentials - Improper authentication/authorization - Insecure direct object references ### 2. Performance Review Check for: - N+1 queries - Missing database indexes - Unnecessary re-renders (React) - Memory leaks - Blocking operations in async code - Missing caching opportunities - Large bundle sizes ### 3. Code Quality Review Check for: - Code duplication (DRY violations) - Functions doing too much (SRP violations) - Deep nesting / complex conditionals - Magic numbers/strings - Poor naming - Missing error handling - Incomplete type coverage ### 4. Testing Review Check for: - Missing test coverage for new code - Tests that don't test behavior - Flaky test patterns - Missing edge cases - Mocked external dependencies ## Review Output Format ```markdown ## Code Review Summary ### 🔴 Critical (Must Fix) - **[File:Line]** [Issue description] - **Why:** [Explanation] - **Fix:** [Suggested fix] ### 🟡 Suggestions (Should Consider) - **[File:Line]** [Issue description] - **Why:** [Explanation] - **Fix:** [Suggested fix] ### 🟢 Nits (Optional) - **[File:Line]** [Minor suggestion] ### ✅ What's Good - [Positive feedback on good patterns] ``` ## Common Patterns to Flag ### Security ```javascript // BAD: SQL injection const query = `SELECT * FROM users WHERE id = ${userId}`; // GOOD: Parameterized query const query = 'SELECT * FROM users WHERE id = $1'; await db.query(query, [userId]); ``` ### Performance ```javascript // BAD: N+1 query users.forEach(async user => { const posts = await getPosts(user.id); }); // GOOD: Batch query const userIds = users.map(u => u.id); const posts = await getPostsForUsers(userIds); ``` ### Error Handling ```javascript // BAD: Swallowing errors try { await riskyOperation(); } catch (e) {} // GOOD: Handle or propagate try { await riskyOperation(); } catch (e) { logger.error('Operation failed', { error: e }); throw new AppError('Operation failed', { cause: e }); } ``` ## Review Checklist - [ ] No hardcoded secrets - [ ] Input validation present - [ ] Error handling complete - [ ] Types/interfaces defined - [ ] Tests added for new code - [ ] No obvious performance issues - [ ] Code is readable and documented - [ ] Breaking changes documented