
Code Reviewer
Run structured pre-merge PR reviews that combine automated audits with OWASP-oriented manual checks for security, performance, and quality.
Install
npx skills add https://github.com/womendefiningai/claude-code-skills --skill code-reviewer
What is this skill?
- End-to-end examples for comprehensive, security-focused, and anti-pattern reviews
- Runs bash scripts/quick-audit.sh plus npm audit, ESLint, TypeScript, and Prettier checks
- Manual pass structured around OWASP Top 10 (access control, crypto, injection)
- Covers authentication API patterns: bcrypt hashing, JWT env secrets, parameterized ORM queries
- Separates good comprehensive review workflow from bad review examples to train the agent
Adoption & trust: 1 install on skills.sh; 9 GitHub stars; 2 of 3 security scanners passed (skills.sh audits); trending (+100% hot-view momentum).
Journey fit
Code Reviewer is shelved under ship because the documented flow is pre-merge PR review backed by audit scripts: the gate before merged code ships. It fits the review subphase (explicit PR review, ESLint/TypeScript gates, severity-ranked findings) rather than launch or distribution work.
Common Questions / FAQ
Is Code Reviewer safe to install?
skills.sh reports 2 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.
SKILL.md - Code Reviewer
# Code Review Examples

Complete end-to-end examples showing how to use the code-reviewer skill effectively.

---

## Table of Contents

1. [Example 1: Good Comprehensive Code Review](#example-1-good-comprehensive-code-review)
2. [Example 2: Security-Focused Review](#example-2-security-focused-review)
3. [Example 3: Bad Review (What NOT to Do)](#example-3-bad-review-what-not-to-do)

---

## Example 1: Good Comprehensive Code Review

### Context

**Feature:** User authentication API endpoint
**Files Changed:** `src/api/auth.ts`, `src/middleware/validate.ts`
**Lines Changed:** +150/-30
**Review Type:** Pre-merge PR review

### User Request

```
"Review this authentication PR for security, performance, and code quality issues"
```

### Review Process

**Step 1: Run Automated Tools**

```bash
bash scripts/quick-audit.sh
```

**Results:**
- ✅ npm audit: No vulnerabilities
- ✅ ESLint: 0 errors, 2 warnings
- ✅ TypeScript: All type checks pass
- ⚠️ Prettier: 3 files need formatting

**Step 2: Manual Security Review (OWASP Top 10)**

Checked `src/api/auth.ts`:

**A01 - Broken Access Control:**
- ✅ Authentication middleware present on all protected routes
- ✅ Token validation checks user permissions
- ✅ Direct object references prevented with user ID validation

**A02 - Cryptographic Failures:**
- ✅ Passwords hashed with bcrypt (cost factor 12)
- ✅ JWT secrets in environment variables
- ✅ HTTPS enforced in production

**A03 - Injection:**
- ✅ Parameterized queries used (TypeORM)
- ✅ Input validation with Zod schemas
- ✅ No string concatenation in SQL

**A07 - Authentication Failures:**
- ✅ Rate limiting implemented (5 attempts/15 minutes)
- ⚠️ **ISSUE FOUND:** Session timeout set to 7 days (too long)
- ✅ Password requirements enforced (12 chars min)

**Step 3: Performance Analysis**

```typescript
// File: src/api/auth.ts:45
async function getUserWithPosts(userId: string) {
  const user = await User.findOne({ where: { id: userId } });
  const posts = await Post.find({ where: { userId } }); // 🔴 N+1 potential
  return { ...user, posts };
}
```

**🔴 ISSUE FOUND:** Potential N+1 query pattern: two round-trips per user, multiplied by N if this function is called in a loop. Load posts with a JOIN (a TypeORM relation) or batch the lookups.

**Step 4: Code Quality**
- ✅ Functions < 50 lines
- ✅ No `any` types
- ✅ Proper error handling
- ⚠️ **ISSUE FOUND:** `console.log` on line 78 should be removed
- ✅ Test coverage: 85%

### Review Report Generated

````markdown
# Code Review Report: User Authentication API

**Reviewed by:** Claude (code-reviewer skill)
**Date:** 2025-11-03
**PR:** #123
**Review Type:** Standard Pre-Merge Review

---

## Executive Summary

**Verdict:** ⚠️ APPROVED WITH RESERVATIONS

**Overview:** Solid authentication implementation with proper security practices. Two medium-priority issues identified that should be fixed before merge.

**Key Metrics:**
- **Files Modified:** 2
- **Lines Changed:** +150/-30
- **Estimated Risk:** 🟡 Medium
- **Test Coverage:** 85%
- **Review Duration:** 8 minutes

---

## Critical Issues (Blocking - Must Fix Before Merge)

**None identified** ✅

---

## High Priority Issues (Fix Within 48 Hours)

**None identified** ✅

---

## Medium Priority Issues (Fix This Sprint)

### 1. Session Timeout Too Long 🟡

**Location:** `src/api/auth.ts:23`

**Issue:**
```typescript
const token = jwt.sign({ userId }, JWT_SECRET, { expiresIn: '7d' });
```

A 7-day session lifetime is excessive: a stolen token stays usable for a week, and a stateless JWT cannot be revoked before it expires.

**Recommendation:**
```typescript
const token = jwt.sign({ userId }, JWT_SECRET, { expiresIn: '24h' });
```

Change to 24 hours (or 1 hour for high-security applications).

**Severity:** 🟡 Medium
**Category:** Security - Authentication
**OWASP:** A07:2021 - Identification and Authentication Failures

---

### 2. Potential N+1 Query Pattern 🟡

**Location:** `src/api/auth.ts:45-48`

**Issue:**
```typescript
async function getUserWithPosts(userId: string) {
  const user = await User.findOne({ where: { id: userId } });
  const posts = await Post.find({ where: { userId } });
  return { ...user, posts
```
````