code-reviewer

Analyzes code diffs and files to identify bugs, security vulnerabilities, performance issues, and architectural concerns with prioritized feedback.

  • Detects common issues including SQL injection, XSS, N+1 queries, magic numbers, hardcoded secrets, and design pattern violations.
  • Follows a structured five-step workflow: context understanding, architecture review, code quality checks, test validation, and categorized reporting.
  • Produces prioritized reports organized by severity (critical, major, minor) with specific, actionable code examples and positive feedback.
  • Complements specialized skills like security-reviewer and test-master by providing broad-scope review across correctness, performance, maintainability, and test coverage in a single pass.
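As an added illustration of the kind of diff analysis described above (this is example code written for this page, not the skill's own implementation), the script below walks the added lines of a constructed unified diff, applies three hypothetical heuristics (a hardcoded-secret assignment, a SQL query built by string interpolation, and a magic number in a comparison), and emits findings sorted critical to minor. The diff, file path and the placeholder secret value are all constructed for the example.

```python
import re

# Constructed sample diff for the example (not from the page). The secret value is a placeholder.
SAMPLE_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -1,2 +1,6 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "example-not-a-real-secret"
+def get_user(cursor, user_id):
+    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
+def is_shipped(status):
+    return status == 3
"""

SEVERITY_ORDER = {"critical": 0, "major": 1, "minor": 2}

# Hypothetical heuristics: (severity, title, pattern). Tuned to avoid flagging the
# parameterized "%s" placeholder style, which is the GOOD form, not a finding.
CHECKS = [
    ("critical", "Hardcoded secret",
     re.compile(r'(?i)\b\w*(password|secret|token|api_key)\w*\s*=\s*["\'][^"\']+["\']')),
    ("critical", "SQL built by string interpolation",
     re.compile(r'\.execute\(\s*(?:f["\']|[^,]*\.format\(|[^,]*["\']\s*(?:\+|%))')),
    ("minor", "Magic number in comparison",
     re.compile(r'[=!<>]=\s*(?!0\b|1\b)\d+\b')),
]


def added_lines(diff_text):
    """Yield (file, new_line_no, text) for every '+' line, using hunk headers for numbering."""
    current_file, line_no = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            line_no = int(m.group(1))
        elif raw.startswith("+"):
            yield current_file, line_no, raw[1:]
            line_no += 1
        elif raw.startswith("-"):
            continue  # removed lines do not advance the new-file line counter
        else:
            line_no += 1  # unchanged context line


def review(diff_text):
    """Return findings as dicts, sorted by severity (critical first), then file and line."""
    findings = []
    for path, line_no, text in added_lines(diff_text):
        for severity, title, pattern in CHECKS:
            if pattern.search(text):
                findings.append({"file": path, "line": line_no, "severity": severity,
                                 "title": title, "code": text.strip()})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["file"], f["line"]))
    return findings


def format_report(findings):
    """Render one line per finding in the '[SEVERITY] file:line title: code' form."""
    return "\n".join(
        f"[{f['severity'].upper()}] {f['file']}:{f['line']} {f['title']}: {f['code']}"
        for f in findings
    )


if __name__ == "__main__":
    print(format_report(review(SAMPLE_DIFF)))
```

Running it lists the hardcoded secret (line 2) and the interpolated query (line 4) as critical and the `== 3` comparison (line 6) as minor; the removed `os.environ` line is skipped because only added lines are reviewed.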

INSTALLATION
npx skills add https://github.com/jeffallan/claude-skills --skill code-reviewer
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md


Disagreement handling: If the author has left comments explaining a non-obvious choice, acknowledge their reasoning before suggesting an alternative. Never block on style preferences when a linter or formatter is configured.

Reference Guide

Load detailed guidance based on context:

| Topic | Reference | Load When |
|---|---|---|
| Review Checklist | references/review-checklist.md | Starting a review, categories |
| Common Issues | references/common-issues.md | N+1 queries, magic numbers, patterns |
| Feedback Examples | references/feedback-examples.md | Writing good feedback |
| Report Template | references/report-template.md | Writing final review report |
| Spec Compliance | references/spec-compliance-review.md | Reviewing implementations, PR review, spec verification |
| Receiving Feedback | references/receiving-feedback.md | Responding to review comments, handling feedback |

Review Patterns (Quick Reference)

N+1 Query — Bad vs Good

# BAD: query inside loop
for user in users:
    orders = Order.objects.filter(user=user)  # N+1

# GOOD: prefetch in bulk
users = User.objects.prefetch_related('orders').all()
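The Django snippet above cannot be run without an ORM, so here is an added, self-contained example (not from the page or the skill) that shows the same N+1 pattern against a constructed in-memory SQLite database and counts the queries each approach issues. The "prefetch" side is the plain-SQL equivalent of `prefetch_related`: one query for the parents, one `IN (...)` query for all their children, joined in memory.

```python
import sqlite3


def make_db():
    """Constructed sample data for the example: 3 users with 5 orders between them."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, total REAL);
        INSERT INTO users VALUES (1, 'ana'), (2, 'ben'), (3, 'cy');
        INSERT INTO orders VALUES (1, 1, 10.0), (2, 1, 5.5), (3, 2, 7.0), (4, 3, 1.0), (5, 3, 2.0);
    """)
    return conn


class CountingDB:
    """Wraps a connection and counts execute() calls so the query count is observable."""

    def __init__(self, conn):
        self.conn = conn
        self.queries = 0

    def execute(self, sql, params=()):
        self.queries += 1
        return self.conn.execute(sql, params)


def orders_per_user_n_plus_1(db):
    """BAD: one query for the users, then one more query per user (N+1)."""
    result = {}
    for user_id, name in db.execute("SELECT id, name FROM users ORDER BY id").fetchall():
        rows = db.execute("SELECT total FROM orders WHERE user_id = ? ORDER BY id",
                          (user_id,)).fetchall()
        result[name] = [total for (total,) in rows]
    return result


def orders_per_user_prefetch(db):
    """GOOD: two queries total, regardless of how many users there are."""
    users = db.execute("SELECT id, name FROM users ORDER BY id").fetchall()
    if not users:
        return {}
    ids = [uid for uid, _ in users]
    # Only the fixed text "?" is interpolated; every id is still bound as a parameter.
    placeholders = ",".join("?" * len(ids))
    rows = db.execute(
        f"SELECT user_id, total FROM orders WHERE user_id IN ({placeholders}) ORDER BY id",
        ids,
    ).fetchall()
    by_user = {}
    for uid, total in rows:
        by_user.setdefault(uid, []).append(total)
    return {name: by_user.get(uid, []) for uid, name in users}


def query_counts():
    """Return (n_plus_1_queries, prefetch_queries, results_identical)."""
    bad, good = CountingDB(make_db()), CountingDB(make_db())
    r1 = orders_per_user_n_plus_1(bad)
    r2 = orders_per_user_prefetch(good)
    return bad.queries, good.queries, r1 == r2


if __name__ == "__main__":
    print(query_counts())  # 4 queries vs 2 for identical output
```

With three users the loop version issues 4 queries and the prefetch version 2; the gap grows linearly with the number of users, which is what the reviewer is flagging.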

Magic Number — Bad vs Good

# BAD
if status == 3:
    ...

# GOOD
ORDER_STATUS_SHIPPED = 3
if status == ORDER_STATUS_SHIPPED:
    ...

Security: SQL Injection — Bad vs Good

# BAD: string interpolation in query
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")

# GOOD: parameterized query
cursor.execute("SELECT * FROM users WHERE id = %s", [user_id])
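To show a reviewer why the first form is critical rather than stylistic, here is an added example (not from the page or the skill) that runs both forms against a constructed in-memory SQLite table. The stdlib sqlite3 driver uses `?` placeholders where the snippet above uses psycopg-style `%s`; the behaviour is the same. The constructed input `2 OR 1=1` is the textbook tautology: the interpolated query returns every row, while the bound parameter is compared as a value and matches nothing.

```python
import sqlite3


def make_db():
    """Constructed sample table for the example: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        INSERT INTO users VALUES (1, 'ana', 'admin'), (2, 'ben', 'user'), (3, 'cy', 'user');
    """)
    return conn


def find_user_interpolated(conn, user_id):
    """BAD: the f-string pastes user_id into the SQL text, so it is parsed as SQL."""
    return conn.execute(f"SELECT id, name FROM users WHERE id = {user_id}").fetchall()


def find_user_parameterized(conn, user_id):
    """GOOD: the driver binds user_id as a value; it can never change the query's shape."""
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


def compare(benign="2", hostile="2 OR 1=1"):
    """Run both forms on a normal id and on the constructed tautology input."""
    conn = make_db()
    return {
        "interpolated_benign": find_user_interpolated(conn, benign),
        "interpolated_hostile": find_user_interpolated(conn, hostile),
        "parameterized_benign": find_user_parameterized(conn, benign),
        "parameterized_hostile": find_user_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in compare().items():
        print(f"{label:22s} -> {rows}")
```

Both forms agree on the benign id. On the hostile input the interpolated query leaks all three rows (including the admin), whereas the parameterized query returns an empty list because SQLite compares the bound text against the integer column and finds no match; that contrast is the concrete evidence to put in the review comment.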

Constraints

MUST DO

  • Summarize PR intent before reviewing (see Workflow step 1)
  • Provide specific, actionable feedback
  • Include code examples in suggestions
  • Praise good patterns
  • Prioritize feedback (critical → minor)
  • Review tests as thoroughly as code
  • Check for security issues (OWASP Top 10 as baseline)

MUST NOT DO

  • Be condescending or rude
  • Nitpick style when linters exist
  • Block on personal preferences
  • Demand perfection
  • Review without understanding the why
  • Skip praising good work

Output Template

Code review report must include:

  • Summary — One-sentence intent recap + overall assessment
  • Critical issues — Must fix before merge (bugs, security, data loss)
  • Major issues — Should fix (performance, design, maintainability)
  • Minor issues — Nice to have (naming, readability)
  • Positive feedback — Specific patterns done well
  • Questions for author — Clarifications needed
  • Verdict — Approve / Request Changes / Comment

Knowledge Reference

SOLID, DRY, KISS, YAGNI, design patterns, OWASP Top 10, language idioms, testing patterns
