DiscordSign up
SKILLS.SH

second-opinion

Independent code review from external LLMs (OpenAI Codex or Google Gemini CLI) on uncommitted changes, branch diffs, or specific commits. Supports two review engines: OpenAI Codex CLI (gpt-5.3-codex with structured JSON output) and Google Gemini CLI (gemini-3.1-pro-preview with code-review extension) Collects review scope (uncommitted, branch diff, or specific commit), optional project context file (CLAUDE.md or AGENTS.md), and focus area (general, security, performance, or error handling) via interactive questions Runs both tools in parallel when selected, with diff preview and large-diff warnings before execution Skips dependency scanning unless security focus is selected and dependency files are in the diff, avoiding unnecessary overhead

INSTALLATION
npx skills add https://github.com/trailofbits/skills --skill second-opinion
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

Second Opinion

Shell out to external LLM CLIs for an independent code review powered by

a separate model. Supports OpenAI Codex CLI and Google Gemini CLI.

When to Use

  • Getting a second opinion on code changes from a different model
  • Reviewing branch diffs before opening a PR
  • Checking uncommitted work for issues before committing
  • Running a focused review (security, performance, error handling)
  • Comparing review output from multiple models

When NOT to Use

  • Neither Codex CLI nor Gemini CLI is installed
  • No API key or subscription configured for either tool
  • Reviewing non-code files (documentation, config)
  • You want Claude's own review (just ask Claude directly)

Safety Note

Gemini CLI is invoked with --yolo, which auto-approves all

tool calls without confirmation. This is required for headless

(non-interactive) operation but means Gemini will execute any

tool actions its extensions request without prompting.

Quick Reference

# Codex (headless exec with structured JSON output)

codex exec --sandbox read-only --ephemeral \

  --output-schema codex-review-schema.json \

  -o "$output_file" - < "$prompt_file"

# Gemini (code review extension)

gemini -p "/code-review" --yolo -e code-review

# Gemini (headless with diff — see references/ for full pattern)

git diff HEAD > /tmp/review-diff.txt

{ printf '%s\n\n' 'Review this diff for issues.'; cat /tmp/review-diff.txt; } \

  | gemini -p - --yolo -m gemini-3.1-pro-preview

Invocation

1. Gather context interactively

Use AskUserQuestion to collect review parameters in one shot.

Adapt the questions based on what the user already provided

in their invocation (skip questions they already answered).

Combine all applicable questions into a single AskUserQuestion

call (max 4 questions).

Question 1 — Tool (skip if user already specified):

header: "Review tool"

question: "Which tool should run the review?"

options:

  - "Both Codex and Gemini (Recommended)" → run both in parallel

  - "Codex only"                          → codex exec

  - "Gemini only"                         → gemini CLI

Question 2 — Scope (skip if user already specified):

header: "Review scope"

question: "What should be reviewed?"

options:

  - "Uncommitted changes" → git diff HEAD + untracked files

  - "Branch diff vs main" → git diff <branch>...HEAD (auto-detect default branch)

  - "Specific commit"     → git diff <sha>~1..<sha> (follow up for SHA)

Question 3 — Project context (skip if neither CLAUDE.md nor AGENTS.md exists):

Check for CLAUDE.md first, then AGENTS.md in the repo root.

Only show this question if at least one exists.

header: "Project context"

question: "Include project conventions file so the review

  checks against your standards?"

options:

  - "Yes, include it"

  - "No, standard review"

Question 4 — Review focus (always ask):

header: "Review focus"

question: "Any specific focus areas for the review?"

options:

  - "General review"    → no custom prompt

  - "Security &#x26; auth"   → security-focused prompt

  - "Performance"       → performance-focused prompt

  - "Error handling"    → error handling-focused prompt

2. Run the tool directly

Do not pre-check tool availability. Run the selected tool

immediately. If the command fails with "command not found" or

an extension is missing, report the install command from the

Error Handling table below and skip that tool (if "Both" was

selected, run only the available one).

Diff Preview

After collecting answers, show the diff stats:

# For uncommitted (tracked + untracked):

git diff --stat HEAD

git ls-files --others --exclude-standard

# For branch diff:

git diff --stat <branch>...HEAD

# For specific commit:

git diff --stat <sha>~1..<sha>

If the diff is empty, stop and tell the user.

If the diff is very large (>2000 lines changed), warn the user

and ask whether to proceed or narrow the scope.

Skipping Inapplicable Checks

After determining the diff scope, skip checks that don't apply

to the files actually changed.

Dependency Scanning

Only run /security:scan-deps when the diff touches dependency

manifest files. Check with:

git diff --name-only <scope> \

  | grep -qiE '(package\.json|package-lock|yarn\.lock|pnpm-lock|Gemfile|\.gemspec|requirements\.txt|setup\.py|setup\.cfg|pyproject\.toml|poetry\.lock|uv\.lock|Cargo\.toml|Cargo\.lock|go\.mod|go\.sum|composer\.json|composer\.lock|Pipfile)'

If no dependency files are in the diff, skip the scan even when

security focus is selected. The scan analyzes the entire project's

dependency tree regardless of diff scope, so it adds significant

time for zero value when dependencies weren't touched.

Auto-detect Default Branch

For branch diff scope, detect the default branch name:

git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null \

  | sed 's@^refs/remotes/origin/@@' || echo main

Codex Invocation

See references/codex-invocation.md

for full details on command syntax, prompt assembly, and the

structured output schema.

Summary:

  • Uses codex exec (not codex review) for headless operation
  • Model: gpt-5.3-codex, reasoning: xhigh
  • Uses OpenAI's published code review prompt (fine-tuned into the model)
  • Diff is generated manually and piped via stdin with the prompt
  • --output-schema produces structured JSON findings
  • -o captures only the final message (no thinking/exec noise)
  • All three scopes (uncommitted, branch, commit) support project

context and focus instructions (no limitations)

  • Falls back to gpt-5.2-codex on auth errors
  • Output is clean JSON — parse and present findings by priority
  • Set timeout: 600000 on the Bash call

Gemini Invocation

See references/gemini-invocation.md

for full details on flags, scope mapping, and extension usage.

Summary:

  • Model: gemini-3.1-pro-preview, flags: --yolo, -e, -m
  • For uncommitted general review: gemini -p "/code-review" --yolo -e code-review
  • For branch/commit diffs: pipe git diff into gemini -p
  • Security extension name is gemini-cli-security (not security)
  • /security:analyze is interactive-only — use -p with a

security prompt instead

  • Run /security:scan-deps only when security focus is selected

AND the diff touches dependency manifest files (see Diff-Aware

Optimizations)

  • Set timeout: 600000 on the Bash call

**Scope mapping for git diff** (Gemini has no built-in scope flags):

Scope

Diff command

Uncommitted

git diff HEAD + untracked (see codex-invocation.md)

Branch diff

git diff <branch>...HEAD

Specific commit

git diff <sha>~1..<sha>

Running Both

When the user picks "Both" (the default):

  • Run Codex and Gemini in parallel — issue both Bash tool

calls in a single response. Both commands are read-only

(they review diffs via external APIs) so there is no

shared state or git lock contention.

  • Collect both results, then present with clear headers:
## Codex Review (gpt-5.3-codex)

<codex output>

## Gemini Review (gemini-3.1-pro-preview)

<gemini output>

Summarize where the two reviews agree and differ.

Error Handling

Error

Action

codex: command not found

Tell user: npm i -g @openai/codex

gemini: command not found

Tell user: npm i -g @google/gemini-cli

Gemini code-review extension missing

Tell user: gemini extensions install https://github.com/gemini-cli-extensions/code-review

Gemini gemini-cli-security extension missing

Tell user: gemini extensions install https://github.com/gemini-cli-extensions/security

Model auth error (Codex)

Retry with gpt-5.2-codex

Empty diff

Tell user there are no changes to review

Timeout

Inform user and suggest narrowing the diff scope

Tool partially unavailable

Run only the available tool, note the skip

Examples

Both tools (default):

User: /second-opinion

Claude: [asks 4 questions: tool, scope, context, focus]

User: picks "Both", "Branch diff", "Yes include CLAUDE.md", "Security"

Claude: [detects default branch = main]

Claude: [shows diff --stat: 6 files, +103 -15]

Claude: [assembles prompt with review instructions + CLAUDE.md + security focus + diff]

Claude: [runs codex exec and gemini in parallel]

Claude: [reads codex output file, parses structured findings]

Claude: [presents both reviews, highlights agreements/differences]

Codex only with inline args:

User: /second-opinion check uncommitted changes for bugs

Claude: [scope known: uncommitted, focus known: custom]

Claude: [asks 2 questions: tool, project context]

User: picks "Codex only", "No context"

Claude: [shows diff --stat: 3 files, +45 -10]

Claude: [writes prompt file with review instructions + diff]

Claude: [runs codex exec, reads structured JSON output]

Claude: [presents findings by priority with file:line refs]

Gemini only:

User: /second-opinion

Claude: [asks 4 questions]

User: picks "Gemini only", "Uncommitted", "No", "General"

Claude: [shows diff --stat: 2 files, +20 -5]

Claude: [runs gemini -p "/code-review" --yolo -e code-review]

Claude: [presents review]

Large diff warning:

User: /second-opinion

Claude: [asks questions] → user picks "Both", "Uncommitted", "General"

Claude: [shows diff --stat: 45 files, +3200 -890]

Claude: "Large diff (3200+ lines). Proceed, or narrow the scope?"

User: "proceed"

Claude: [runs both reviews]
BrowserAct

Let your agent run on any real-world website

Bypass CAPTCHA & anti-bot for free. Start local, scale to cloud.

Explore BrowserAct Skills →

Related skills

find-skills
2/3

Discover and install specialized agent skills from the open ecosystem when users need extended capabilities. Helps identify relevant skills by domain and task when users ask "how do I do X" or "find a skill for X" Integrates with the Skills CLI ( npx skills find , npx skills add ) to search, verify, and install packages from the skills.sh directory Recommends skills based on install count, source reputation, and GitHub stars to ensure quality before suggesting installation Presents skill options with install commands and links to skills.sh for user review and one-click installation

Verified authorvercel-labs
SKILLS.SH
1.5M19.6K
2026-05-22
vercel-react-best-practices
3/3

React and Next.js performance optimization guide with 64 prioritized rules across 8 categories. Organized by impact level, from critical waterfalls and bundle optimization down to advanced patterns, each rule includes incorrect/correct code examples and explanations Covers eight domains: async patterns, bundle size, server-side caching, client-side data fetching, re-render optimization, rendering performance, JavaScript efficiency, and advanced patterns Designed for use during component writing, code review, refactoring, and performance audits on React and Next.js applications Each rule has a prefix code (e.g., async-parallel , bundle-barrel-imports ) for easy reference in automated tooling and documentation

Verified authorvercel-labs
SKILLS.SH
389K26.9K
2026-05-22
azure-validate
2/3

Pre-deployment validation for Azure infrastructure, configuration, and permissions before deployment. Requires .azure/plan.md from a prior azure-prepare run; stops immediately if the plan is missing Executes recipe-specific validation commands (azd provision, bicep build, terraform validate) and records proof in the plan document Performs build verification, configuration checks, and permission validation; blocks deployment if any check fails Only authorized method to set plan status to Validated ; must be followed by azure-deploy skill to execute the actual deployment

Verified authormicrosoft
SKILLS.SH
324K1.1K
2026-05-22
appinsights-instrumentation
3/3

Guidance and reference material for instrumenting webapps with Azure Application Insights. Covers SDK setup, telemetry patterns, and configuration for ASP.NET Core and Node.js applications hosted in Azure Distinguishes between this skill (reference and guidance) and azure-prepare (actual implementation); invoke azure-prepare when the user wants to add instrumentation to their project Provides auto-instrumentation guidance for C# ASP.NET Core apps in Azure App Service, plus manual instrumentation paths for creating App Insights resources via Bicep templates or Azure CLI Includes language-specific code modification guides for ASP.NET Core, Node.js, and Python, plus quick references for OpenTelemetry SDKs and exporters

Verified authormicrosoft
SKILLS.SH
324K1.1K
2026-05-22

Stop writing automation&scrapers

Install the CLI. Run your first Skill in 30 seconds. Scale when you're ready.

Start free
free · no credit card