---
name: code-review
updated: "2026-02-20T00:00:00.000Z"
description: Security and quality review of uncommitted changes. Checks for vulnerabilities, code smells, and best practice violations. Use before committing.
argument-hint: "[--staged|--all] (default: --all uncommitted)"
allowed-tools: Bash, Read, Grep, Glob, TodoWrite
---
# Code Review

Systematic security and quality review of uncommitted changes. Groups findings by severity.

## Instructions

### Step 1: Get Changed Files

```bash
git diff --name-only HEAD
git diff --name-only --cached
```

Combine staged and unstaged changes. Filter to source files (`.ts`, `.tsx`, `.js`, `.jsx`). If the `--staged` argument is given, only review staged files.

### Step 2: Get Diffs

For each changed file, get the full diff:

```bash
git diff HEAD -- <file>
```

Read the diff carefully. Focus on ADDED and MODIFIED lines (lines starting with `+`).

### Step 3: Check Each File

Review each changed file against three severity tiers.
#### CRITICAL (Security) — Blocks commit

| Check | Pattern | Why |
|---|---|---|
| Hardcoded secrets | API keys, passwords, tokens in source | Credential exposure |
| SQL injection | String concatenation in SQL queries | Data breach |
| XSS vulnerability | `dangerouslySetInnerHTML` with user input, unescaped output | Script injection |
| Missing input validation | API route handlers without validation | Injection attacks |
| Path traversal | User input in file paths without sanitization | File system access |
| Exposed server secrets | `BACKEND_API_KEY` or server-only env vars in client code | Key leakage |
#### HIGH (Quality) — Should fix before commit

| Check | Pattern | Why |
|---|---|---|
| Functions > 80 lines | Count lines in new/modified functions | Maintainability |
| Nesting > 4 levels | Deeply nested if/for/try blocks | Readability |
| Missing error handling | Async calls without try-catch, `.catch()`, or error boundary | Runtime crashes |
| console.log statements | `console.log(` in production code | Debug noise |
| TODO/FIXME/HACK comments | Temporary markers being committed | Technical debt |
| Unused imports | Imports not referenced in changed code | Dead code |
| Any type usage | `as any`, `: any` in TypeScript | Type safety loss |
#### MEDIUM (Best Practice) — Nice to fix

| Check | Pattern | Why |
|---|---|---|
| Direct state mutation | Mutating objects/arrays instead of spread | React bugs |
| Missing loading states | Async data fetching without loading/error UI | UX |
| Missing accessibility | Interactive elements without aria labels, images without alt | a11y |
| Hardcoded strings | User-facing text not using i18n (`t()` / `useTranslations`) | i18n |
| Magic numbers | Unexplained numeric constants | Readability |
| Missing TypeScript types | Implicit `any` from missing type annotations | Type safety |
### Step 4: Report

Output findings grouped by severity:

```text
CODE REVIEW: <file count> files reviewed
═══════════════════════════════════════

CRITICAL (X issues) — Must fix before commit
[C1] src/pages/api/foo.ts:42 — Hardcoded API key in source
[C2] src/components/Bar.tsx:18 — dangerouslySetInnerHTML with user input

HIGH (X issues) — Should fix
[H1] src/store/slice.ts:100-180 — Function exceeds 80 lines (80 lines)
[H2] src/pages/api/bar.ts:25 — Missing try-catch on async operation

MEDIUM (X issues) — Nice to fix
[M1] src/components/Baz.tsx:55 — Hardcoded "Loading..." string (should use t())
[M2] src/components/Qux.tsx:12 — Image missing alt attribute

═══════════════════════════════════════
VERDICT: [COMMIT OK / FIX REQUIRED]
```
### Step 5: Verdict

- Any CRITICAL → FIX REQUIRED, do not commit
- 3+ HIGH → FIX REQUIRED
- Only MEDIUM → COMMIT OK with suggestions
- Clean → COMMIT OK
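Steps 2 through 5 run end to end, as an added example that is not part of this command: a small script that parses a unified diff, keeps only the added lines with their new-file line numbers, applies a subset of the Step 3 checks as regexes (including the Lovelace and theme checks from the project-specific section), prints the Step 4 layout and derives the Step 5 verdict. The regexes are simplified stand-ins for what the reviewer checks by reading; the sample diff is constructed; and one or two HIGH findings, which the verdict list does not cover, are treated here as "COMMIT OK with suggestions".

```javascript
// Added example, not part of the original command: a minimal reviewer that
// parses a unified diff, keeps ADDED lines with new-file line numbers (Step 2),
// applies a subset of the Step 3 checks as regexes, renders the Step 4 report
// and computes the Step 5 verdict. The patterns are deliberately simple.

const SOURCE_EXT = /\.(ts|tsx|js|jsx)$/;

// Each rule tests one added line. `scope` restricts a rule to matching paths;
// `unless` suppresses a hit when the same line also matches that pattern.
const RULES = [
  { sev: 'CRITICAL', msg: 'Hardcoded secret in source',
    re: /(api[_-]?key|secret|password|token)\s*[:=]\s*['"`][^'"`]{8,}/i },
  { sev: 'CRITICAL', msg: 'dangerouslySetInnerHTML: confirm input is not user-controlled',
    re: /dangerouslySetInnerHTML/ },
  { sev: 'CRITICAL', msg: 'SQL built by string concatenation',
    re: /\b(query|execute)\s*\(\s*(['"][^'"]*['"]\s*\+|`[^`]*\$\{)/ },
  { sev: 'CRITICAL', msg: 'BACKEND_API_KEY referenced outside src/pages/api/ (server secret in client code)',
    re: /process\.env\.BACKEND_API_KEY/, scope: /^(?!src\/pages\/api\/)/ },
  { sev: 'HIGH', msg: 'console.log in production code', re: /console\.log\(/ },
  { sev: 'HIGH', msg: 'Temporary marker (TODO/FIXME/HACK) being committed', re: /\b(TODO|FIXME|HACK)\b/ },
  { sev: 'HIGH', msg: 'any type usage', re: /\bas any\b|:\s*any\b/ },
  { sev: 'MEDIUM', msg: 'Lovelace division in component code (belongs in services/api.ts)',
    re: /\/\s*1_?000_?000\b/, scope: /^src\/components\// },
  { sev: 'MEDIUM', msg: 'Hardcoded color without dark: variant',
    re: /\b(bg-white|text-black|border-gray-\d+)\b/, unless: /\bdark:/ },
];

// Walk a unified diff and return every ADDED line with its path and line
// number in the new file. Removed lines do not advance the new-file counter.
function parseAddedLines(diffText) {
  const added = [];
  let file = null, newLine = 0, inHunk = false;
  for (const raw of diffText.split('\n')) {
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (raw.startsWith('diff --git ')) { inHunk = false; continue; }
    if (hunk) { newLine = Number(hunk[1]); inHunk = true; continue; }
    if (!inHunk) { if (raw.startsWith('+++ ')) file = raw.slice(4).replace(/^b\//, ''); continue; }
    if (raw.startsWith('\\')) continue;                     // "\ No newline at end of file"
    if (raw.startsWith('+')) { added.push({ file, line: newLine, text: raw.slice(1) }); newLine++; }
    else if (!raw.startsWith('-')) newLine++;               // context line
  }
  return added;
}

// Step 5 rules. One or two HIGH findings are not covered by the list above
// and are grouped with MEDIUM here (assumption).
function verdictFor(f) {
  if (f.CRITICAL.length) return 'FIX REQUIRED, do not commit';
  if (f.HIGH.length >= 3) return 'FIX REQUIRED';
  if (f.HIGH.length || f.MEDIUM.length) return 'COMMIT OK with suggestions';
  return 'COMMIT OK';
}

function review(diffText) {
  const findings = { CRITICAL: [], HIGH: [], MEDIUM: [] };
  const files = new Set();
  for (const { file, line, text } of parseAddedLines(diffText)) {
    if (!file || !SOURCE_EXT.test(file)) continue;          // source files only
    files.add(file);
    for (const r of RULES) {
      if (r.scope && !r.scope.test(file)) continue;
      if (r.unless && r.unless.test(text)) continue;
      if (r.re.test(text)) findings[r.sev].push({ file, line, msg: r.msg });
    }
  }
  return { findings, fileCount: files.size, verdict: verdictFor(findings) };
}

// Render the Step 4 layout: findings grouped by severity, then the verdict.
function formatReport({ findings, fileCount, verdict }) {
  const out = [`CODE REVIEW: ${fileCount} files reviewed`];
  for (const sev of ['CRITICAL', 'HIGH', 'MEDIUM']) {
    out.push(`${sev} (${findings[sev].length} issues)`);
    findings[sev].forEach((f, i) => out.push(`[${sev[0]}${i + 1}] ${f.file}:${f.line} - ${f.msg}`));
  }
  out.push(`VERDICT: ${verdict}`);
  return out.join('\n');
}

// Constructed sample diff (fabricated file contents and placeholder values).
const SAMPLE_DIFF = `diff --git a/src/pages/api/foo.ts b/src/pages/api/foo.ts
--- a/src/pages/api/foo.ts
+++ b/src/pages/api/foo.ts
@@ -1,4 +1,6 @@
 import type { NextApiRequest, NextApiResponse } from 'next';
-const key = process.env.BACKEND_API_KEY;
+const apiKey = "sk_live_0123456789abcdef"; // constructed placeholder value
+console.log(apiKey);
 export default async function handler(req: NextApiRequest, res: NextApiResponse) {
+  // TODO: add validation
 }
diff --git a/src/components/Bar.tsx b/src/components/Bar.tsx
--- a/src/components/Bar.tsx
+++ b/src/components/Bar.tsx
@@ -10,3 +10,5 @@
 export function Bar({ html, lovelace }: Props) {
+  const ada = lovelace / 1_000_000;
+  const key = process.env.BACKEND_API_KEY;
-  return <div>{html}</div>;
+  return <div className="bg-white" dangerouslySetInnerHTML={{ __html: html }} />;
 }
`;

console.log(formatReport(review(SAMPLE_DIFF)));
```

Running it on the constructed diff yields three CRITICAL findings (the hardcoded key, `BACKEND_API_KEY` read in a component, and `dangerouslySetInnerHTML`), two HIGH and two MEDIUM, so the verdict is "FIX REQUIRED, do not commit". The parser only advances the new-file line counter on added and context lines, which is what makes the reported `file:line` values point at the post-change file.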
## Project-Specific Checks

### Next.js API Routes (`src/pages/api/`)

- Must use `callApi()` from `utils/apiHelper.ts` for backend proxy (adds X-API-Key server-side)
- Must never expose `BACKEND_API_KEY` to client
- Should validate request method (`if (req.method !== 'GET')`)
- Should have error handling with appropriate status codes
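A route handler written to satisfy the four checks above, beside the leaky shape that the CRITICAL "Exposed server secrets" check flags. This is an added example, not code from the project: the `makeCallApi` helper is modelled on the one-line description of `callApi()` here (it adds the X-API-Key header server-side) rather than on the real `utils/apiHelper.ts`, the `/items/` path and the id format are hypothetical, and the req/res doubles stand in for Next's types so the code runs without Next.

```javascript
// Added example, not project code: a Next.js-style API route shaped the way the
// "Next.js API Routes" checks expect, beside the leaky shape the CRITICAL
// "Exposed server secrets" check flags. Plain functions with small req/res
// doubles so it runs without Next. Assumptions: makeCallApi models the page's
// description of callApi() (adds X-API-Key server-side), the /items/ path and
// the id format are hypothetical, and the backend transport is injected.

// Stand-in for callApi() from utils/apiHelper.ts: the only place the server
// secret is read, and it goes into an upstream header, never into a response.
function makeCallApi(transport) {
  return (path) => transport(path, {
    headers: { 'X-API-Key': process.env.BACKEND_API_KEY ?? '' },
  });
}

// BEFORE: what the review must block. The server-only key is copied into the
// JSON body, so it reaches the browser.
function leakyHandler(req, res) {
  return res.status(200).json({ key: process.env.BACKEND_API_KEY, id: req.query.id });
}

// AFTER: method validation, input validation, proxy via callApi, and error
// handling with appropriate status codes.
const ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/; // hypothetical id format

function makeSafeHandler(callApi) {
  return async function handler(req, res) {
    if (req.method !== 'GET') {
      res.setHeader('Allow', 'GET');
      return res.status(405).json({ error: 'Method not allowed' });
    }
    const id = typeof req.query.id === 'string' ? req.query.id : '';
    if (!ID_PATTERN.test(id)) return res.status(400).json({ error: 'Invalid id' });
    try {
      const upstream = await callApi(`/items/${encodeURIComponent(id)}`);
      return res.status(upstream.status).json(upstream.data);
    } catch (err) {
      // Do not echo err.message: upstream errors may carry internal detail.
      return res.status(502).json({ error: 'Upstream request failed' });
    }
  };
}

// Minimal doubles for NextApiRequest / NextApiResponse.
function makeReq(method, query = {}) { return { method, query }; }
function makeRes() {
  const res = { statusCode: 200, headers: {}, body: undefined };
  res.setHeader = (k, v) => { res.headers[k] = v; };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Fake backend transport that records what it was sent; "/boom" simulates an outage.
function makeFakeTransport(seen) {
  return async (path, opts) => {
    seen.push({ path, headers: opts.headers });
    if (path.endsWith('/boom')) throw new Error('upstream down');
    return { status: 200, data: { path } };
  };
}
```

Wire it as `makeSafeHandler(makeCallApi(makeFakeTransport(seen)))` and call it with `makeReq('GET', { id: 'abc-123' })` and a fresh `makeRes()`: a non-GET request gets 405 with an `Allow` header, an id that fails the pattern gets 400, a transport failure gets 502 with a generic message, and on success the recorded upstream headers contain the key while the response body does not. The same calls against `leakyHandler` show the key in the body, which is the finding the review reports.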
### Lovelace/ADA Conversion

- Raw lovelace values should be transformed in `services/api.ts`, not in components
- Check for division by `1_000_000` in component code (should be in service layer)
### Theme Compatibility

- New UI elements should work across all 3 themes (light/dark/game)
- Check for hardcoded colors that don't use theme variables
- Look for `bg-white`, `text-black`, `border-gray-*` without `dark:` variants
### Redux vs SWR

- New data fetching for governance data should use SWR hooks from `useGovernanceData.ts`
- DRep data should use hooks from `useDRepData.ts`
- Redux is for backward compat, not new development