with one click
code-review
系统化代码审查:安全性、性能、可维护性、正确性、测试覆盖。触发词:代码审查、review 代码、PR 审查。
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Menu
系统化代码审查:安全性、性能、可维护性、正确性、测试覆盖。触发词:代码审查、review 代码、PR 审查。
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Based on SOC occupation classification
| name | code-review |
| model | reasoning |
| category | testing |
| description | 系统化代码审查:安全性、性能、可维护性、正确性、测试覆盖。触发词:代码审查、review 代码、PR 审查。 |
| version | 1 |
Thorough, structured approach to reviewing code. Work through each dimension systematically rather than scanning randomly.
Apply iterative improvement for critical code paths:
┌────────────┐ ┌────────────┐ ┌────────────┐
│ Evaluator │ ──→ │ Optimizer │ ──→ │ Evaluator │
│ (Review) │ │ (Fix) │ │ (Recheck) │
└────────────┘ └────────────┘ └────────────┘
│ │
└───────────────────────────────────────┘
(Loop until pass)
| Metric | Target | Action if Failed |
|---|---|---|
| Security issues | 0 critical | Block merge |
| Test coverage | > 80% new code | Request tests |
| Complexity | < 10 per function | Suggest refactor |
| Documentation | All public APIs | Add doc comments |
For each failed metric:
## Optimization Round N
**Issue**: [description]
**Location**: [file:line]
**Fix Applied**: [what was changed]
**Result**: [pass/still-fail]
Review complete when ALL are true:
[CRITICAL] issues[MAJOR] issues resolved or documentednpx clawhub@latest install code-review
| Dimension | Focus | Priority |
|---|---|---|
| Security | Vulnerabilities, auth, data exposure | Critical |
| Performance | Speed, memory, scalability bottlenecks | High |
| Correctness | Logic errors, edge cases, data integrity | High |
| Maintainability | Readability, structure, future-proofing | Medium |
| Testing | Coverage, quality, reliability of tests | Medium |
| Accessibility | WCAG compliance, keyboard nav, screen readers | Medium |
| Documentation | Comments, API docs, changelog entries | Low |
Review every change for these vulnerabilities:
dangerouslySetInnerHTML or equivalent is justified and safeWork through the code in three passes. Do not try to catch everything in one read.
| Pass | Focus | Time | What to Look For |
|---|---|---|---|
| First | High-level structure | 2-5 min | Architecture fit, file organization, API design, overall approach |
| Second | Line-by-line detail | Bulk | Logic errors, security issues, performance problems, edge cases |
| Third | Edge cases & hardening | 5 min | Failure modes, concurrency, boundary values, missing tests |
Classify every comment by severity so the author knows what blocks merge.
| Level | Label | Meaning | Blocks Merge? |
|---|---|---|---|
| Critical | [CRITICAL] | Security vulnerability, data loss, or crash in production | Yes |
| Major | [MAJOR] | Bug, logic error, or significant performance regression | Yes |
| Minor | [MINOR] | Improvement that would reduce future maintenance cost | No |
| Nitpick | [NIT] | Style preference, naming suggestion, or trivial cleanup | No |
Always prefix your review comment with the severity label. This removes ambiguity about what matters.
Bad:
This is wrong. Fix it.
Good:
[MAJOR]This query interpolates user input directly into the SQL string (line 42), which is vulnerable to SQL injection. Consider using a parameterized query:SELECT * FROM users WHERE id = $1
Bad:
Why didn't you add tests?
Good:
[MINOR]The newcalculateDiscount()function has a few branching paths — could we add tests for the zero-quantity and negative-price edge cases to prevent regressions?
Bad:
I would have done this differently.
Good:
[NIT]This works well. An alternative approach could be extracting the retry logic into a sharedwithRetry()wrapper — but that's optional and could be a follow-up.
Avoid these common traps that waste time and damage team trust:
| Anti-Pattern | Description |
|---|---|
| Rubber-Stamping | Approving without reading. Creates false confidence and lets bugs through. |
| Bikeshedding | Spending 30 minutes debating a variable name while ignoring a race condition. |
| Blocking on Style | Refusing to approve over formatting that a linter should enforce automatically. |
| Gatekeeping | Requiring your personal preferred approach when the submitted one is correct. |
| Drive-by Reviews | Leaving one vague comment and disappearing. Commit to following through. |
| Scope Creep Reviews | Requesting unrelated refactors that should be separate PRs. |
| Stale Reviews | Letting PRs sit for days. Review within 24 hours or hand off to someone else. |
| Emotional Language | "This is terrible" or "obviously wrong." Critique the code, not the person. |
PRD 驱动的完整开发工作流 - 从用户故事分析到自动化测试的端到端流程。 当用户需要"一条龙开发"、"全自动开发"、"从需求到代码"、"先分析PRD再开发"、 "多模型分析后自动开发"、"完整开发流程"、"从需求分析到测试"或任何涉及 PRD分析→需求整合→代码生成→自动化测试的连续工作时,**必须**使用此技能。 整合多模型聚合、Kimi深度整合、PRD生成、多模型代码审查、代码开发、自动化测试等能力。 **新增**: 智能决策大脑(th-workflow-decision-engine) - 自动判断何时使用GitNexus代码分析、 unified-search联网搜索、多模型聚合,测试失败时智能选择修复策略。
PRD驱动工作流的决策大脑 - 智能判断何时使用搜索、代码分析、多模型聚合。 作为子Skill被 th-prd-driven-dev-workflow 调用,负责工具选择和策略决策。
动态 Agent 生成器(母体模式)。当用户需要处理复杂项目时,自动分析需求并生成定制化专业 Agent 团队。接收项目描述、技术栈、版本号、约束条件,输出完整的 Agent 配置和启动命令。触发词:需要专业团队、生成 Agent、创建定制化 Agent、复杂项目团队、动态生成 Agent。
Arch Linux 系统特性(PEP 668、AUR Helpers)
浏览器交互自动化:网页测试、表单填写、截图、数据提取。触发词:打开网页、填写表单、网页截图。
需求演进与决策追踪器 - 当用户提出零散需求、抱怨某个功能、或讨论产品方向时,**必须**使用此技能。通过逐级剖析推导出落地方案,并在每个关键节点**强制暂停**等待用户确认。适用于:记录决策、需求演进、功能推演、架构选型、重构方案确定。触发词:记录决策、需求演进、功能演进、决策追踪、需求推演、演进记录、这个需求怎么演化、帮我推演这个需求。