Production code quality standards and review checklist. Use when writing or reviewing code.
Installation
Mit Codex oder Claude installieren Kopieren Sie diesen Prompt, fügen Sie ihn in Codex, Claude oder einen anderen Assistant ein und lassen Sie die Skill-Seite prüfen und installieren.
Production code quality standards and review checklist. Use when writing or reviewing code.
user-invocable
false
Code Quality Standards
Security (OWASP Awareness)
Injection: Never string-format SQL queries. Use parameterized queries:
# BAD
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
# GOOD
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
XSS: Sanitize all user input before rendering in HTML. Use templating engines with auto-escaping enabled.
Secrets: Never hardcode secrets, API keys, or passwords. Use environment variables or secret managers. Never commit .env files.
Subprocess: Never use shell=True. Pass args as a list:
# BAD
subprocess.run(f"convert {user_file}", shell=True)
# GOOD
subprocess.run(["convert", user_file])
Deserialization: Never pickle.load() or yaml.load() untrusted data. Use yaml.safe_load().
Error Handling
Validate at system boundaries: user input, external API responses, file I/O, environment variables.
Trust internals: don't re-validate data that your own code already validated and passed in.
Fail fast: raise exceptions early rather than propagating invalid state.
Catch specific exceptions: never bare except: or except Exception: without re-raising.
Complexity Management
No over-engineering: solve the current requirement, not hypothetical future ones.
DRY threshold: tolerate 2 repetitions. Abstract on the 3rd. Three similar lines are better than a premature abstraction that couples unrelated concerns.
YAGNI: don't add features, refactoring, or comments beyond what was asked.
Avoid backwards-compatibility shims: if code paths are unused, delete them. Dead code is a maintenance burden.