| name | code-review |
| description | Use this skill when performing code reviews, security audits, architecture reviews, vulnerability analysis, or evaluating code quality. Trigger on keywords: code review, review, audit, security, vulnerability, OWASP, SQL injection, XSS, architecture review, refactor suggestion, quality check, static analysis. |
Code Review
Review Philosophy
Review the code, not the person. The goal is to ship better software, not to win arguments. Every comment should make the codebase better or help the author learn — preferably both.
Feedback Categories
Always tag review comments to set expectations:
| Tag | Meaning | Must Fix? |
|---|
BLOCKER | Breaks functionality, security risk, violates standards | Yes |
WARNING | Technical debt, potential issue, should be addressed | Recommended |
SUGGESTION | Optional improvement, alternative approach | No |
QUESTION | Asking for clarification or understanding | No |
NITPICK | Minor style or preference | Author decides |
PRAISE | Acknowledge good work | N/A |
Code Quality Checklist
Correctness
Readability
Architecture
Performance
Tests
Security Review (OWASP Top 10)
Apply a security persona when reviewing code that touches auth, data access, or user input.
Input Validation
Authentication & Authorization
Sensitive Data
Dependencies
Architecture Review
When reviewing architectural decisions:
Questions to Ask
- Scalability — Will this work at 10x current load?
- Maintainability — Will a new developer understand this in 6 months?
- Testability — Can this be unit tested without complex setup?
- Reversibility — How hard is it to undo this decision?
- Consistency — Does this align with how the rest of the system works?
Red Flags
- God classes / functions (doing too many things)
- Deep inheritance hierarchies
- Hardcoded configuration values
- Direct cross-module database access
- Synchronous calls to external services without timeout/retry
- Missing abstractions that make testing impossible
Review Comment Examples
Good Comment (Specific + Constructive)
BLOCKER: This SQL query is vulnerable to injection. User input is concatenated
directly into the query string. Use parameterized queries instead:
// Instead of:
db.query(`SELECT * FROM users WHERE id = ${userId}`)
// Use:
db.query('SELECT * FROM users WHERE id = $1', [userId])
Bad Comment (Vague + Unhelpful)
This doesn't look right.
Self-Review Checklist (Before Submitting a PR)
Run through this before requesting review: