Ejecuta cualquier Skill en Manus
con un clic

Ejecuta cualquier Skill en Manus con un clic

$pwd:

code-review-and-security-audit

Name: Code Review And Security Audit
Author: hiroshiyui

// Review code for quality, correctness, and security vulnerabilities. Use when the user asks to review code, audit for security issues, or check for bugs and anti-patterns.

Ejecutar en Manus

$ git log --oneline --stat

stars:3

forks:0

updated:19 de abril de 2026, 08:05

SKILL.md

readonly

name	code-review-and-security-audit
description	Review code for quality, correctness, and security vulnerabilities. Use when the user asks to review code, audit for security issues, or check for bugs and anti-patterns.
argument-hint	file path, component name, or scope of review

Code Review and Security Audit

You are performing code review and security auditing for RakuRaku IME (輕鬆輸入法).

Stack Reminders

Kotlin + Jetpack Compose + Material 3 for UI.
Room (with KSP) + FTS4 + a pre-packaged database asset for the dictionary.
Coroutines / suspend with Dispatchers.IO for parsing and DB work.
DataStore Preferences for user settings.
No JNI, no C/C++, no native libraries — if a review surfaces native concerns, it is out of scope for this project.

Review Checklist

Code Quality

Null safety: prefer null-safe operators; avoid !! unless justified.
Coroutines: suspend functions stay on the correct dispatcher (Dispatchers.IO for disk / DB / asset work); UI state updates happen on the main thread or via Compose state (thread-safe).
Room: transactions wrap multi-statement writes; FTS4 queries use the correct MATCH syntax; indexes align with the actual query shapes.
Compose: state is hoisted where it needs to be; remember/rememberSaveable/LaunchedEffect keys are correct; avoid leaking Context into long-lived state.
Resource management: InputStream / Reader / Cursor closed with .use { } or try/finally.
Error handling: appropriate use of try/catch at boundaries (asset I/O, DB init); no silently swallowed exceptions.
No dead code, unused imports, or redundant logic.

Code Smells

Long methods, large composables, deep nesting.
Duplicated logic across key handlers / layout code — candidate for extraction.
Magic numbers or strings where a named constant, enum, or sealed class would read better.
Primitive obsession where a domain type would be clearer (e.g., keystroke, character).
Long parameter lists — group into a data class.
Mutable shared state — prefer immutable data and local state; flag unnecessary var or global mutable collections.

Refactoring Suggestions

Extract method / extract composable when a block has a distinct responsibility.
Replace conditional chains with sealed classes or enums where it aids clarity.
Use Kotlin idioms: scope functions, destructuring, extension functions, buildList / buildString.
Lift repeated Compose logic into reusable composables (e.g., SettingsSwitch).
Reduce coupling: prefer passing narrowly-typed dependencies over full Context or database handles when practical.
Improve testability: flag code that is hard to unit test (hidden singletons, direct asset access) and suggest seams.

Android / IME-Specific Security

Keystroke privacy: this app is an IME and processes all user input. Review for any log statements, crash reports, analytics, or persistence that could leak user keystrokes, dictionary lookups, or clipboard data.
SharedPreferences / DataStore: no sensitive data stored; nothing world-readable.
Intent handling: validate intent extras; do not re-dispatch untrusted intents.
Exported components: check AndroidManifest.xml — activities / services / receivers should not be inadvertently exported; the IME service itself must be exported but only with the proper android.permission.BIND_INPUT_METHOD guard.
ProGuard/R8: if/when enabled, verify rules don't strip security-critical code.
WebView: not currently used; flag any introduction.

Data & Dictionary Integrity

Asset parsing (CinParser): validate line format; avoid crashes on malformed input.
Room migrations: schema changes must ship a migration or an intentional fallbackToDestructiveMigration; destructive fallback drops user frequency data — call that out.
Pre-packaged DB asset: ensure it stays in sync with the .cin asset; the asset-hash sync in CinParser is the guardrail.

General Security

No hardcoded secrets, API keys, or credentials.
No command injection via Runtime.exec() or ProcessBuilder.
No path traversal in file operations.
No insecure RNG for security-sensitive operations.
Dependencies: check for known vulnerabilities in gradle/libs.versions.toml.

Output Format

Report findings using this structure:

Critical / High

Security vulnerabilities, crashes, data loss risks.

Medium

Logic bugs, thread safety concerns, concrete code smells.

Low / Informational

Style, readability, minor optimizations.

For each finding, include:

File and line number (e.g., CinParser.kt:42)
Description of the issue
Impact — what could go wrong
Recommendation — how to fix it, with code if helpful

How to Run

Without arguments, review recently changed files:

git diff --name-only HEAD~5

With a scope (file, directory, or component), focus on that area.

For a full audit, systematically review:

Data layer (app/src/main/java/org/ghostsinthelab/app/rakurakuime/data/)
IME service and input handling
Compose UI layer (ui/, MainActivity)
Configuration (AndroidManifest.xml, app/build.gradle.kts)
Dependencies (gradle/libs.versions.toml)

Task: $ARGUMENTS

related-skills.json

mismo repositorio

take-and-update-screenshots.md

from "hiroshiyui/RakuRakuIME"

Capture the four RakuRaku showcase screenshots on a connected device and refresh the fastlane metadata. Use when the user asks to take, update, or regenerate screenshots.

2026-04-223

release-engineering.md

from "hiroshiyui/RakuRakuIME"

Release engineering tasks for RakuRaku IME — version bumping, building release APKs, tagging, and creating GitHub releases. Use when the user asks to prepare a release, bump version, tag, or build for distribution.

2026-04-223

commit-and-push.md

from "hiroshiyui/RakuRakuIME"

Commit code changes and push via Git. Use when the user asks to commit, push, or save their work to the repository.

2026-04-193

docs-engineering.md

from "hiroshiyui/RakuRakuIME"

Writing/updating project documentation for RakuRaku IME (README, TODOs, LICENSE notices, AI-assistant guide files). Use when the user asks to update docs or rewrite user-facing text.

2026-04-193

package.json

"author": "hiroshiyui"

"repository": "hiroshiyui/RakuRakuIME"

Abrir repositorio de GitHub Ver repositorios del creador

$ install --global

$ download --local

Ejecutar en Manus

$ useful --forSOC

Analistas de garantía de calidad de software y probadoresOcupaciones informáticas y matemáticas15-1253L4

name	code-review-and-security-audit
description	Review code for quality, correctness, and security vulnerabilities. Use when the user asks to review code, audit for security issues, or check for bugs and anti-patterns.
argument-hint	file path, component name, or scope of review

Code Review and Security Audit

You are performing code review and security auditing for RakuRaku IME (輕鬆輸入法).

Stack Reminders

Kotlin + Jetpack Compose + Material 3 for UI.
Room (with KSP) + FTS4 + a pre-packaged database asset for the dictionary.
Coroutines / suspend with Dispatchers.IO for parsing and DB work.
DataStore Preferences for user settings.
No JNI, no C/C++, no native libraries — if a review surfaces native concerns, it is out of scope for this project.

Review Checklist

Code Quality

Null safety: prefer null-safe operators; avoid !! unless justified.
Coroutines: suspend functions stay on the correct dispatcher (Dispatchers.IO for disk / DB / asset work); UI state updates happen on the main thread or via Compose state (thread-safe).
Room: transactions wrap multi-statement writes; FTS4 queries use the correct MATCH syntax; indexes align with the actual query shapes.
Compose: state is hoisted where it needs to be; remember/rememberSaveable/LaunchedEffect keys are correct; avoid leaking Context into long-lived state.
Resource management: InputStream / Reader / Cursor closed with .use { } or try/finally.
Error handling: appropriate use of try/catch at boundaries (asset I/O, DB init); no silently swallowed exceptions.
No dead code, unused imports, or redundant logic.

Code Smells

Long methods, large composables, deep nesting.
Duplicated logic across key handlers / layout code — candidate for extraction.
Magic numbers or strings where a named constant, enum, or sealed class would read better.
Primitive obsession where a domain type would be clearer (e.g., keystroke, character).
Long parameter lists — group into a data class.
Mutable shared state — prefer immutable data and local state; flag unnecessary var or global mutable collections.

Refactoring Suggestions

Extract method / extract composable when a block has a distinct responsibility.
Replace conditional chains with sealed classes or enums where it aids clarity.
Use Kotlin idioms: scope functions, destructuring, extension functions, buildList / buildString.
Lift repeated Compose logic into reusable composables (e.g., SettingsSwitch).
Reduce coupling: prefer passing narrowly-typed dependencies over full Context or database handles when practical.
Improve testability: flag code that is hard to unit test (hidden singletons, direct asset access) and suggest seams.

Android / IME-Specific Security

Keystroke privacy: this app is an IME and processes all user input. Review for any log statements, crash reports, analytics, or persistence that could leak user keystrokes, dictionary lookups, or clipboard data.
SharedPreferences / DataStore: no sensitive data stored; nothing world-readable.
Intent handling: validate intent extras; do not re-dispatch untrusted intents.
Exported components: check AndroidManifest.xml — activities / services / receivers should not be inadvertently exported; the IME service itself must be exported but only with the proper android.permission.BIND_INPUT_METHOD guard.
ProGuard/R8: if/when enabled, verify rules don't strip security-critical code.
WebView: not currently used; flag any introduction.

Data & Dictionary Integrity

Asset parsing (CinParser): validate line format; avoid crashes on malformed input.
Room migrations: schema changes must ship a migration or an intentional fallbackToDestructiveMigration; destructive fallback drops user frequency data — call that out.
Pre-packaged DB asset: ensure it stays in sync with the .cin asset; the asset-hash sync in CinParser is the guardrail.

General Security

No hardcoded secrets, API keys, or credentials.
No command injection via Runtime.exec() or ProcessBuilder.
No path traversal in file operations.
No insecure RNG for security-sensitive operations.
Dependencies: check for known vulnerabilities in gradle/libs.versions.toml.

Output Format

Report findings using this structure:

Critical / High

Security vulnerabilities, crashes, data loss risks.

Medium

Logic bugs, thread safety concerns, concrete code smells.

Low / Informational

Style, readability, minor optimizations.

For each finding, include:

File and line number (e.g., CinParser.kt:42)
Description of the issue
Impact — what could go wrong
Recommendation — how to fix it, with code if helpful

How to Run

Without arguments, review recently changed files:

git diff --name-only HEAD~5

With a scope (file, directory, or component), focus on that area.

For a full audit, systematically review:

Data layer (app/src/main/java/org/ghostsinthelab/app/rakurakuime/data/)
IME service and input handling
Compose UI layer (ui/, MainActivity)
Configuration (AndroidManifest.xml, app/build.gradle.kts)
Dependencies (gradle/libs.versions.toml)

code-review-and-security-audit

Code Review and Security Audit

Stack Reminders

Review Checklist

Code Quality

Code Smells

Refactoring Suggestions

Android / IME-Specific Security

Data & Dictionary Integrity

General Security

Output Format

Critical / High

Medium

Low / Informational

How to Run

Task: $ARGUMENTS

Más de este repositorio

Más de este repositorio

Code Review and Security Audit

Stack Reminders

Review Checklist

Code Quality

Code Smells

Refactoring Suggestions

Android / IME-Specific Security

Data & Dictionary Integrity

General Security

Output Format

Critical / High

Medium

Low / Informational

How to Run

Task: $ARGUMENTS