원클릭으로
expert-review
Expert-level multi-language code review, simplification, debugging, and security audit
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Expert-level multi-language code review, simplification, debugging, and security audit
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Render a single "where am I, what have I done, what's next" survey HTML page composing anchor cascade + tesseract shelf + git state + CHECKPOINT.md + TaskList. Read-only by design.
Subagent-driven development as the explicit combination of /subagent-driven-development (sequential, review-gated execution) and /dispatching-parallel-agents (independent fan-out). Opens with one combined pre-dispatch question to set the execution mode and the edit-approval mode, then dispatches accordingly.
Use when a discrete task boundary is crossed in multi-step work — step completion, subagent dispatch return, Skill-tool invocation return, /proceed gate passed, test-run completion, or file-write to a durable artifact (spec, plan, SKILL.md). Do not substitute an in-place TaskList update for this skill.
Use when resuming paused work, starting a session where a CHECKPOINT.md exists, or when the user says "continue from checkpoint", "resume", or "pick up where we left off"
Use when pausing work that will be resumed later, when switching contexts, or when the user asks to save a checkpoint. Creates a CHECKPOINT.md that captures full resumption context.
retry last operation attempted before the user interrupted the process, or otherwise continue last attempted tool use
| name | expert-review |
| description | Expert-level multi-language code review, simplification, debugging, and security audit |
| allowed-tools | Bash(git diff:*), Bash(git status:*), Bash(git log:*), Bash(git show:*), Bash(git blame:*), Bash(git remote show:*), Bash(gh pr:*), Bash(gh issue:*), Read, Glob, Grep, LS, Task, Edit, Write |
| argument-hint | [scope] [target|directive] |
| user-invocable | true |
Review Scope (optional): "$ARGUMENTS"
Parse arguments to identify requested review aspects and target:
help — Display all available scopes and usage, then stopsecurity — Security-focused vulnerability assessmentsimplify — Code simplification for clarity and maintainabilityreview — General code review for bugs, patterns, CLAUDE.md compliancedebug — Systematic debugging of a specific issuetypes — Type design analysis (encapsulation, invariants, enforcement)errors — Silent failure hunting and error handling auditarchitect — Architecture analysis and implementation blueprintcustom — User-defined review focus; remaining arguments specify the
criteria (e.g. custom "check for N+1 queries in src/repositories/")all — Run all applicable reviews (default)If scope is help, print this list and exit without running any review
phases.
Gather context:
git status
git diff --name-only origin/HEAD... 2>/dev/null || git diff --name-only HEAD~1
git log --oneline -10
Identify the language(s) in scope and apply language-specific expertise:
If cloud infrastructure code is detected (Terraform, CloudFormation, CDK, Bicep, ARM templates, Pulumi, serverless configs), apply cloud-specific expertise:
Read any CLAUDE.md files in the project root and affected directories for project-specific conventions.
Launch parallel sub-agents for independent review perspectives:
Audit changes against all applicable CLAUDE.md rules. Verify imports, naming, framework conventions, error handling, logging, testing practices, and platform compatibility.
Read file changes and scan for obvious bugs. Focus on:
Read git blame and history of modified code. Identify bugs in light of historical context, reverted patterns, and known fragile areas.
Read previous PRs that touched these files. Check for recurring review comments that apply to the current changes.
Read inline comments in modified files. Verify changes comply with guidance in comments (TODOs, invariant notes, safety comments).
Confidence Scoring (apply to every finding):
Filter threshold: >= 80 confidence only.
Self-Verification for High-Confidence Code Claims:
Before presenting any finding ≥ 90 confidence that names a specific code location (file:line or function name), the main agent MUST re-trace the claim against the source before showing it to the user:
Read tool.If the claim does not survive re-trace, downgrade or drop it. Do NOT pass high-confidence sub-agent findings through to the user verbatim. This rule applies equally to parallel-reviewer aggregation and to single-phase output.
Rationalization counter (re: the self-verify step):
| Excuse | Reality |
|---|---|
| "Three reviews came back — let me synthesize and report" | Synthesis ≠ verification. Each ≥ 90 claim is a sub-agent hypothesis, not a fact. Re-trace before presenting. |
| "The reviewer was confident (95/100)" | Confidence is the sub-agent's self-assessment, not ground truth. Re-verify the specific trace. |
| "The user authorized /proceed, there's no time" | /proceed authorizes passing the gate, not skipping verification. Critical claims get re-traced regardless. |
| "Retracting later is fine" | A retracted phantom critical costs more context and trust than verifying up front. |
False Positive Exclusions:
Only flag issues with >80% confidence of actual exploitability. Better to miss theoretical issues than flood with false positives.
Input Validation:
Authentication & Authorization:
Crypto & Secrets:
Injection & Code Execution:
Data Exposure:
0.0.0.0/0, Cloud
Functions with unauthenticated invocation on sensitive endpoints, missing VPC
Service Controls for sensitive projects, default service account usage with
editor role* actions/resources), public S3
buckets, unencrypted storage (EBS, RDS, S3), security groups open to
0.0.0.0/0 on sensitive ports, missing CloudTrail/logging, hardcoded
credentials in CloudFormation/CDK, Lambda environment variables with secrets
(use Secrets Manager/SSM), cross-account access without external ID, missing
VPC endpoints for AWS servicesAny on
sensitive ports, missing diagnostic settings, managed identity not used where
available, missing private endpoints for PaaS services, Azure AD app
registrations with excessive API permissionsAnalyze recently modified code and apply refinements that:
pathlib
over os.path, use match statements ( 3.10+)final over var, leverage
collection-if/collection-forfor_each over count for named resources,
consolidate repeated IAM bindings into google_project_iam_policy or member
blocks, prefer workload identity over service account keys, use modules for
repeated patterns!Sub over !Join/Fn::Join for string
interpolation, consolidate duplicate IAM statements, prefer CDK L2/L3
constructs over L1 (Cfn*) when availableexisting
keyword instead of reference(), prefer user-assigned managed identity over
system-assigned when shared across resourcesSystematically locate and scrutinize:
Logging Quality:
User Feedback:
Catch Block Specificity:
Fallback Behavior:
Error Propagation:
For every new or modified type definition:
prevent_destroy lifecycle on stateful resources,
overly broad OAuth scopes, missing labels for cost attribution, default
network usageRemovalPolicy.RETAIN on stateful resources, Lambda permissions broader than
needed, missing resource-based policieslock on critical resources, overly permissive CORS
settings, missing minTlsVersion, storage accounts without lifecycle
management policiesWhen architect scope is requested:
When custom scope is requested:
$ARGUMENTS; fall back to the diff if no target is specified.[Category] field set to a short label derived from the custom
directive (e.g. N+1, ThreadSafety, BlockingIO).How to tell the difference: a review-shaped directive asks "what's wrong with X?" or "where does X fail?" — the output is a list of issues with severity. A non-review directive asks "draft / write / summarize / describe X" — the output is the artifact itself, not a critique.
Use this scope when the built-in phases do not cover the specific concern the user wants investigated or the deliverable the user wants produced.
Rationalization counter:
| Excuse | Reality |
|---|---|
| "Phase 7 says 'Report findings using the Code Review output format'" | That clause assumed every custom directive is review-shaped. It isn't. For drafting/summarizing directives, the format-appropriate output IS the finding. |
| "I should at least include the Findings Summary table" | If there are no findings, the table is empty. Don't pad. Deliver the artifact the user asked for. |
| "Staying rigid to the prescribed format is safer" | It's not — it produces confusing output that doesn't answer the directive. The skill's purpose is to serve the directive, not the format. |
# Expert Review: [scope]
## Critical Issues (must fix)
1. **[Category]** `file:line` — Description
- Confidence: X/100
- Impact: [description]
- Fix: [concrete recommendation]
## Important Issues (should fix)
1. **[Category]** `file:line` — Description
- Confidence: X/100
- Fix: [concrete recommendation]
## Simplification Opportunities
1. `file:line` — [what can be simplified and how]
## Strengths
- [What is well-done in this code]
## Summary
- X critical, Y important, Z simplification opportunities
- Recommended action: [prioritized next steps]
# Vuln N: [Category]: `file:line`
- Severity: High|Medium
- Confidence: X/10
- Description: [what is wrong]
- Exploit Scenario: [concrete attack path]
- Recommendation: [specific fix with code example]
## Type: [TypeName]
### Invariants Identified
- [list]
### Ratings
- Encapsulation: X/10
- Invariant Expression: X/10
- Invariant Usefulness: X/10
- Invariant Enforcement: X/10
### Concerns and Recommendations
- [actionable suggestions]
Launch phases 1-5 as parallel sub-agents where possible; Phase 7 may itself dispatch parallel sub-agents when the custom directive decomposes into independent checks. Each sub-agent should include the full context of its phase instructions above.
Final reminder: Focus on HIGH and MEDIUM findings only. Every finding should be something a senior engineer would confidently raise. Cite specific file:line references. Provide concrete fixes, not vague suggestions.
As the very last section of your output, produce a consolidated table of all findings:
## Findings Summary
| # | Phase | Severity | Category | File:Line | Description | Confidence |
| --- | -------- | -------- | -------------- | --------------- | ------------------------------- | ---------- |
| 1 | Review | Critical | Bug | `src/foo.py:42` | Off-by-one in loop bound | 92/100 |
| 2 | Security | High | Injection | `src/api.py:15` | Unsanitized SQL parameter | 9/10 |
| 3 | Errors | High | Silent failure | `src/svc.py:88` | Broad except swallows TypeError | 85/100 |
| … | … | … | … | … | … | … |
**Totals:** X critical · Y high · Z medium · W simplification opportunities
**Recommended action:** [1-2 sentence prioritized next step]
Include every reported finding in the table — this serves as a quick-reference index for the full review above.
When you need deeper context on a finding or recommendation, use WebFetch to
retrieve the relevant reference below. These are canonical, LLM-optimized
sources — prefer them over general web search.
AWS:
GCP:
| Topic | URL |
|---|---|
| IAM Best Practices | https://cloud.google.com/iam/docs/using-iam-securely |
| Security Foundations | https://cloud.google.com/architecture/security-foundations |
| VPC Service Controls | https://cloud.google.com/vpc-service-controls/docs/overview |
| Cloud Storage Security | https://cloud.google.com/storage/docs/best-practices#security |
| Workload Identity | https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity |
| Terraform GCP | https://cloud.google.com/docs/terraform/best-practices-for-terraform |
| Security Command Center | https://cloud.google.com/security-command-center/docs/concepts-vulnerabilities-findings |
Azure:
| Topic | URL |
|---|---|
| Terraform Best Practices | https://developer.hashicorp.com/terraform/cloud-docs/recommended-practices |
| Terraform Style Guide | https://developer.hashicorp.com/terraform/language/style |
| CDK Patterns | https://cdkpatterns.com/ |
| Checkov (IaC Scanner) | https://www.checkov.io/1.Welcome/What%20is%20Checkov.html |
| tfsec Rules | https://aquasecurity.github.io/tfsec/latest/ |
| Topic | URL |
|---|---|
| Error Handling (OWASP) | https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html |
| Logging (OWASP) | https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html |
| Algebraic Data Types | https://doc.rust-lang.org/book/ch06-00-enums.html |
| Domain Modeling (F# for Fun) | https://fsharpforfunandprofit.com/ddd/ |
| Parse Don't Validate | https://lexi-lambda.github.io/blog/posts/2019-11-05-parse-don-t-validate.html |