원클릭으로 Manus에서 모든 스킬 실행

code-review

Use when reviewing branch or PR changes against a base branch for correctness, security, concurrency, architecture, maintainability, testing, and performance risks.

Manus에서 실행

스타0

포크0

업데이트2026년 6월 2일 14:06

출처

tkxkd0159

tkxkd0159/agent-plugins

GitHub 저장소 열기 Creator 저장소 보기

설치 명령

다운로드

Manus에서 실행

유용한 대상SOC

소프트웨어 품질 보증 분석가·테스터컴퓨터 및 수학직15-1253L4

SKILL.md

readonly

name	code-review
description	Use when reviewing branch or PR changes against a base branch for correctness, security, concurrency, architecture, maintainability, testing, and performance risks.
argument-hint	[--base BRANCH] [--comment [LANGUAGE]]
disable-model-invocation	true

Code Review

Review the current branch or PR against a base branch with adversarial, evidence-based scrutiny. Prefer concrete regressions over style feedback.

Default to a single pass. One reviewer reads the whole diff against the checklist in step 3; a single context keeps cross-cutting bugs (e.g. a change that is both a concurrency and a security issue) visible and findings high-signal. Reserve isolated subagents for one case: a diff too large to review in one focused pass. Partition the substantive files into a few cohesive groups (by module/directory), review each group against the full checklist — sequentially, or as a handful of parallel subagents — then merge and dedup. Never fan out by lens, and never one subagent per file — both fragment cross-cutting bugs and inflate false positives.

Inputs

Default base: origin/main. --base BRANCH compares against BRANCH.
--comment [LANGUAGE]: after the report, gate posting through Posting (below) — the user approves a subset in chat and only that subset is posted via add-pr-comments. LANGUAGE sets comment language (default English). Without --comment, the report (step 6) is the final artifact and nothing is posted.

Workflow

Pin the comparison. Set BASE_BRANCH from --base or origin/main, then:
```
HEAD_SHA=$(git rev-parse HEAD)
MERGE_BASE=$(git merge-base "$BASE_BRANCH" "$HEAD_SHA")
```
Review "$MERGE_BASE".."$HEAD_SHA" for the entire pass.
Inventory the diff: changed files, shortstat, added/deleted files, diff body. Ignore generated files, vendored code, lockfiles, snapshots, and docs-only changes unless they affect runtime, build, or security.

Read the whole diff against this checklist — or, if it is too large for one focused pass, partition it as described in the intro. correctness always applies; the rest are cues — weight attention to what the diff actually touches. Gather evidence first (cited ranges, prior vs current behavior, touched callers, reachable inputs), then draft a finding only from evidence: title, severity, confidence, file:line, failure mode, fix.

Lens	Look for
`correctness`	logic, null handling, contracts, stale callers, data corruption, migrations, cache staleness, unreachable code
`security`	auth/authz, injection, unsafe deserialization, SSRF, path traversal, tenant or PII leaks
`concurrency`	non-atomic updates, lock ordering, cancellation hazards, retry interactions, double-submit/double-process
`architecture`	boundary breaks, dependency direction, wrong-layer abstractions, cross-module coupling
`maintainability`	brittle abstractions, unclear invariants, accidental complexity, obvious simplification not taken
`testing`	coverage gaps for changed behavior, weak assertions, flakiness, fixture pollution
`performance`	query shape, N+1s, hot-path allocations, nested loops over user data, missing or wrong caching

Apply the bar. Self-critique each candidate from the PR author's perspective and keep only what the author would clearly fix. Returning zero findings is correct — if nothing clears the bar, say so; never pad the report. Move plausible-but-unverified concerns to residual risks.
Validate every surviving finding against the current code and diff; drop anything the cited range does not support. Dedup overlapping findings, keeping the strongest severity/confidence.
Report in this order:
- Review range: <merge-base>..<HEAD> resolved to short SHAs
- Verdict: exactly one of ready to approve, ready after fixes, or not ready — one line, naming the blockers if any
- Findings: title, SEV/CONF, file:line, failure mode, fix
- Cross-cutting risks, if any
- Residual risks: plausible-but-unverified concerns, if any
If --comment is set, gate posting through Posting below — the only path that writes to GitHub, and only after explicit user approval.

Posting (`--comment`)

Posting is the only irreversible step — never invoke add-pr-comments or any gh write until the user approves the final set.

List the surviving findings with stable IDs (F1, F2, …). Ask the user to reply keep / drop / dive per finding — e.g. "drop F2, dive F4: check the lock at L138, keep the rest."
For each dive, re-investigate the finding inline against the cited code (with surrounding context), its lens, and the user's hint. Report the refined finding — or that it cannot be substantiated — then re-confirm keep/drop on it.
Show the final to-be-posted set and wait for an explicit go-ahead.
Re-check git rev-parse HEAD; if it moved since the review, warn that line anchors may have shifted and confirm before continuing. Hand the kept set + LANGUAGE (default English) to add-pr-comments.
If nothing is kept, post nothing and say so.

Follow-ups

After the report, answer user follow-ups conversationally:

Clarification ("why is F2 high severity?"): answer from the cited evidence; if the question is outside the diff, say so.
Deep dive ("F4 looks shallow — did you check the lock at line 138?"): re-investigate the finding inline against the cited code (with surrounding context), its lens, and the user's hint; report the refined finding.
More lenses ("focus on security too"): re-read the same merge-base/HEAD diff with that lens weighted and report.

Severity

critical: exploitable security issue, auth bypass, data loss, corruption, severe outage
high: likely production failure or serious regression
medium: real bug under a plausible edge case
low: non-trivial issue worth fixing, not a blocker

A blocker is a finding that makes the change unsafe to merge as-is — critical or high by default, a medium only when its edge case is plausible in practice; low is never a blocker.

Confidence

high: directly supported by cited code
medium: strong evidence with one assumption
low: plausible but speculative — prefer residual risk over a low-confidence finding

Avoid

Pre-existing issues this change neither introduces nor worsens
Style nits, formatting, subjective preferences, or linter-level issues
"Check / verify / ensure / confirm X" hedges, or any comment that does not name a concrete failure mode
Missing tests without a concrete regression risk
Claims that cannot be verified from the diff and current code

이 저장소의 다른 Skills

같은 저장소

add-pr-comments

tkxkd0159/agent-plugins

Use when posting validated code review findings as GitHub PR line-level comments or a GitHub PR review after completing a review.

2026-06-020

karl-popper

tkxkd0159/agent-plugins

Applies Karl Popper’s critical rationalism to software engineering, programming, and product building by treating requirements, designs, implementations, and product ideas as falsifiable hypotheses. Emphasizes conjectures and refutations, explicit assumptions, fast error discovery, small risky experiments, observable failure signals, reversible designs, and iterative elimination of mistakes.

2026-05-270

grill-me

tkxkd0159/agent-plugins

Interview the user relentlessly about a plan or design until reaching shared understanding, resolving each branch of the decision tree. Use when user wants to stress-test a plan, get grilled on their design.

2026-05-130

coding-guidelines

tkxkd0159/agent-plugins

Baseline coding behavior. Use before writing, reviewing, debugging, or refactoring code. Establishes ground rules for assumptions, simplicity, surgical edits, and verification.

2026-05-120

sync-plugin-manifests

tkxkd0159/agent-plugins

Generate or check Codex CLI .codex-plugin/plugin.json and Gemini CLI gemini-extension.json manifests from a Claude Code .claude-plugin/plugin.json source manifest. Use when maintaining one plugin across Claude Code, Codex CLI, and Gemini CLI, syncing plugin metadata, preserving platform-specific manifest fields, or validating cross-platform plugin manifests before release.

2026-05-110

improve-article

tkxkd0159/agent-plugins

Use when improving an article or long-form draft for structure, clarity, coherence, flow, readability, or prose quality while preserving meaning, accuracy, intent, and voice.

2026-05-110

name	code-review
description	Use when reviewing branch or PR changes against a base branch for correctness, security, concurrency, architecture, maintainability, testing, and performance risks.
argument-hint	[--base BRANCH] [--comment [LANGUAGE]]
disable-model-invocation	true

Code Review

Review the current branch or PR against a base branch with adversarial, evidence-based scrutiny. Prefer concrete regressions over style feedback.

Inputs

Default base: origin/main. --base BRANCH compares against BRANCH.
--comment [LANGUAGE]: after the report, gate posting through Posting (below) — the user approves a subset in chat and only that subset is posted via add-pr-comments. LANGUAGE sets comment language (default English). Without --comment, the report (step 6) is the final artifact and nothing is posted.

Workflow

Pin the comparison. Set BASE_BRANCH from --base or origin/main, then:
```
HEAD_SHA=$(git rev-parse HEAD)
MERGE_BASE=$(git merge-base "$BASE_BRANCH" "$HEAD_SHA")
```
Review "$MERGE_BASE".."$HEAD_SHA" for the entire pass.
Inventory the diff: changed files, shortstat, added/deleted files, diff body. Ignore generated files, vendored code, lockfiles, snapshots, and docs-only changes unless they affect runtime, build, or security.

Lens	Look for
`correctness`	logic, null handling, contracts, stale callers, data corruption, migrations, cache staleness, unreachable code
`security`	auth/authz, injection, unsafe deserialization, SSRF, path traversal, tenant or PII leaks
`concurrency`	non-atomic updates, lock ordering, cancellation hazards, retry interactions, double-submit/double-process
`architecture`	boundary breaks, dependency direction, wrong-layer abstractions, cross-module coupling
`maintainability`	brittle abstractions, unclear invariants, accidental complexity, obvious simplification not taken
`testing`	coverage gaps for changed behavior, weak assertions, flakiness, fixture pollution
`performance`	query shape, N+1s, hot-path allocations, nested loops over user data, missing or wrong caching

Apply the bar. Self-critique each candidate from the PR author's perspective and keep only what the author would clearly fix. Returning zero findings is correct — if nothing clears the bar, say so; never pad the report. Move plausible-but-unverified concerns to residual risks.
Validate every surviving finding against the current code and diff; drop anything the cited range does not support. Dedup overlapping findings, keeping the strongest severity/confidence.
Report in this order:
- Review range: <merge-base>..<HEAD> resolved to short SHAs
- Verdict: exactly one of ready to approve, ready after fixes, or not ready — one line, naming the blockers if any
- Findings: title, SEV/CONF, file:line, failure mode, fix
- Cross-cutting risks, if any
- Residual risks: plausible-but-unverified concerns, if any
If --comment is set, gate posting through Posting below — the only path that writes to GitHub, and only after explicit user approval.

Posting (`--comment`)

Posting is the only irreversible step — never invoke add-pr-comments or any gh write until the user approves the final set.

List the surviving findings with stable IDs (F1, F2, …). Ask the user to reply keep / drop / dive per finding — e.g. "drop F2, dive F4: check the lock at L138, keep the rest."
For each dive, re-investigate the finding inline against the cited code (with surrounding context), its lens, and the user's hint. Report the refined finding — or that it cannot be substantiated — then re-confirm keep/drop on it.
Show the final to-be-posted set and wait for an explicit go-ahead.
Re-check git rev-parse HEAD; if it moved since the review, warn that line anchors may have shifted and confirm before continuing. Hand the kept set + LANGUAGE (default English) to add-pr-comments.
If nothing is kept, post nothing and say so.

Follow-ups

After the report, answer user follow-ups conversationally:

Clarification ("why is F2 high severity?"): answer from the cited evidence; if the question is outside the diff, say so.
Deep dive ("F4 looks shallow — did you check the lock at line 138?"): re-investigate the finding inline against the cited code (with surrounding context), its lens, and the user's hint; report the refined finding.
More lenses ("focus on security too"): re-read the same merge-base/HEAD diff with that lens weighted and report.

Severity

critical: exploitable security issue, auth bypass, data loss, corruption, severe outage
high: likely production failure or serious regression
medium: real bug under a plausible edge case
low: non-trivial issue worth fixing, not a blocker

A blocker is a finding that makes the change unsafe to merge as-is — critical or high by default, a medium only when its edge case is plausible in practice; low is never a blocker.

Confidence

high: directly supported by cited code
medium: strong evidence with one assumption
low: plausible but speculative — prefer residual risk over a low-confidence finding

Avoid

Pre-existing issues this change neither introduces nor worsens
Style nits, formatting, subjective preferences, or linter-level issues
"Check / verify / ensure / confirm X" hedges, or any comment that does not name a concrete failure mode
Missing tests without a concrete regression risk
Claims that cannot be verified from the diff and current code

code-review

Code Review

Inputs

Workflow

Posting (--comment)

Follow-ups

Severity

Confidence

Avoid

이 저장소의 다른 Skills

이 저장소의 다른 Skills

Code Review

Inputs

Workflow

Posting (--comment)

Follow-ups

Severity

Confidence

Avoid

Posting (`--comment`)

Posting (`--comment`)