一键导入
code-review
Use when asked to review a PR, MR, branch, or diff, audit changed files, or check code quality.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Use when asked to review a PR, MR, branch, or diff, audit changed files, or check code quality.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Use when working on accessibility, a11y, WCAG, ARIA, screen readers, keyboard nav, focus order, contrast, alt text, captions, reduced motion, or target sizes; not language/culture/device (see inclusive-design).
Use when creating a feature, designing folder structure, adding repositories/services/view models, wiring dependency injection, or deciding which layer owns logic.
Use when creating a Cubit or Bloc, modeling state with sealed classes or status enums, wiring BlocBuilder/BlocListener/BlocProvider, writing bloc tests, or choosing between Cubit and Bloc.
Use when writing switch statements, refactoring if-else chains, creating data classes, choosing records vs classes, destructuring values, or modernizing pre-Dart-3 code.
Use when writing Dart code, reviewing for style, refactoring naming, adding doc comments, structuring imports, or enforcing type annotations.
Use when setting up firebase_ai, generating text/chat with Gemini, streaming AI output, building multimodal prompts, or handling AI errors.
| name | code-review |
| description | Use when asked to review a PR, MR, branch, or diff, audit changed files, or check code quality. |
| hooks | {"PreToolUse":[{"matcher":"Bash","hooks":[{"type":"command","command":"./scripts/protect-token.sh"}]}]} |
Perform structured, objective code reviews for Flutter/Dart projects following a repeatable checklist.
Use this skill when:
main, master, develop).Checkpoint: If the branch is behind the target, flag it before proceeding.
Iterate through each changed file. For every file, verify the following:
| Area | What to verify |
|---|---|
| Understand the change | Why was it made? Review connected methods/files; note which ones you analyzed and why |
| Location | File is in the correct directory |
| Naming | File name follows project naming conventions |
| Responsibility | The file's responsibility is clear; reason for change is understandable |
| Readability | Variable, function, and class names are descriptive and consistent |
| Logic & correctness | No logic errors or missing edge cases |
| Code smells | Scan for the smells in Code Smells Reference below |
| Maintainability | Code is modular; no unnecessary duplication |
| Error handling | Errors and exceptions are handled appropriately |
| Security | No input validation gaps; no secrets committed to code |
| Performance | No obvious inefficiencies (e.g., unnecessary rebuilds, O(n^2) loops on large lists) |
| SOLID principles | Adherence assessed without forcing unnecessary boilerplate or over-abstraction |
| Flutter/Dart/Riverpod patterns | Match against the project's loaded guidelines and conventions |
| Documentation | Public APIs, complex logic, and new modules are documented |
| Test coverage | New or changed logic has sufficient tests (see Step 4) |
| Style | Code matches the project's style guide and linting rules |
| Existing code | If the new changes look fine, also review surrounding existing (unchanged) code for smells and suggest refactors where relevant |
For generated files (e.g., *.g.dart, *.freezed.dart): confirm they are up-to-date and not manually modified.
Scope discipline: Your job is not to comment on every change — it's to find errors and concrete improvement areas and comment on those. Don't manufacture comments where the code is fine.
// BAD — rebuilds entire tree on every state change
BlocBuilder<MyCubit, MyState>(
builder: (context, state) => EntireScreen(state: state),
);
// GOOD — scope rebuilds to the widget that actually changes
BlocSelector<MyCubit, MyState, String>(
selector: (state) => state.title,
builder: (context, title) => Text(title),
);
Key usage on dynamically generated widgets.dispose() is called for controllers, streams, and animation controllers.const constructors are used where possible.For each file, check for common code smells. Use refactoring.guru/refactoring/smells for definitions and suggested refactorings.
| Category | Smells |
|---|---|
| Bloaters | Long Method, Large Class, Primitive Obsession, Long Parameter List, Data Clumps |
| Object-Orientation Abusers | Alternative Classes with Different Interfaces, Refused Bequest, Temporary Field, Switch Statements |
| Change Preventers | Divergent Change, Parallel Inheritance Hierarchies, Shotgun Surgery |
| Dispensables | Comments (redundant), Duplicate Code, Data Class, Dead Code, Lazy Class, Speculative Generality |
| Couplers | Feature Envy, Inappropriate Intimacy, Incomplete Library Class, Message Chains, Middle Man |
Verify test coverage explicitly — this is easy to skip and easy to fake, so be deliberate:
Checkpoint: If CI is red or tests are missing for new logic, flag as a blocking issue.
After the per-file pass, decide the outcome:
suggestion, minor, or major.By default, provide the review as a chat response — a structured response covering each file:
suggestion / minor / major) and a concrete fix suggestion.Approved, Approved with suggestions, or Changes requested.Posting comments online (opt-in only). After presenting the chat review, ask the user whether they'd prefer you to also post these comments online on the PR/MR — so the team can see them, review them, and reply. Only post online if the user explicitly says yes. Never post to the platform on your own initiative.
When the user does opt in, post issues as inline comments anchored to the right file and line (use proper position fields), with the conclusion/key-concerns as a top-level review comment and an approval when warranted. This requires a review-bot access token for the platform (GitHub/GitLab); if one isn't configured, let the user know and ask them to set it up before posting.
Token safety. The token is a secret. You may check whether it exists and report its length to confirm it's configured, but never read, echo, log, print, or otherwise reveal the token value — not in chat, not in a file, not in a commit. Pass it to
curlonly by referencing the env var (e.g.$GITLAB_TOKEN), never by inlining the literal value, and avoidcurl -v/--verbose(it prints the auth header). This is enforced by aPreToolUsehook (scripts/protect-token.sh) that blocks any Bash command which would expose the value. See the "Handling the token safely" section in each reference file for the safe existence/length check.The hook fires in both the Claude Code CLI and the Agent SDK. (SDK apps that set
settingSources/setting_sourcesexplicitly must include"project"for skill hooks to load; it's included by default.)For platform-specific API details, curl formats, and approval steps, follow:
- GitLab → references/gitlab-posting.md (uses the
GITLAB_TOKENenv var)- GitHub → references/github-posting.md (uses the
GITHUB_TOKENenv var)