一键在 Manus 中运行任何 Skill

code-review

星标4

分支2

更新时间2026年2月24日 07:59

Security and quality review of uncommitted changes. Checks for vulnerabilities, code smells, and best practice violations. Use before committing.

安装

用 Codex 或 Claude 帮你安装复制这段 Prompt，粘贴到 Codex、Claude 或其他助手里，让它检查 Skill 页面并帮你完成安装。

在 Manus 中运行

来源

nomos-guild

nomos-guild/cgov

打开 GitHub 仓库查看创作者相关仓库

下载

在 Manus 中运行

Code Review

Systematic security and quality review of uncommitted changes. Groups findings by severity.

Instructions

Step 1: Get Changed Files

git diff --name-only HEAD
git diff --name-only --cached

Combine staged and unstaged changes. Filter to source files (.ts, .tsx, .js, .jsx). If --staged argument, only review staged files.

Step 2: Get Diffs

For each changed file, get the full diff:

git diff HEAD -- <file>

Read the diff carefully. Focus on ADDED and MODIFIED lines (lines starting with +).

Step 3: Check Each File

Review each changed file against three severity tiers.

CRITICAL (Security) — Blocks commit

Check	Pattern	Why
Hardcoded secrets	API keys, passwords, tokens in source	Credential exposure
SQL injection	String concatenation in SQL queries	Data breach
XSS vulnerability	`dangerouslySetInnerHTML` with user input, unescaped output	Script injection
Missing input validation	API route handlers without validation	Injection attacks
Path traversal	User input in file paths without sanitization	File system access
Exposed server secrets	`BACKEND_API_KEY` or server-only env vars in client code	Key leakage

HIGH (Quality) — Should fix before commit

Check	Pattern	Why
Functions > 80 lines	Count lines in new/modified functions	Maintainability
Nesting > 4 levels	Deeply nested if/for/try blocks	Readability
Missing error handling	Async calls without try-catch, .catch(), or error boundary	Runtime crashes
console.log statements	`console.log(` in production code	Debug noise
TODO/FIXME/HACK comments	Temporary markers being committed	Technical debt
Unused imports	Imports not referenced in changed code	Dead code
Any type usage	`as any`, `: any` in TypeScript	Type safety loss

MEDIUM (Best Practice) — Nice to fix

Check	Pattern	Why
Direct state mutation	Mutating objects/arrays instead of spread	React bugs
Missing loading states	Async data fetching without loading/error UI	UX
Missing accessibility	Interactive elements without aria labels, images without alt	a11y
Hardcoded strings	User-facing text not using i18n (`t()` / `useTranslations`)	i18n
Magic numbers	Unexplained numeric constants	Readability
Missing TypeScript types	Implicit `any` from missing type annotations	Type safety

Step 4: Report

Output findings grouped by severity:

CODE REVIEW: <file count> files reviewed
═══════════════════════════════════════

CRITICAL (X issues) — Must fix before commit
  [C1] src/pages/api/foo.ts:42 — Hardcoded API key in source
  [C2] src/components/Bar.tsx:18 — dangerouslySetInnerHTML with user input

HIGH (X issues) — Should fix
  [H1] src/store/slice.ts:100-180 — Function exceeds 80 lines (80 lines)
  [H2] src/pages/api/bar.ts:25 — Missing try-catch on async operation

MEDIUM (X issues) — Nice to fix
  [M1] src/components/Baz.tsx:55 — Hardcoded "Loading..." string (should use t())
  [M2] src/components/Qux.tsx:12 — Image missing alt attribute

═══════════════════════════════════════
VERDICT: [COMMIT OK / FIX REQUIRED]

Step 5: Verdict

Any CRITICAL → FIX REQUIRED, do not commit
3+ HIGH → FIX REQUIRED
Only MEDIUM → COMMIT OK with suggestions
Clean → COMMIT OK

Project-Specific Checks

Next.js API Routes (`src/pages/api/`)

Must use callApi() from utils/apiHelper.ts for backend proxy (adds X-API-Key server-side)
Must never expose BACKEND_API_KEY to client
Should validate request method (if (req.method !== 'GET'))
Should have error handling with appropriate status codes

Lovelace/ADA Conversion

Raw lovelace values should be transformed in services/api.ts, not in components
Check for division by 1_000_000 in component code (should be in service layer)

Theme Compatibility

New UI elements should work across all 3 themes (light/dark/game)
Check for hardcoded colors that don't use theme variables
Look for bg-white, text-black, border-gray-* without dark: variants

Redux vs SWR

New data fetching for governance data should use SWR hooks from useGovernanceData.ts
DRep data should use hooks from useDRepData.ts
Redux is for backward compat, not new development

同仓库更多 Skills

同仓库

add-chart

nomos-guild/cgov

Scaffold a new dashboard chart component with registry, types, and proper theme integration.

2026-03-034

add-dashboard

nomos-guild/cgov

Create a new customizable dashboard with its own chart registry, provider, and page. Use when adding dashboards like DRep or SPO dashboard.

2026-03-034

context

nomos-guild/cgov

Context window conservation rules. Invoke when approaching context limits or before large tasks.

2026-03-034

reflect

nomos-guild/cgov

Deep reflection on the skill learning system itself. Analyzes what's working, what's stale, and proposes structural improvements. The meta-skill.

2026-03-034

wrap-up

nomos-guild/cgov

End-of-session automation. Creates a journey and evolves skills based on session learnings.

2026-03-034

build-fix

nomos-guild/cgov

Run the build and intelligently fix TypeScript errors with guardrails. Stops if fixes introduce more errors or the same error persists after 3 attempts.

2026-02-244

name	code-review
updated	"2026-02-20T00:00:00.000Z"
description	Security and quality review of uncommitted changes. Checks for vulnerabilities, code smells, and best practice violations. Use before committing.
argument-hint	["--staged\|--all"]
(default	--all uncommitted)
allowed-tools	Bash, Read, Grep, Glob, TodoWrite

Code Review

Systematic security and quality review of uncommitted changes. Groups findings by severity.

Instructions

Step 1: Get Changed Files

git diff --name-only HEAD
git diff --name-only --cached

Combine staged and unstaged changes. Filter to source files (.ts, .tsx, .js, .jsx). If --staged argument, only review staged files.

Step 2: Get Diffs

For each changed file, get the full diff:

git diff HEAD -- <file>

Read the diff carefully. Focus on ADDED and MODIFIED lines (lines starting with +).

Step 3: Check Each File

Review each changed file against three severity tiers.

CRITICAL (Security) — Blocks commit

Check	Pattern	Why
Hardcoded secrets	API keys, passwords, tokens in source	Credential exposure
SQL injection	String concatenation in SQL queries	Data breach
XSS vulnerability	`dangerouslySetInnerHTML` with user input, unescaped output	Script injection
Missing input validation	API route handlers without validation	Injection attacks
Path traversal	User input in file paths without sanitization	File system access
Exposed server secrets	`BACKEND_API_KEY` or server-only env vars in client code	Key leakage

HIGH (Quality) — Should fix before commit

Check	Pattern	Why
Functions > 80 lines	Count lines in new/modified functions	Maintainability
Nesting > 4 levels	Deeply nested if/for/try blocks	Readability
Missing error handling	Async calls without try-catch, .catch(), or error boundary	Runtime crashes
console.log statements	`console.log(` in production code	Debug noise
TODO/FIXME/HACK comments	Temporary markers being committed	Technical debt
Unused imports	Imports not referenced in changed code	Dead code
Any type usage	`as any`, `: any` in TypeScript	Type safety loss

MEDIUM (Best Practice) — Nice to fix

Check	Pattern	Why
Direct state mutation	Mutating objects/arrays instead of spread	React bugs
Missing loading states	Async data fetching without loading/error UI	UX
Missing accessibility	Interactive elements without aria labels, images without alt	a11y
Hardcoded strings	User-facing text not using i18n (`t()` / `useTranslations`)	i18n
Magic numbers	Unexplained numeric constants	Readability
Missing TypeScript types	Implicit `any` from missing type annotations	Type safety

Step 4: Report

Output findings grouped by severity:

CODE REVIEW: <file count> files reviewed
═══════════════════════════════════════

CRITICAL (X issues) — Must fix before commit
  [C1] src/pages/api/foo.ts:42 — Hardcoded API key in source
  [C2] src/components/Bar.tsx:18 — dangerouslySetInnerHTML with user input

HIGH (X issues) — Should fix
  [H1] src/store/slice.ts:100-180 — Function exceeds 80 lines (80 lines)
  [H2] src/pages/api/bar.ts:25 — Missing try-catch on async operation

MEDIUM (X issues) — Nice to fix
  [M1] src/components/Baz.tsx:55 — Hardcoded "Loading..." string (should use t())
  [M2] src/components/Qux.tsx:12 — Image missing alt attribute

═══════════════════════════════════════
VERDICT: [COMMIT OK / FIX REQUIRED]

Step 5: Verdict

Any CRITICAL → FIX REQUIRED, do not commit
3+ HIGH → FIX REQUIRED
Only MEDIUM → COMMIT OK with suggestions
Clean → COMMIT OK

Project-Specific Checks

Next.js API Routes (`src/pages/api/`)

Must use callApi() from utils/apiHelper.ts for backend proxy (adds X-API-Key server-side)
Must never expose BACKEND_API_KEY to client
Should validate request method (if (req.method !== 'GET'))
Should have error handling with appropriate status codes

Lovelace/ADA Conversion

Raw lovelace values should be transformed in services/api.ts, not in components
Check for division by 1_000_000 in component code (should be in service layer)

Theme Compatibility

New UI elements should work across all 3 themes (light/dark/game)
Check for hardcoded colors that don't use theme variables
Look for bg-white, text-black, border-gray-* without dark: variants

Redux vs SWR

New data fetching for governance data should use SWR hooks from useGovernanceData.ts
DRep data should use hooks from useDRepData.ts
Redux is for backward compat, not new development

code-review

Code Review

Instructions

Step 1: Get Changed Files

Step 2: Get Diffs

Step 3: Check Each File

CRITICAL (Security) — Blocks commit

HIGH (Quality) — Should fix before commit

MEDIUM (Best Practice) — Nice to fix

Step 4: Report

Step 5: Verdict

Project-Specific Checks

Next.js API Routes (src/pages/api/)

Lovelace/ADA Conversion

Theme Compatibility

Redux vs SWR

同仓库更多 Skills

同仓库更多 Skills

Code Review

Instructions

Step 1: Get Changed Files

Step 2: Get Diffs

Step 3: Check Each File

CRITICAL (Security) — Blocks commit

HIGH (Quality) — Should fix before commit

MEDIUM (Best Practice) — Nice to fix

Step 4: Report

Step 5: Verdict

Project-Specific Checks

Next.js API Routes (src/pages/api/)

Lovelace/ADA Conversion

Theme Compatibility

Redux vs SWR

Next.js API Routes (`src/pages/api/`)

Next.js API Routes (`src/pages/api/`)