// Comprehensive code review for diffs. Analyzes changed code for security vulnerabilities, anti-patterns, and quality issues. Auto-detects domain (frontend/backend) from file paths.
| name | code-review |
| description | Comprehensive code review for diffs. Analyzes changed code for security vulnerabilities, anti-patterns, and quality issues. Auto-detects domain (frontend/backend) from file paths. |
| allowed-tools | Bash, Read, Edit, Write, Grep, Glob, Task |
You are performing a comprehensive code review on a diff. Your task is to analyze the changed code for security vulnerabilities, anti-patterns, and quality issues.
This skill expects a diff to be provided in context before invocation. The caller is responsible for generating the diff.
Example invocations:
/code-reviewgit diff HEAD~1, then invokes this skillIf no diff is present in context, ask the user to provide one or offer to generate one (e.g., git diff, git diff main..HEAD).
Auto-detect which checklists to apply based on directory paths in the diff:
| Directory | Domain | Checklist |
|---|---|---|
designer/ | Frontend | Read frontend.md |
server/ | Backend | Read backend.md |
rag/ | Backend | Read backend.md |
runtimes/universal/ | Backend | Read backend.md |
cli/ | CLI/Go | Generic checks only |
config/ | Config | Generic checks only |
If the diff spans multiple domains, load all relevant checklists.
Extract from the diff:
Create a review document using the temp-files pattern:
SANITIZED_PATH=$(echo "$PWD" | tr '/' '-')
REPORT_DIR="/tmp/claude/${SANITIZED_PATH}/reviews"
mkdir -p "$REPORT_DIR"
TIMESTAMP=$(date +%Y%m%d-%H%M%S)
FILEPATH="${REPORT_DIR}/code-review-${TIMESTAMP}.md"
Initialize with this schema:
# Code Review Report
**Date**: {current date}
**Reviewer**: Code Review Agent
**Source**: {e.g., "PR diff", "unstaged changes", "main..HEAD"}
**Files Changed**: {count}
**Domains Detected**: {list}
**Status**: In Progress
## Summary
| Category | Items Checked | Passed | Failed | Findings |
|----------|---------------|--------|--------|----------|
| Security | 0 | 0 | 0 | 0 |
| Code Quality | 0 | 0 | 0 | 0 |
| LLM Code Smells | 0 | 0 | 0 | 0 |
| Impact Analysis | 0 | 0 | 0 | 0 |
| Simplification | 0 | 0 | 0 | 0 |
{domain-specific categories added based on detected domains}
## Detailed Findings
{findings added here as review progresses}
For EACH checklist item:
Key principle: The diff is what gets reviewed. The rest of the file provides context to make that review accurate.
Check if the diff might affect other parts of the codebase:
Report any unaccounted-for impacts as findings with severity based on risk.
For each issue found, add an entry:
### [{CATEGORY}] {Item Name}
**Status**: FAIL
**Severity**: Critical | High | Medium | Low
**Scope**: Changed code | Impact analysis
#### Violation
- **File**: `path/to/file.ext`
- **Line(s)**: 42-48 (from diff)
- **Code**:
// problematic code snippet from diff
- **Issue**: {explanation of what's wrong}
- **Recommendation**: {how to fix it}
After completing all checks:
These checks apply to ALL changed code regardless of domain.
Check diff for:
api_key, apiKey, password, secret, token, credential with literal valuesPass criteria: No hardcoded secrets in diff (should use environment variables) Severity: Critical
Check diff for:
eval(, new Function(, setTimeout(", setInterval("eval(, exec(, compile(Pass criteria: No dynamic code execution in changed lines Severity: Critical
Check diff for:
subprocess with shell=True, os.system(exec.Command( with unsanitized inputPass criteria: No unvalidated user input in shell commands Severity: Critical
Check diff for:
console.log, console.debug, console.infoprint( statementsPass criteria: No debug statements in production code changes Severity: Low
Check diff for:
TODO:, FIXME:, HACK:, XXX: commentsPass criteria: New TODOs should be tracked in issues Severity: Low
Check diff for:
catch { } or catch(e) { }except: pass or empty except blocksPass criteria: All error handlers log or rethrow Severity: High
Check diff for:
TODO, PLACEHOLDER, IMPLEMENT, NotImplementedreturn None, return [], return {}Pass criteria: No placeholder implementations in production code Severity: High
Check diff for:
GenericHandler, BaseManager, AbstractFactoryPass criteria: Abstractions are justified by actual reuse Severity: Low
Check if diff modifies:
Pass criteria: All impacted code identified and accounted for Severity: High (if unaccounted impacts found)
Check diff for:
Pass criteria: No obvious duplication in changed code Severity: Medium Suggestion: Extract shared logic into reusable functions
Check diff for:
Pass criteria: Code is reasonably flat and focused Severity: Medium Suggestion: Use early returns, extract helper functions
Check diff for:
Pass criteria: Code uses idiomatic patterns Severity: Low Suggestion: Simplify using language built-ins
Based on detected domains, read and apply the appropriate checklists:
designer/): Read frontend.md and apply those checks to changed codeserver/, rag/, runtimes/): Read backend.md and apply those checks to changed code## Executive Summary
**Review completed**: {timestamp}
**Total findings**: {count}
### Critical Issues (Must Fix)
1. {issue 1}
2. {issue 2}
### Impact Analysis Results
- {summary of any breaking changes or unaccounted impacts}
### High Priority (Should Fix)
1. {issue 1}
2. {issue 2}
### Recommendations
{Overall recommendations based on the changes reviewed}
Scope to diff: Only flag issues in the changed lines. Don't review unchanged code.
Use context: Read full files to understand the changes, but feedback targets the diff only.
Check impacts: When changes touch exports, APIs, or shared code, search for affected consumers.
Be specific: Include file paths, line numbers (from diff), and code snippets for every finding.
Prioritize: Flag critical security issues immediately.
Provide solutions: Each finding should include a recommendation for how to fix it.
Update incrementally: Update the review document after each category, not at the end.
CLI best practices for LlamaFarm. Covers Cobra, Bubbletea, Lipgloss patterns for Go CLI development.
Electron patterns for LlamaFarm Desktop. Covers main/renderer processes, IPC, security, and packaging.
Shared Python best practices for LlamaFarm. Covers patterns, async, typing, testing, error handling, and security.
Server-specific best practices for FastAPI, Celery, and Pydantic. Extends python-skills with framework-specific patterns.
Shared TypeScript best practices for Designer and Electron subsystems.
Manage LlamaFarm worktrees for isolated parallel development. Create, start, stop, and clean up worktrees.