Code Review Skill

Perform comprehensive code reviews following industry best practices.

1. Security Review

Check for OWASP Top 10 vulnerabilities:

SQL Injection:

# Search for SQL injection risks
grep -r "execute.*\+" . --include="*.py" --include="*.js" --include="*.php"
grep -r "query.*\+" . --include="*.py" --include="*.js"
grep -r "SELECT.*%" . --include="*.py"

XSS (Cross-Site Scripting):

# Check for unescaped output
grep -r "innerHTML\s*=" . --include="*.js" --include="*.jsx"
grep -r "dangerouslySetInnerHTML" . --include="*.jsx" --include="*.tsx"
grep -r "render_template_string" . --include="*.py"

Command Injection:

# Check for command injection
grep -r "exec\|eval\|system\|shell_exec" . --include="*.py" --include="*.js" --include="*.php"
grep -r "os\.system\|subprocess\.call" . --include="*.py"
grep -r "child_process\.exec" . --include="*.js"

Hardcoded Secrets:

# Find potential secrets
grep -r "password\s*=\s*['\"]" . --include="*.py" --include="*.js" --include="*.java"
grep -r "api_key\s*=\s*['\"]" . --include="*.py" --include="*.js"
grep -r "secret\s*=\s*['\"]" . --include="*.py" --include="*.js"
grep -r "Bearer\s\+[A-Za-z0-9]" . --include="*.py" --include="*.js"

Insecure Deserialization:

# Check for insecure deserialization
grep -r "pickle\.loads\|yaml\.load\|eval\|exec" . --include="*.py"
grep -r "JSON\.parse.*localStorage" . --include="*.js"
grep -r "unserialize" . --include="*.php"

2. Code Quality Review

Complexity Analysis:

# Find long functions (potential complexity issues)
grep -n "def \|function " . -r --include="*.py" --include="*.js" | while read line; do
    echo "$line"
done

# Find files with too many lines
find . -name "*.py" -o -name "*.js" | xargs wc -l | sort -rn | head -20

Code Smells:

# Find duplicate code patterns
# God classes (too many methods)
grep -c "def \|function " **/*.py **/*.js

# Long parameter lists
grep "def.*,.*,.*,.*,.*," . -r --include="*.py"
grep "function.*,.*,.*,.*,.*," . -r --include="*.js"

# Magic numbers
grep -r "\s[0-9]\{3,\}" . --include="*.py" --include="*.js" | grep -v "test"

Naming Conventions:

# Check naming conventions
# Python: snake_case for functions
grep "def [A-Z]" . -r --include="*.py"

# JavaScript: camelCase for functions
grep "function [a-z_]" . -r --include="*.js"

# Constants should be UPPER_CASE
grep "const [a-z]" . -r --include="*.js" --include="*.ts"

3. Best Practices Review

Error Handling:

# Find bare except clauses (Python)
grep -r "except:" . --include="*.py"

# Find empty catch blocks (JavaScript)
grep -A2 "catch\s*(" . -r --include="*.js" | grep -A1 "{\s*}"

# Find TODO/FIXME comments
grep -r "TODO\|FIXME\|HACK\|XXX" . --include="*.py" --include="*.js" --include="*.java"

Resource Management:

# Find files opened without 'with' statement (Python)
grep -r "open(" . --include="*.py" | grep -v "with"

# Find potential memory leaks
grep -r "addEventListener" . --include="*.js" | grep -v "removeEventListener"

Documentation:

# Find functions without docstrings (Python)
grep -B1 "def " . -r --include="*.py" | grep -v '"""' | grep -v "'''" | grep -v "#"

# Find exported functions without JSDoc (JavaScript)
grep "export function" . -r --include="*.js" | grep -B3 -v "/\*\*"

4. Performance Review

N+1 Query Problems:

# Find potential N+1 queries
grep -r "for.*in\|forEach" . --include="*.py" --include="*.js" -A5 | grep "query\|find\|get"

Inefficient Algorithms:

# Nested loops (potential O(n²))
grep -r "for.*in" . --include="*.py" --include="*.js" -A3 | grep "for.*in"

# Multiple database calls in loops
grep -r "for\|while" . --include="*.py" --include="*.js" -A5 | grep "query\|execute\|find"

Large File Operations:

# Check for files read entirely into memory
grep -r "read()\|readlines()\|readFile" . --include="*.py" --include="*.js"

5. Dependency Review

Outdated Dependencies:

# Check for outdated npm packages
npm outdated

# Check for Python package updates
pip list --outdated

# Security vulnerabilities
npm audit
pip-audit

Unused Imports:

# Python unused imports
grep -r "^import\|^from" . --include="*.py" | cut -d: -f2 | sort | uniq

# JavaScript unused imports
grep -r "^import" . --include="*.js" --include="*.jsx" | cut -d: -f2 | sort | uniq

6. Testing Coverage

Missing Tests:

# Find source files without corresponding test files
for file in src/**/*.py; do
    testfile="tests/test_$(basename $file)"
    [ ! -f "$testfile" ] && echo "Missing test: $testfile for $file"
done

# Find functions without tests
grep "def test_" tests/ -r | cut -d: -f2 | sort

Test Quality:

# Find tests without assertions
grep -r "def test_" . --include="test_*.py" -A10 | grep -v "assert"

# Find disabled tests
grep -r "@skip\|@unittest.skip\|test.skip" . --include="*.py" --include="*.js"

7. Code Review Checklist

When reviewing code, check:

Functionality:

• Does the code do what it's supposed to do?
• Are edge cases handled?
• Is error handling appropriate?

Security:

• No SQL injection vulnerabilities
• No XSS vulnerabilities
• No hardcoded secrets
• Input validation present
• Output encoding applied

Performance:

• No N+1 query problems
• Efficient algorithms used
• Proper indexing on database queries
• No unnecessary loops or operations

Maintainability:

• Code is readable and well-organized
• Proper naming conventions
• Adequate comments and documentation
• Functions are small and focused
• DRY principle followed

Testing:

• Unit tests present
• Tests cover edge cases
• Tests are maintainable
• Good test coverage

Dependencies:

• No unnecessary dependencies
• Dependencies are up to date
• No known vulnerabilities

8. Automated Code Review Tools

Python:

# Linting
pylint src/
flake8 src/
black --check src/

# Security
bandit -r src/
safety check

# Complexity
radon cc src/ -a
radon mi src/

JavaScript:

# Linting
eslint .
prettier --check .

# Security
npm audit
snyk test

# Complexity
npx complexity-report src/

Type Checking:

# Python
mypy src/

# TypeScript
tsc --noEmit

# JavaScript (with JSDoc)
npx typescript --allowJs --checkJs --noEmit src/**/*.js

9. Review Report Format

Provide feedback in this structure:

# Code Review Report

## Summary
- Files reviewed: X
- Critical issues: X
- Warnings: X
- Suggestions: X

## Critical Issues
1. [File:Line] Security: SQL Injection risk in user input
2. [File:Line] Security: Hardcoded API key

## Warnings
1. [File:Line] Performance: N+1 query in loop
2. [File:Line] Code Quality: Function too complex (CC: 15)

## Suggestions
1. [File:Line] Consider extracting method for better readability
2. [File:Line] Add error handling for edge case

## Positive Observations
- Good test coverage
- Well-documented functions
- Proper error handling

10. Common Review Patterns

Python Specific:

# Check for mutable default arguments
grep "def.*=\[\]" . -r --include="*.py"
grep "def.*={}" . -r --include="*.py"

# Check for string concatenation in loops
grep -A5 "for.*in" . -r --include="*.py" | grep "+="

JavaScript Specific:

# Check for var instead of let/const
grep "\svar\s" . -r --include="*.js"

# Check for == instead of ===
grep "==\|!=" . -r --include="*.js" | grep -v "===" | grep -v "!=="

# Check for missing 'use strict'
head -5 src/**/*.js | grep -L "use strict"

When to Use This Skill

Use /code-review when:

• Reviewing pull requests
• Conducting security audits
• Checking code quality before deployment
• Onboarding new code into a project
• Performing pre-commit reviews
• Analyzing legacy code
• Preparing for code refactoring

The skill will analyze code and provide actionable feedback on security, quality, performance, and best practices.