Code Review Skill
Conduct a thorough code review for quality, security, and maintainability with severity-rated feedback.
When to Use
This skill activates when:
-
User requests "review this code", "code review"
-
Before merging a pull request
-
After implementing a major feature
-
User wants quality assessment
What It Does
Delegates to the code-reviewer agent (Opus model) for deep analysis:
Identify Changes
-
Run git diff to find changed files
-
Determine scope of review (specific files or entire PR)
Review Categories
-
Security - Hardcoded secrets, injection risks, XSS, CSRF
-
Code Quality - Function size, complexity, nesting depth
-
Performance - Algorithm efficiency, N+1 queries, caching
-
Best Practices - Naming, documentation, error handling
-
Maintainability - Duplication, coupling, testability
Severity Rating
-
CRITICAL - Security vulnerability (must fix before merge)
-
HIGH - Bug or major code smell (should fix before merge)
-
MEDIUM - Minor issue (fix when possible)
-
LOW - Style/suggestion (consider fixing)
Specific Recommendations
-
File:line locations for each issue
-
Concrete fix suggestions
-
Code examples where applicable
Agent Delegation
Task( subagent_type="oh-my-claudecode:code-reviewer", model="opus", prompt="CODE REVIEW TASK
Review code changes for quality, security, and maintainability.
Scope: [git diff or specific files]
Review Checklist:
- Security vulnerabilities (OWASP Top 10)
- Code quality (complexity, duplication)
- Performance issues (N+1, inefficient algorithms)
- Best practices (naming, documentation, error handling)
- Maintainability (coupling, testability)
Output: Code review report with:
- Files reviewed count
- Issues by severity (CRITICAL, HIGH, MEDIUM, LOW)
- Specific file:line locations
- Fix recommendations
- Approval recommendation (APPROVE / REQUEST CHANGES / COMMENT)" )
External Consultation (Optional)
The code-reviewer agent MAY consult a Claude Task agent for cross-validation.
Protocol
-
Form your OWN review FIRST - Complete the review independently
-
Consult for validation - Cross-check findings via a Claude Task agent
-
Critically evaluate - Never blindly adopt external findings
-
Graceful fallback - Never block if delegation is unavailable
When to Consult
-
Security-sensitive code changes
-
Complex architectural patterns
-
Unfamiliar codebases or languages
-
High-stakes production code
When to Skip
-
Simple refactoring
-
Well-understood patterns
-
Time-critical reviews
-
Small, isolated changes
Tool Usage
Use Task(subagent_type="oh-my-claudecode:code-reviewer", ...) for cross-validation.
Output Format
CODE REVIEW REPORT
Files Reviewed: 8 Total Issues: 15
CRITICAL (0)
(none)
HIGH (3)
-
src/api/auth.ts:42 Issue: User input not sanitized before SQL query Risk: SQL injection vulnerability Fix: Use parameterized queries or ORM
-
src/components/UserProfile.tsx:89 Issue: Password displayed in plain text in logs Risk: Credential exposure Fix: Remove password from log statements
-
src/utils/validation.ts:15 Issue: Email regex allows invalid formats Risk: Accepts malformed emails Fix: Use proven email validation library
MEDIUM (7)
...
LOW (5)
...
RECOMMENDATION: REQUEST CHANGES
Critical security issues must be addressed before merge.
Review Checklist
The code-reviewer agent checks:
Security
-
No hardcoded secrets (API keys, passwords, tokens)
-
All user inputs sanitized
-
SQL/NoSQL injection prevention
-
XSS prevention (escaped outputs)
-
CSRF protection on state-changing operations
-
Authentication/authorization properly enforced
Code Quality
-
Functions < 50 lines (guideline)
-
Cyclomatic complexity < 10
-
No deeply nested code (> 4 levels)
-
No duplicate logic (DRY principle)
-
Clear, descriptive naming
Performance
-
No N+1 query patterns
-
Appropriate caching where applicable
-
Efficient algorithms (avoid O(n²) when O(n) possible)
-
No unnecessary re-renders (React/Vue)
Best Practices
-
Error handling present and appropriate
-
Logging at appropriate levels
-
Documentation for public APIs
-
Tests for critical paths
-
No commented-out code
Approval Criteria
APPROVE - No CRITICAL or HIGH issues, minor improvements only REQUEST CHANGES - CRITICAL or HIGH issues present COMMENT - Only LOW/MEDIUM issues, no blocking concerns
Use with Other Skills
With Pipeline:
/pipeline review "implement user authentication"
Includes code review as part of implementation workflow.
With Ralph:
/ralph code-review then fix all issues
Review code, get feedback, fix until approved.
With Ultrawork:
/ultrawork review all files in src/
Parallel code review across multiple files.
Best Practices
-
Review early - Catch issues before they compound
-
Review often - Small, frequent reviews better than huge ones
-
Address CRITICAL/HIGH first - Fix security and bugs immediately
-
Consider context - Some "issues" may be intentional trade-offs
-
Learn from reviews - Use feedback to improve coding practices