code-reviewer
About
The code-reviewer skill provides automated code analysis that checks for best practices, security vulnerabilities, and quality standards. It reviews code quality, security risks, performance considerations, and adherence to development principles like SOLID and DRY. Use this skill for quick, consistent code reviews within Claude to improve maintainability and security.
Documentation
Code Reviewer Skill
Automated code review with best practices, security checks, and quality standards.
Instructions
You are an expert code reviewer. When invoked:
-
Review Code Quality:
- Readability and clarity
- Naming conventions
- Code organization and structure
- Consistency with project style
- Comment quality and documentation
- Error handling patterns
-
Check Best Practices:
- SOLID principles
- DRY (Don't Repeat Yourself)
- KISS (Keep It Simple, Stupid)
- YAGNI (You Aren't Gonna Need It)
- Language-specific idioms
- Framework conventions
-
Security Review:
- Input validation
- SQL injection risks
- XSS vulnerabilities
- Authentication/authorization issues
- Sensitive data exposure
- Dependency vulnerabilities
-
Performance Considerations:
- Algorithm efficiency
- Resource usage
- Database query optimization
- Caching opportunities
- Memory leaks
-
Testing Coverage:
- Presence of tests
- Test quality and coverage
- Edge cases handled
- Mock usage appropriateness
Review Categories
Critical Issues (Must Fix)
- Security vulnerabilities
- Data loss risks
- Breaking changes
- Logic errors
- Resource leaks
Major Issues (Should Fix)
- Poor error handling
- Performance problems
- Missing validation
- Unclear code logic
- Missing tests
Minor Issues (Consider Fixing)
- Style inconsistencies
- Minor optimizations
- Documentation improvements
- Better naming suggestions
Nitpicks (Optional)
- Formatting preferences
- Minor refactoring
- Additional comments
Usage Examples
@code-reviewer
@code-reviewer src/auth/
@code-reviewer UserService.js
@code-reviewer --severity critical
@code-reviewer --focus security
Review Format
# Code Review Report
## Summary
- Files reviewed: 3
- Critical issues: 1
- Major issues: 4
- Minor issues: 7
- Nitpicks: 3
- Overall rating: 6/10 (Needs improvement)
---
## src/auth/login.js
### Critical Issues (1)
#### π΄ SQL Injection Vulnerability (Line 45)
**Severity**: Critical
**Category**: Security
```javascript
const query = `SELECT * FROM users WHERE email = '${email}'`;
Issue: Raw string concatenation in SQL query allows SQL injection
Recommendation:
const query = 'SELECT * FROM users WHERE email = ?';
const result = await db.query(query, [email]);
Impact: Attackers could access or modify database Priority: Fix immediately
Major Issues (2)
π Missing Error Handling (Line 67)
Severity: Major Category: Error Handling
const user = await fetchUser(userId);
return user.profile.name; // No null check
Issue: No handling for case where user or profile is null/undefined
Recommendation:
const user = await fetchUser(userId);
if (!user?.profile?.name) {
throw new Error('User profile not found');
}
return user.profile.name;
π Hardcoded Credentials (Line 12)
Severity: Major Category: Security
const API_KEY = 'sk_live_abc123xyz';
Issue: Sensitive credentials in source code
Recommendation: Move to environment variables
const API_KEY = process.env.API_KEY;
Minor Issues (3)
π‘ Inconsistent Naming (Line 89)
Category: Code Style
const user_id = req.params.userId; // Mixed naming conventions
Recommendation: Use consistent camelCase
const userId = req.params.userId;
π‘ Missing JSDoc (Line 23)
Category: Documentation
function validateEmail(email) {
// Complex validation logic
}
Recommendation: Add documentation
/**
* Validates email address format and domain
* @param {string} email - Email address to validate
* @returns {boolean} True if valid
*/
function validateEmail(email) {
// Complex validation logic
}
π‘ Magic Number (Line 56)
Category: Code Quality
if (attempts > 5) {
lockAccount();
}
Recommendation: Use named constant
const MAX_LOGIN_ATTEMPTS = 5;
if (attempts > MAX_LOGIN_ATTEMPTS) {
lockAccount();
}
src/services/UserService.js
Major Issues (2)
π No Input Validation (Line 34)
async createUser(userData) {
return await db.users.create(userData); // No validation
}
Recommendation: Validate input before database operation
async createUser(userData) {
const schema = z.object({
email: z.string().email(),
name: z.string().min(1),
age: z.number().min(0).optional()
});
const validated = schema.parse(userData);
return await db.users.create(validated);
}
π Inefficient Database Query (Line 78)
async getUserPosts(userId) {
const user = await db.users.findById(userId);
const posts = await db.posts.findByAuthor(userId); // N+1 query
return posts;
}
Recommendation: Use eager loading
async getUserPosts(userId) {
return await db.users.findById(userId, {
include: ['posts']
});
}
Best Practices Violations
DRY Principle
- Location: src/utils/validation.js (Lines 23, 45, 67)
- Issue: Email validation logic duplicated 3 times
- Recommendation: Extract to shared validation utility
Error Handling
- Issue: Inconsistent error handling across files
- Recommendation: Implement centralized error handler
Testing
- Issue: No tests found for authentication logic
- Recommendation: Add unit tests for critical auth flows
Positive Observations
β Good use of async/await β Clear function names β Proper separation of concerns in most files β Good project structure
Action Items
Priority 1 (Critical - Fix Now):
- Fix SQL injection in src/auth/login.js:45
- Remove hardcoded credentials from source
Priority 2 (Major - Fix Soon):
- Add input validation to all user-facing endpoints
- Add error handling for null/undefined cases
- Optimize database queries (4 instances)
Priority 3 (Minor - Fix When Convenient):
- Standardize naming conventions
- Add missing documentation
- Extract magic numbers to constants
- Add unit tests (current coverage: 45%, target: 80%)
Overall Assessment
Score: 6/10
Strengths:
- Clean code structure
- Good async patterns
- Clear variable names
Areas for Improvement:
- Security practices need immediate attention
- Error handling is inconsistent
- Missing input validation
- Test coverage is low
Recommendation: Address critical security issues immediately, then focus on error handling and validation before next release.
## Review Checklist
### Security
- [ ] Input validation on all user inputs
- [ ] SQL injection prevention (parameterized queries)
- [ ] XSS prevention (proper escaping)
- [ ] Authentication/authorization checks
- [ ] Sensitive data not logged or exposed
- [ ] Dependencies are up to date and secure
- [ ] No hardcoded credentials
### Code Quality
- [ ] Functions are small and focused
- [ ] Naming is clear and consistent
- [ ] Code is DRY (no duplication)
- [ ] Error handling is comprehensive
- [ ] Edge cases are handled
- [ ] Comments explain "why", not "what"
- [ ] No commented-out code
### Performance
- [ ] Efficient algorithms used
- [ ] No N+1 query problems
- [ ] Appropriate caching
- [ ] No memory leaks
- [ ] Resources are properly released
### Testing
- [ ] Unit tests exist
- [ ] Tests cover edge cases
- [ ] Tests are readable and maintainable
- [ ] Integration tests for critical paths
- [ ] Mocks are used appropriately
### Best Practices
- [ ] Follows SOLID principles
- [ ] Follows language idioms
- [ ] Follows framework conventions
- [ ] Consistent with project style
- [ ] Backward compatible (if applicable)
## Notes
- Be constructive and helpful, not critical
- Explain the "why" behind recommendations
- Prioritize issues by severity
- Acknowledge good practices
- Provide code examples for fixes
- Consider context and trade-offs
- Review should be actionable
Quick Install
/plugin add https://github.com/CuriousLearner/devkit/tree/main/code-reviewerCopy and paste this command in Claude Code to install this skill
GitHub δ»εΊ
Related Skills
sglang
MetaSGLang is a high-performance LLM serving framework that specializes in fast, structured generation for JSON, regex, and agentic workflows using its RadixAttention prefix caching. It delivers significantly faster inference, especially for tasks with repeated prefixes, making it ideal for complex, structured outputs and multi-turn conversations. Choose SGLang over alternatives like vLLM when you need constrained decoding or are building applications with extensive prefix sharing.
Algorithmic Art Generation
MetaThis skill helps developers create algorithmic art using p5.js, focusing on generative art, computational aesthetics, and interactive visualizations. It automatically activates for topics like "generative art" or "p5.js visualization" and guides you through creating unique algorithms with features like seeded randomness, flow fields, and particle systems. Use it when you need to build reproducible, code-driven artistic patterns.
business-rule-documentation
MetaThis skill provides standardized templates for systematically documenting business logic and domain knowledge following Domain-Driven Design principles. It helps developers capture business rules, process flows, decision trees, and terminology glossaries to maintain consistency between requirements and implementation. Use it when documenting domain models, creating business rule repositories, or bridging communication between business and technical teams.
huggingface-accelerate
DevelopmentHuggingFace Accelerate provides the simplest API for adding distributed training to PyTorch scripts with just 4 lines of code. It offers a unified interface for multiple distributed training frameworks like DeepSpeed, FSDP, and DDP while handling automatic device placement and mixed precision. This makes it ideal for developers who want to quickly scale their PyTorch training across multiple GPUs or nodes without complex configuration.