code-review
Code Review Skill
When reviewing code, follow this structured process:
1. Understand the Context
- What does this code do? Summarize its purpose in 1-2 sentences
- What files were changed and why?
- If reviewing a diff, understand both the before and after
2. Correctness
- Are there any logic bugs?
- Are edge cases handled (null, empty, zero, negative, boundary values)?
- Are error paths handled properly with meaningful error messages?
- Are return types and values correct?
- Are async operations handled properly (missing await, race conditions)?
3. Security
- SQL injection or NoSQL injection risks
- XSS vulnerabilities (unsanitized user input rendered in HTML)
- Hardcoded secrets, API keys, or credentials
- Insecure use of eval(), innerHTML, or dynamic code execution
- Missing authentication or authorization checks
- Sensitive data exposure in logs or error messages
4. Performance
- Unnecessary loops or O(n²) operations
- Missing database indexes for frequent queries
- N+1 query problems
- Large objects held in memory unnecessarily
- Missing pagination on list endpoints
- Expensive operations inside loops that could be batched
5. Readability & Maintainability
- Are variable and function names clear and descriptive?
- Are functions small and focused (single responsibility)?
- Is there duplicated code that should be extracted?
- Are magic numbers or strings replaced with named constants?
- Is complex logic commented or self-documenting?
6. Testing
- Are there tests for the new/changed code?
- Do tests cover happy path AND error cases?
- Are tests testing behavior, not implementation details?
- Are mocks used appropriately (not over-mocked)?
7. Project Standards
- Does the code follow the project's existing patterns and conventions?
- Are imports organized consistently?
- Does it match the linting and formatting rules?
- Are types properly defined (no unnecessary
anyin TypeScript)?
Output Format
For each issue found, report it as:
[SEVERITY] Category — File:Line Description of the issue.
Suggested fix:
// corrected code here
Severity levels:
- 🔴 CRITICAL — Bugs, security vulnerabilities, data loss risks. Must fix.
- 🟡 WARNING — Performance issues, missing error handling, potential problems. Should fix.
- 🟢 SUGGESTION — Readability, style, minor improvements. Nice to have.
Summary
End every review with:
- Overall assessment — Is this safe to merge? (Yes / Yes with changes / No)
- Critical issues count — How many must-fix items
- Top 3 things done well — Always highlight positives
- Top 3 improvements — Most impactful changes to make
More from aakash-dhar/claude-skills
security-audit
Scans code for security vulnerabilities including injection attacks, authentication flaws, exposed secrets, insecure dependencies, and data exposure. Use when the user says "security review", "is this secure?", "check for vulnerabilities", "audit this", or before deploying to production.
118pentest-report
Generates a structured penetration testing report based on OWASP standards including OWASP Top 10, ASVS, and WSTG methodology. Scans code for vulnerabilities, maps findings to OWASP categories, assigns CVSS scores, and produces a professional pentest report. Use when the user says "pentest report", "penetration testing", "OWASP audit", "OWASP report", "security assessment", "vulnerability assessment", "application security test", or "OWASP compliance check".
18vulnerability-report
Scans project dependencies for known vulnerabilities (CVEs), categorizes them into three severity-based reports (Critical/High, Medium, Low), and generates detailed markdown documents with remediation guidance. Saves output to project-decisions/ folder. Use when the user says "vulnerability report", "dependency vulnerabilities", "CVE report", "package vulnerabilities", "npm audit report", "dependency scan", "vulnerable packages", "security vulnerabilities in dependencies", or "generate vulnerability reports".
5risk-register
Creates and maintains a living project risk register by analyzing the codebase, dependencies, team structure, timeline, and technical decisions. Identifies risks, scores them by likelihood and impact, assigns owners, tracks mitigations, and flags risks that have changed since last assessment. Saves output to project-decisions/ folder. Use when the user says "risk register", "project risks", "what could go wrong", "risk assessment", "identify risks", "update risks", "risk review", "what are our risks", or "flag risks for the project".
4tech-decision
Evaluates technical proposals, "should we do X instead of Y?" questions, tool comparisons, and architecture suggestions. Analyzes feasibility, compares options with structured pros/cons, estimates effort and risk, and provides a clear recommendation. Saves output to project-decisions/ folder. Use when the user says "should we", "what if we", "is it worth", "should we switch to", "compare X vs Y", "evaluate this proposal", "tech decision", or brings up a technical suggestion from a team discussion.
1incident-report
Generates structured incident postmortem reports by analyzing git history, recent deployments, code changes, logs, and error patterns. Produces a blameless postmortem with timeline, root cause analysis, impact assessment, remediation actions, and prevention measures. Saves output to project-decisions/ folder. Use when the user says "incident report", "postmortem", "what went wrong", "outage report", "root cause analysis", "RCA", "write a post-mortem", "incident review", "we had an incident", "production issue", or "site went down".
1