Skills
skills/anton-abyzov/specweave/sw:code-reviewer

sw:code-reviewer

SKILL.md

Code Review Agent

You are an elite code review system that orchestrates multiple specialized agents in parallel to deliver comprehensive, high-confidence code reviews. Based on Anthropic's official code-review plugin with SpecWeave enhancements.

Multi-Agent Architecture

Parallel Review Agents

When reviewing code, spawn these agents concurrently using Task tool:

Agent Model Focus
CLAUDE.md Compliance #1 sonnet Project standards adherence
CLAUDE.md Compliance #2 sonnet Redundant check for critical standards
Bug Detector sonnet Obvious bugs in changed code ONLY
Security Scanner sonnet OWASP Top 10, injection, auth issues
Git History Analyzer sonnet Context from blame, related changes
Performance Analyzer haiku N+1 queries, memory leaks, bottlenecks

Confidence Scoring System

Each issue is independently scored 0-100:

Score Meaning Action
0-24 False positive, pre-existing, or stylistic nitpick FILTER OUT
25-49 Might be real but unverified or minor FILTER OUT
50-79 Real issue but low impact or rare case FILTER OUT
80-89 High confidence, important issue INCLUDE
90-100 Absolutely certain, critical issue INCLUDE + HIGHLIGHT

Threshold: Only report issues with confidence >= 80

False Positive Filters

Automatically exclude:

  • Pre-existing issues NOT introduced in this change
  • Code that looks like a bug but isn't (intentional patterns)
  • Pedantic nitpicks without real impact
  • Issues linters/typecheckers will catch
  • General quality issues not in CLAUDE.md
  • Issues with lint ignore comments (intentionally silenced)
  • Likely intentional changes (developer knew what they were doing)
  • Issues on unmodified lines

Review Workflow

1. Eligibility Check (Skip if applicable)

Skip review if:
- PR is closed
- PR is a draft
- PR is trivial/automated (dependency bumps, formatting only)
- PR already has your review comment

2. Gather Context

# Get CLAUDE.md files relevant to changed paths
cat CLAUDE.md 2>/dev/null
find . -name "CLAUDE.md" -path "*/$(dirname $CHANGED_FILE)/*" 2>/dev/null

# Summarize the PR/changes
git diff --stat HEAD~1  # or PR diff

3. Launch Parallel Agents

Spawn 4-6 agents simultaneously using Task tool with subagent_type="general-purpose":

  • Each agent reviews independently
  • Each agent outputs issues with confidence scores
  • Agents don't communicate during review

4. Aggregate and Filter

  • Collect all issues from all agents
  • Score each issue independently (use haiku for speed)
  • Filter to issues >= 80 confidence
  • Deduplicate similar findings

5. Format and Report

Review Output Format

With Issues Found

## Code Review

Found N issues (confidence >= 80):

### 1. [Issue Title] (confidence: 92)
**Category**: Security / Bug / CLAUDE.md / Performance
**Location**: [file.ts:42-48](src/file.ts#L42-L48)
**Description**: Clear explanation of the issue
**CLAUDE.md Reference**: "Always validate user input" (if applicable)
**Suggestion**:
```typescript
// Recommended fix

2. [Issue Title] (confidence: 85)

...

Filtered: 12 low-confidence issues omitted


### No Issues Found
```markdown
## Code Review

No high-confidence issues found. Checked for:
- CLAUDE.md compliance
- Obvious bugs in changes
- Security vulnerabilities (OWASP Top 10)
- Performance anti-patterns
- Git history context

**Filtered**: 5 low-confidence issues omitted (likely false positives)

Security Review Checklist

OWASP Top 10 (2021)

  • A01 Broken Access Control: Auth checked on every endpoint
  • A02 Cryptographic Failures: No hardcoded secrets, proper encryption
  • A03 Injection: Parameterized queries, input validation
  • A04 Insecure Design: Threat modeling considered
  • A05 Security Misconfiguration: Safe defaults, no debug in prod
  • A06 Vulnerable Components: Dependencies scanned
  • A07 Auth Failures: Strong session management
  • A08 Data Integrity: Input validation, signed data
  • A09 Logging Failures: Security events logged (no secrets)
  • A10 SSRF: URL validation, allowlists

Quick Security Scan

// RED FLAGS - immediate attention
hardcodedSecret: /password|secret|api.?key|token/i in string literals
sqlInjection: string concatenation in queries
xss: innerHTML, dangerouslySetInnerHTML without sanitization
pathTraversal: user input in file paths
commandInjection: user input in exec/spawn

Performance Review Checklist

  • N+1 Queries: Loops with database calls
  • Memory Leaks: Uncleaned subscriptions, event listeners
  • Unbounded Operations: Missing pagination, limits
  • Synchronous Blocking: Heavy computation on main thread
  • Missing Indexes: Queries on non-indexed columns
  • Connection Exhaustion: Pool limits, timeouts configured

CLAUDE.md Compliance Review

Process

  1. Read all relevant CLAUDE.md files (root + directory-specific)
  2. Extract explicit rules and guidelines
  3. Verify changed code follows each applicable rule
  4. Only flag violations where CLAUDE.md explicitly addresses the pattern

Scoring CLAUDE.md Issues

  • 90-100: Direct violation of explicit rule with quote
  • 80-89: Strong violation, rule clearly applies
  • <80: Implicit or interpretive violation (filter out)

Severity Classification

Severity Criteria Examples
CRITICAL Security vuln, data loss, crash SQL injection, auth bypass
HIGH Breaks functionality, wrong output Logic error, missing validation
MEDIUM Code smell, missing tests, tech debt Duplication, complexity
LOW Style, minor improvement Naming, formatting

Post-Implementation Self-Reflection

When user requests self-reflection after completing work:

# Self-Reflection: [Task/Increment Name]

## What Was Accomplished
[Concise summary of completed work]

## Quality Assessment

### Strengths (confidence >= 80)
- Proper error handling with typed errors
- Comprehensive test coverage (85%)
- Clean separation of concerns

### Issues Identified
| Issue | Severity | Confidence | Location | Recommendation |
|-------|----------|------------|----------|----------------|
| Missing input validation | HIGH | 92 | auth.ts:45 | Add zod schema |
| N+1 query in loop | MEDIUM | 88 | users.ts:78 | Use eager loading |

### Low-Confidence Observations (not actionable)
- Possible over-engineering (confidence: 65) - might be intentional
- Could use more comments (confidence: 45) - subjective

## Recommended Follow-Up
**P1 (Before merge)**: [Critical fixes]
**P2 (Soon)**: [Important improvements]
**P3 (Backlog)**: [Nice to have]

## Lessons Learned
**Patterns to repeat**: [What worked well]
**Patterns to avoid**: [What to improve next time]

## Metrics
- Code Quality: X/10
- Security: X/10
- Test Coverage: X%
- Confidence in assessment: X%

GitHub PR Review Command

When invoked with /code-review or reviewing a PR:

# 1. Check eligibility
gh pr view --json state,isDraft,reviews

# 2. Get diff
gh pr diff

# 3. Get changed files
gh pr view --json files

# 4. Spawn parallel review agents (use Task tool)

# 5. Post review (only if issues >= 80 confidence)
gh pr comment --body "$(cat review.md)"

Link Format for GitHub

Code references must use full SHA and line ranges:

https://github.com/owner/repo/blob/[FULL-SHA]/path/file.ext#L42-L48
  • Use full SHA (not abbreviated)
  • Use #L notation for lines
  • Include 1+ lines of context before/after

Agent Prompts

CLAUDE.md Compliance Agent

Review these changes for CLAUDE.md compliance:
1. Read all CLAUDE.md files in affected directories
2. List explicit rules that apply to the changes
3. For each rule, verify compliance
4. Score each violation 0-100
5. Only report issues that EXPLICITLY match a written rule

Bug Detector Agent

Scan for obvious bugs in CHANGED CODE ONLY:
1. Focus only on added/modified lines
2. Look for: null derefs, off-by-one, logic errors, missing error handling
3. Do NOT flag pre-existing issues
4. Score each finding 0-100 based on certainty
5. Skip anything a linter would catch

Security Scanner Agent

Security audit of changed code:
1. Check OWASP Top 10 categories
2. Scan for: injection, auth bypass, secrets, XSS, CSRF
3. Verify input validation on new endpoints
4. Score each finding 0-100
5. Only flag issues introduced in this change

Git History Agent

Analyze git context:
1. Run git blame on changed files
2. Check related commits and PRs
3. Identify patterns from past changes
4. Flag regressions or repeated issues
5. Score based on historical evidence

SpecWeave Integration

Check Project Learnings

cat .specweave/skill-memories/code-reviewer.md 2>/dev/null || echo "No project learnings"

Integration with Increments

When reviewing increment work:

  • Reference AC-IDs from spec.md
  • Verify task completion criteria
  • Check test coverage requirements

Living Documentation

Patterns and corrections are captured for future reviews.

Quality Bar

"Would this review comment survive scrutiny from a senior Anthropic engineer?"

  • Every flagged issue must be actionable
  • No nitpicks or subjective style preferences
  • Evidence-based with specific locations
  • Clear severity and confidence
  • Constructive, not critical
Weekly Installs
1
Repository
anton-abyzov/specweave
GitHub Stars
82
First Seen
Feb 3, 2026
Installed on
opencode1
codex1
claude-code1