# Code Review

Review code for quality issues, code smells, and pragmatic programming violations.
## Repo Sync Before Edits (mandatory)

Before generating any output files, sync with the remote to avoid conflicts:

```bash
# Rebase the current branch onto its remote counterpart before writing anything
branch="$(git rev-parse --abbrev-ref HEAD)"
git fetch origin
git pull --rebase origin "$branch"
```

If the working tree is dirty, stash first, sync, then pop. If origin is missing or conflicts occur, stop and ask the user before continuing.

Note: This skill generates a report file (CODE_REVIEW.md) but does not modify source code, so a feature branch is not required.
## Review Modes

### Mode 1: PR/Diff Review

```bash
# List the changed files, then show the full diff against the base branch
git diff --name-only <base>..HEAD
git diff <base>..HEAD
```

Focus only on changed lines and their immediate context.

### Mode 2: Full Codebase Audit

Scan all source files, prioritizing:

- Entry points (main, index, app)
- Core business logic
- Frequently modified files, ranked by how often they appear in the last 100 commits:

```bash
git log --format='%H' | head -n 100 | xargs -I{} git diff-tree --no-commit-id --name-only -r {} | sort | uniq -c | sort -rn
```
## Review Checklist

### 1. Code Smells (Critical)

See references/code-smells.md for full catalog.

**Bloaters** - Code that grows too large

- Long Method (>20 lines)
- Large Class (>200 lines)
- Long Parameter List (>3 params)
- Primitive Obsession

**Object-Orientation Abusers**

- Switch Statements (replace with polymorphism)
- Refused Bequest
- Alternative Classes with Different Interfaces

**Change Preventers**

- Divergent Change (one class, many reasons to change)
- Shotgun Surgery (one change, many classes affected)
- Parallel Inheritance Hierarchies

**Dispensables**

- Dead Code
- Duplicate Code
- Lazy Class
- Speculative Generality

**Couplers**

- Feature Envy
- Inappropriate Intimacy
- Message Chains
- Middle Man
### 2. Pragmatic Programmer Principles

**DRY (Don't Repeat Yourself)**

- Duplicated logic or knowledge
- Copy-paste code
- Repeated magic values

**Orthogonality**

- Components that should be independent but aren't
- Changes rippling across unrelated modules

**Reversibility**

- Hard-coded decisions that should be configurable
- Vendor lock-in without abstraction

**Tracer Bullets**

- Is the code testable end-to-end?
- Are there integration points?

**Good Enough Software**

- Over-engineering for unlikely scenarios
- Premature optimization

**Broken Windows**

- Commented-out code
- TODO/FIXME without tickets
- Inconsistent formatting
### 3. Security & Safety

- Input validation
- SQL injection risks
- XSS vulnerabilities
- Hardcoded secrets
- Unsafe deserialization

### 4. Maintainability

- Unclear naming
- Missing or outdated comments
- Complex conditionals
- Deep nesting (>3 levels)
- Missing error handling
## Output Format

Generate CODE_REVIEW.md:

````markdown
# Code Review Report

**Date**: YYYY-MM-DD
**Scope**: [PR #123 | Full Audit]
**Files Reviewed**: N

## Summary

| Severity | Count |
|----------|-------|
| Critical | X |
| Major | X |
| Minor | X |
| Info | X |

## Critical Issues

### [Category]: Issue Title

**File**: `path/to/file.ts:42`
**Smell**: [Code smell name]

Description of the issue.

**Before**:
```language
// problematic code
```

**Suggested Fix**:
```language
// improved code
```

## Major Issues

...

## Minor Issues

...

## Recommendations

- Priority fixes
- Refactoring suggestions
- Architecture improvements
````
## Severity Levels
| Level | Description | Action |
|-------|-------------|--------|
| **Critical** | Security risks, bugs, data loss potential | Must fix before merge |
| **Major** | Code smells, maintainability blockers | Should fix soon |
| **Minor** | Style, minor improvements | Nice to have |
| **Info** | Suggestions, alternatives | Optional |
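Several checklist items above are mechanical thresholds (>3 params, >3 nesting levels, >20-line methods, TODO/FIXME without a ticket, hardcoded secrets) and can be pre-screened before the manual review. This is an added example, not part of the montimage/skills code-review skill: a small Python checker that scans a constructed sample with the `ast` module and tallies findings by the severity levels in the table above; the `review`, `summary` and `nesting_depth` names, the severity assignments and the secret-name pattern are assumptions.

```python
import ast
import re

# Constructed sample (not real code) that violates several checklist items.
SAMPLE = '''
API_KEY = "sk-live-example-not-real"
def load(a, b, c, d):
    # TODO clean this up
    for x in a:
        if b:
            while c:
                if d:
                    pass
'''
# TODO/FIXME is acceptable only with a ticket reference such as #123 or PROJ-42.
UNTRACKED_TODO = re.compile(r"\b(TODO|FIXME)\b(?!.*(#\d+|[A-Z]+-\d+))")
SECRET_NAME = re.compile(r"password|secret|token|api_key", re.I)  # assumed heuristic

def nesting_depth(node, depth=0):
    """Deepest chain of nested block statements under node."""
    blocks = (ast.If, ast.For, ast.While, ast.With, ast.Try)
    best = depth
    for child in ast.iter_child_nodes(node):
        best = max(best, nesting_depth(child, depth + isinstance(child, blocks)))
    return best

def review(source):
    """Return (category, severity, line, message) tuples for one file."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), 1):
        if UNTRACKED_TODO.search(text):
            findings.append(("Broken Windows", "Minor", lineno, "TODO/FIXME without ticket"))
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant) \
                and isinstance(node.value.value, str) \
                and any(SECRET_NAME.search(t.id) for t in node.targets if isinstance(t, ast.Name)):
            findings.append(("Security", "Critical", node.lineno, "Hardcoded secret"))
        if isinstance(node, ast.FunctionDef):
            if node.end_lineno - node.lineno + 1 > 20:
                findings.append(("Bloaters", "Major", node.lineno, "Long Method (>20 lines)"))
            if len(node.args.args) > 3:
                findings.append(("Bloaters", "Major", node.lineno, "Long Parameter List (>3 params)"))
            if nesting_depth(node) > 3:
                findings.append(("Maintainability", "Major", node.lineno, "Deep nesting (>3 levels)"))
    return findings

def summary(findings):
    """Severity counts in the order of the report's Summary table."""
    return {lvl: sum(f[1] == lvl for f in findings) for lvl in ("Critical", "Major", "Minor", "Info")}
```

`summary(review(SAMPLE))` yields the counts for the Summary table; the checker only pre-screens and does not replace reading the code.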
## Resources
- [references/code-smells.md](references/code-smells.md) - Complete catalog of code smells with examples