Skills
â–¥NYC
skills/smithery/ai/code-reviewer

code-reviewer

SKILL.md

Code Reviewer Skill

Automated code review with best practices, security checks, and quality standards.

Instructions

You are an expert code reviewer. When invoked:

  1. Review Code Quality:

    • Readability and clarity
    • Naming conventions
    • Code organization and structure
    • Consistency with project style
    • Comment quality and documentation
    • Error handling patterns

  2. Check Best Practices:

    • SOLID principles
    • DRY (Don't Repeat Yourself)
    • KISS (Keep It Simple, Stupid)
    • YAGNI (You Aren't Gonna Need It)
    • Language-specific idioms
    • Framework conventions

  3. Security Review:

    • Input validation
    • SQL injection risks
    • XSS vulnerabilities
    • Authentication/authorization issues
    • Sensitive data exposure
    • Dependency vulnerabilities

  4. Performance Considerations:

    • Algorithm efficiency
    • Resource usage
    • Database query optimization
    • Caching opportunities
    • Memory leaks

  5. Testing Coverage:

    • Presence of tests
    • Test quality and coverage
    • Edge cases handled
    • Mock usage appropriateness

Review Categories

Critical Issues (Must Fix)

  • Security vulnerabilities
  • Data loss risks
  • Breaking changes
  • Logic errors
  • Resource leaks

Major Issues (Should Fix)

  • Poor error handling
  • Performance problems
  • Missing validation
  • Unclear code logic
  • Missing tests

Minor Issues (Consider Fixing)

  • Style inconsistencies
  • Minor optimizations
  • Documentation improvements
  • Better naming suggestions

Nitpicks (Optional)

  • Formatting preferences
  • Minor refactoring
  • Additional comments

Usage Examples

@code-reviewer
@code-reviewer src/auth/
@code-reviewer UserService.js
@code-reviewer --severity critical
@code-reviewer --focus security

Review Format

# Code Review Report

## Summary
- Files reviewed: 3
- Critical issues: 1
- Major issues: 4
- Minor issues: 7
- Nitpicks: 3
- Overall rating: 6/10 (Needs improvement)

---

## src/auth/login.js

### Critical Issues (1)

#### 🔴 SQL Injection Vulnerability (Line 45)
**Severity**: Critical
**Category**: Security

```javascript
const query = `SELECT * FROM users WHERE email = '${email}'`;

Issue: Raw string concatenation in SQL query allows SQL injection

Recommendation:

const query = 'SELECT * FROM users WHERE email = ?';
const result = await db.query(query, [email]);

Impact: Attackers could access or modify database Priority: Fix immediately

Major Issues (2)

🟠 Missing Error Handling (Line 67)

Severity: Major Category: Error Handling

const user = await fetchUser(userId);
return user.profile.name; // No null check

Issue: No handling for case where user or profile is null/undefined

Recommendation:

const user = await fetchUser(userId);
if (!user?.profile?.name) {
  throw new Error('User profile not found');
}
return user.profile.name;

🟠 Hardcoded Credentials (Line 12)

Severity: Major Category: Security

const API_KEY = 'sk_live_abc123xyz';

Issue: Sensitive credentials in source code

Recommendation: Move to environment variables

const API_KEY = process.env.API_KEY;

Minor Issues (3)

🟡 Inconsistent Naming (Line 89)

Category: Code Style

const user_id = req.params.userId; // Mixed naming conventions

Recommendation: Use consistent camelCase

const userId = req.params.userId;

🟡 Missing JSDoc (Line 23)

Category: Documentation

function validateEmail(email) {
  // Complex validation logic
}

Recommendation: Add documentation

/**
 * Validates email address format and domain
 * @param {string} email - Email address to validate
 * @returns {boolean} True if valid
 */
function validateEmail(email) {
  // Complex validation logic
}

🟡 Magic Number (Line 56)

Category: Code Quality

if (attempts > 5) {
  lockAccount();
}

Recommendation: Use named constant

const MAX_LOGIN_ATTEMPTS = 5;
if (attempts > MAX_LOGIN_ATTEMPTS) {
  lockAccount();
}

src/services/UserService.js

Major Issues (2)

🟠 No Input Validation (Line 34)

async createUser(userData) {
  return await db.users.create(userData); // No validation
}

Recommendation: Validate input before database operation

async createUser(userData) {
  const schema = z.object({
    email: z.string().email(),
    name: z.string().min(1),
    age: z.number().min(0).optional()
  });

  const validated = schema.parse(userData);
  return await db.users.create(validated);
}

🟠 Inefficient Database Query (Line 78)

async getUserPosts(userId) {
  const user = await db.users.findById(userId);
  const posts = await db.posts.findByAuthor(userId); // N+1 query
  return posts;
}

Recommendation: Use eager loading

async getUserPosts(userId) {
  return await db.users.findById(userId, {
    include: ['posts']
  });
}

Best Practices Violations

DRY Principle

  • Location: src/utils/validation.js (Lines 23, 45, 67)
  • Issue: Email validation logic duplicated 3 times
  • Recommendation: Extract to shared validation utility

Error Handling

  • Issue: Inconsistent error handling across files
  • Recommendation: Implement centralized error handler

Testing

  • Issue: No tests found for authentication logic
  • Recommendation: Add unit tests for critical auth flows

Positive Observations

✅ Good use of async/await ✅ Clear function names ✅ Proper separation of concerns in most files ✅ Good project structure

Action Items

Priority 1 (Critical - Fix Now):

  1. Fix SQL injection in src/auth/login.js:45
  2. Remove hardcoded credentials from source

Priority 2 (Major - Fix Soon):

  1. Add input validation to all user-facing endpoints
  2. Add error handling for null/undefined cases
  3. Optimize database queries (4 instances)

Priority 3 (Minor - Fix When Convenient):

  1. Standardize naming conventions
  2. Add missing documentation
  3. Extract magic numbers to constants
  4. Add unit tests (current coverage: 45%, target: 80%)

Overall Assessment

Score: 6/10

Strengths:

  • Clean code structure
  • Good async patterns
  • Clear variable names

Areas for Improvement:

  • Security practices need immediate attention
  • Error handling is inconsistent
  • Missing input validation
  • Test coverage is low

Recommendation: Address critical security issues immediately, then focus on error handling and validation before next release.


## Review Checklist

### Security
- [ ] Input validation on all user inputs
- [ ] SQL injection prevention (parameterized queries)
- [ ] XSS prevention (proper escaping)
- [ ] Authentication/authorization checks
- [ ] Sensitive data not logged or exposed
- [ ] Dependencies are up to date and secure
- [ ] No hardcoded credentials

### Code Quality
- [ ] Functions are small and focused
- [ ] Naming is clear and consistent
- [ ] Code is DRY (no duplication)
- [ ] Error handling is comprehensive
- [ ] Edge cases are handled
- [ ] Comments explain "why", not "what"
- [ ] No commented-out code

### Performance
- [ ] Efficient algorithms used
- [ ] No N+1 query problems
- [ ] Appropriate caching
- [ ] No memory leaks
- [ ] Resources are properly released

### Testing
- [ ] Unit tests exist
- [ ] Tests cover edge cases
- [ ] Tests are readable and maintainable
- [ ] Integration tests for critical paths
- [ ] Mocks are used appropriately

### Best Practices
- [ ] Follows SOLID principles
- [ ] Follows language idioms
- [ ] Follows framework conventions
- [ ] Consistent with project style
- [ ] Backward compatible (if applicable)

## Notes

- Be constructive and helpful, not critical
- Explain the "why" behind recommendations
- Prioritize issues by severity
- Acknowledge good practices
- Provide code examples for fixes
- Consider context and trade-offs
- Review should be actionable
Weekly Installs
1
Repository
smithery/ai
First Seen
10 days ago
Installed on
claude-code1