code-review

shareAI-lab's avatarfrom shareAI-lab

Perform thorough code reviews with security, performance, and maintainability analysis. Use when user asks to review code, check for bugs, or audit a codebase.

11.9kstars🔀3.1kforks📁View on GitHub🕐Updated Dec 30, 2025
[Code Review]

When & Why to Use This Skill

This Claude skill automates comprehensive code reviews by analyzing security vulnerabilities, performance bottlenecks, and maintainability issues. It provides structured feedback including critical issue identification, suggested fixes, and adherence to best practices across multiple programming languages like Python, JavaScript, and TypeScript to ensure high-quality software development and robust security standards.

Use Cases

  • 1. Pull Request Auditing: Automatically scan new code changes for security flaws like SQL injection or XSS before merging into production branches.
  • 2. Technical Debt Reduction: Identify complex functions, duplicated code, and naming inconsistencies to improve long-term codebase maintainability and readability.
  • 3. Performance Tuning: Detect inefficient algorithms, N+1 database queries, and memory leaks in existing software components to optimize resource usage.
  • 4. Bug Prevention: Uncover edge cases, race conditions, and improper error handling during the development phase to reduce production incidents and improve reliability.
namecode-review
descriptionPerform thorough code reviews with security, performance, and maintainability analysis. Use when user asks to review code, check for bugs, or audit a codebase.

Code Review Skill

You now have expertise in conducting comprehensive code reviews. Follow this structured approach:

Review Checklist

1. Security (Critical)

Check for:

  • Injection vulnerabilities: SQL, command, XSS, template injection
  • Authentication issues: Hardcoded credentials, weak auth
  • Authorization flaws: Missing access controls, IDOR
  • Data exposure: Sensitive data in logs, error messages
  • Cryptography: Weak algorithms, improper key management
  • Dependencies: Known vulnerabilities (check with npm audit, pip-audit)
# Quick security scans
npm audit                    # Node.js
pip-audit                    # Python
cargo audit                  # Rust
grep -r "password\|secret\|api_key" --include="*.py" --include="*.js"

2. Correctness

Check for:

  • Logic errors: Off-by-one, null handling, edge cases
  • Race conditions: Concurrent access without synchronization
  • Resource leaks: Unclosed files, connections, memory
  • Error handling: Swallowed exceptions, missing error paths
  • Type safety: Implicit conversions, any types

3. Performance

Check for:

  • N+1 queries: Database calls in loops
  • Memory issues: Large allocations, retained references
  • Blocking operations: Sync I/O in async code
  • Inefficient algorithms: O(n^2) when O(n) possible
  • Missing caching: Repeated expensive computations

4. Maintainability

Check for:

  • Naming: Clear, consistent, descriptive
  • Complexity: Functions > 50 lines, deep nesting > 3 levels
  • Duplication: Copy-pasted code blocks
  • Dead code: Unused imports, unreachable branches
  • Comments: Outdated, redundant, or missing where needed

5. Testing

Check for:

  • Coverage: Critical paths tested
  • Edge cases: Null, empty, boundary values
  • Mocking: External dependencies isolated
  • Assertions: Meaningful, specific checks

Review Output Format

## Code Review: [file/component name]

### Summary
[1-2 sentence overview]

### Critical Issues
1. **[Issue]** (line X): [Description]
   - Impact: [What could go wrong]
   - Fix: [Suggested solution]

### Improvements
1. **[Suggestion]** (line X): [Description]

### Positive Notes
- [What was done well]

### Verdict
[ ] Ready to merge
[ ] Needs minor changes
[ ] Needs major revision

Common Patterns to Flag

Python

# Bad: SQL injection
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
# Good:
cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))

# Bad: Command injection
os.system(f"ls {user_input}")
# Good:
subprocess.run(["ls", user_input], check=True)

# Bad: Mutable default argument
def append(item, lst=[]):  # Bug: shared mutable default
# Good:
def append(item, lst=None):
    lst = lst or []

JavaScript/TypeScript

// Bad: Prototype pollution
Object.assign(target, userInput)
// Good:
Object.assign(target, sanitize(userInput))

// Bad: eval usage
eval(userCode)
// Good: Never use eval with user input

// Bad: Callback hell
getData(x => process(x, y => save(y, z => done(z))))
// Good:
const data = await getData();
const processed = await process(data);
await save(processed);

Review Commands

# Show recent changes
git diff HEAD~5 --stat
git log --oneline -10

# Find potential issues
grep -rn "TODO\|FIXME\|HACK\|XXX" .
grep -rn "password\|secret\|token" . --include="*.py"

# Check complexity (Python)
pip install radon && radon cc . -a

# Check dependencies
npm outdated  # Node
pip list --outdated  # Python

Review Workflow

  1. Understand context: Read PR description, linked issues
  2. Run the code: Build, test, run locally if possible
  3. Read top-down: Start with main entry points
  4. Check tests: Are changes tested? Do tests pass?
  5. Security scan: Run automated tools
  6. Manual review: Use checklist above
  7. Write feedback: Be specific, suggest fixes, be kind