review-all
Use when about to push, open a PR, or asking for a thorough pre-ship review — covers code quality, security, performance, accessibility, docs, and best practices in one pass.
Best use case
review-all is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use when about to push, open a PR, or asking for a thorough pre-ship review — covers code quality, security, performance, accessibility, docs, and best practices in one pass.
Teams using review-all should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/review-all/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How review-all Compares
| Feature / Agent | review-all | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when about to push, open a PR, or asking for a thorough pre-ship review — covers code quality, security, performance, accessibility, docs, and best practices in one pass.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
SKILL.md Source
# Full Review — Pre-Push Quality Gate
## Objective
Find bugs, security holes, performance issues, and quality problems in changed code. Every issue has a file:line reference and a recommended fix. Runs inline — leverages session context (what you've been editing, why, what trade-offs were discussed).
**Success looks like:** A clear READY/NEEDS FIXES/BLOCKED verdict with actionable items.
> Findings (own and delegated) use the shared format: `forgebee/skills/_review-finding-contract.md`. As the aggregator, sum the per-skill footer counts into one combined footer so `/audit-self` can parse the whole pass.
## Karpathy Principle (P2 — Senior Engineer Test)
Before issuing a `READY` verdict, ask explicitly: **would a senior engineer call this overcomplicated?** If yes, the verdict is `NEEDS FIXES` — list the simplification as a `High` issue. Do not pass overcomplicated code on the grounds that it "works."
## Never
- Never flag issues in unchanged code — only review the diff
- Never skip a review section because the change "looks small"
- Never give READY verdict if any Critical issue is open
- Never nitpick stylistic preferences — focus on substance
## Calibration
Only flag issues that actually matter. Use this severity guide:
| Severity | Blocks push? | Examples |
|----------|-------------|----------|
| **Critical** | YES — must fix | SQL injection, secret exposure, data loss, broken auth |
| **High** | YES — must fix | Missing error handling on external calls, N+1 queries, XSS |
| **Medium** | No — recommend fix | DRY violations, missing edge cases, unclear naming |
| **Low** | No — informational | Missing docblocks, minor style issues, optional optimizations |
Only Critical and High block the push. Medium and Low are recommendations — mention them briefly, don't belabor them. If the diff is clean on Critical/High, say READY even if there are Medium/Low items.
**Anti-patterns to avoid:**
- Flagging pre-existing issues in unchanged code
- Suggesting refactors unrelated to the change
- Reporting style issues as High severity
- Reviewing more than 3 iterations on the same diff
## Engineering Preferences
- DRY is important — flag repetition aggressively (but as Medium, not Critical)
- Code should be "engineered enough" — not fragile, not over-abstracted
- Handle edge cases — err on the side of more, not fewer
- Explicit over clever — readability wins
## Before Starting
1. Check session context — what files have been discussed? What was the goal?
2. Run `git diff HEAD` to see all uncommitted changes. If none, run `git diff HEAD~1` for the last commit.
3. Run `git log --oneline -5` for context.
4. Only report issues on **changed code**.
## Review Sections
Work through each section systematically.
### 1. CODE QUALITY
- Code organization and module structure
- DRY violations
- Error handling patterns and missing edge cases
- Areas that are over-engineered or under-engineered
- Naming and readability
### 2. PERFORMANCE
- N+1 queries and database access patterns
- Missing caching opportunities
- Memory concerns and expensive loops
- Slow or high-complexity code paths
### 3. SECURITY
- Injection vulnerabilities (SQL, XSS, command)
- Unescaped output, missing sanitization
- Hardcoded secrets, broken auth
- CSRF, access control issues
- Framework-specific sanitization and escaping
### 4. ACCESSIBILITY (if UI changes)
- Missing alt text, ARIA labels
- Keyboard navigation, focus management
- Color contrast, semantic HTML
- WCAG 2.1 AA compliance
### 5. DOCUMENTATION (brief — don't over-flag)
- Missing/outdated docblocks on public APIs
- Undocumented complex logic
### 6. BEST PRACTICES
- SOLID principles violations that affect maintainability
- Coding standards for the project's language/framework
- File organization, separation of concerns
## For Large Diffs (>500 lines changed)
Delegate to specialized review skills with `context:fork` for parallel deep review.
Map the change type to the skill so high-blast-radius areas (schema, public API, untested code) always get a deep pass — mirror checkpoint-preview's `[schema]` / `[public API]` hot-spot tags:
| Change includes… | Delegate to |
|---|---|
| auth, sessions, secrets, user-data handling | `review-security` |
| DB-heavy code, hot loops, render paths | `review-performance` |
| SQL migrations, schema changes, RLS/policies, ORM access | `review-database` |
| new/changed route handlers, REST/GraphQL endpoints, API contracts | `review-api` |
| new code paths or changed test files (or new code with no tests) | `review-tests` |
| UI components, markup, interaction | `review-accessibility` |
| WordPress plugin/theme files | `review-wordpress` |
| prompts, tool definitions, LLM calls, model output handling | `review-prompt` |
Synthesize their findings into your final report.
## For Each Issue Found
1. Describe the problem concretely, with **file and line references**
2. Present **2-3 options**, including "do nothing" where reasonable
3. Give your **recommended option and why**
4. Assign severity (Critical/High/Medium/Low)
## Example (Critical vs Low)
```
[Critical] Auth check missing on a state-changing route
File: src/routes/admin.ts:14
Issue: `POST /admin/users/:id/role` updates roles with no session/permission check — any caller can grant themselves admin.
Fix: Require an authenticated session and `requireRole('admin')` before the handler runs.
[Low] Console.log left in shipped code path
File: src/lib/cart.ts:27
Issue: `console.log(cart)` in the add-to-cart path leaks state to the browser console.
Fix: Remove it or route through the project logger gated to dev.
```
## Final Summary
```markdown
## Review: [Target]
### Verdict: READY | NEEDS FIXES | BLOCKED
**Quality score:** <0-100> (per `_review-finding-contract.md` — same scale as the footer below)
### Blocking Issues (Critical + High)
| # | Issue | File:Line | Severity | Fix |
|---|-------|-----------|----------|-----|
### Recommendations (Medium + Low)
| # | Issue | File:Line | Severity | Suggestion |
|---|-------|-----------|----------|------------|
### Positive Notes
[What's done well — always include at least 2]
```
End with the combined machine-parseable footer from the shared contract (counts summed across all sections and any delegated review skills):
```
SCORE: <0-100> | {critical:N, high:N, medium:N, low:N} | verdict: <pass|block>
```
`READY` maps to `verdict: pass`; `NEEDS FIXES`/`BLOCKED` map to `verdict: block`.
## Communication
When working on a team, report:
- Push readiness verdict
- Critical blockers (if any)
- Issue count by category and severityRelated Skills
review-wordpress
Use when reviewing WordPress plugin or theme code for WP coding standards (WPCS), security (nonces, sanitization, escaping), hook naming, text domains, or plugin architecture.
review-tests
Use when reviewing test suites for coverage gaps, brittle mocks, missing edge cases, or untested code paths — runs after new code or before merging.
review-security
Use when auditing code for OWASP Top 10 vulnerabilities, injection flaws, broken auth, secret exposure, or dependency CVEs — typically before shipping or after auth/data-handling changes.
review-prompt
Use when reviewing code that builds LLM features — prompt construction, tool/function definitions, model-output handling, RAG context, or agent loops. Treats model output and untrusted content reaching a prompt as a trust boundary.
review-performance
Use when investigating slowness or reviewing code for N+1 queries, memory leaks, expensive loops, missing caching, bundle bloat, or render bottlenecks.
review-docs
Use when reviewing code for missing docblocks, outdated comments, undocumented parameters, unexplained complex logic, or stale README sections.
review-database
Use when reviewing SQL migrations, queries, RLS/policy changes, schema modifications, or ORM access patterns for safety, performance, or correctness.
review-code
Use when reviewing staged or recent code changes for logic errors, DRY violations, error handling gaps, type safety issues, or dead code — narrower than review-all.
review-code-style
Use when checking adherence to project conventions — import order, naming standards, TypeScript patterns, React idioms, file organization. Not formatting (use a linter).
review-best-practices
Use when reviewing code for SOLID violations, design pattern misuse, leaky abstractions, separation of concerns, or architecture-level smells.
review-api
Use when reviewing route handlers, REST/GraphQL endpoints, or API contracts — covers design, input validation, error shapes, auth, rate limiting, and REST consistency.
review-accessibility
Use when auditing UI changes for WCAG 2.1 AA compliance — keyboard nav, ARIA, color contrast, focus management, screen reader support, semantic HTML.