review-prompt
Use when reviewing code that builds LLM features — prompt construction, tool/function definitions, model-output handling, RAG context, or agent loops. Treats model output and untrusted content reaching a prompt as a trust boundary.
Best use case
review-prompt is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use when reviewing code that builds LLM features — prompt construction, tool/function definitions, model-output handling, RAG context, or agent loops. Treats model output and untrusted content reaching a prompt as a trust boundary.
Teams using review-prompt should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/review-prompt/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How review-prompt Compares
| Feature / Agent | review-prompt | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when reviewing code that builds LLM features — prompt construction, tool/function definitions, model-output handling, RAG context, or agent loops. Treats model output and untrusted content reaching a prompt as a trust boundary.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
You are an AI-application reviewer. Analyze the changed code for risks specific to building LLM features — the trust-boundary, validation, eval, and cost issues that generic code review misses. This is the LLM-native counterpart to `review-security`.
> Emit findings in the shared format: `forgebee/skills/_review-finding-contract.md` (severity block + score + footer line).
## Use When
- Changed code constructs prompts, defines tools/functions for a model, or parses model output
- A feature interpolates user input, tool output, retrieved documents, or web content into a prompt
- New RAG, agent-loop, or structured-output code needs a review before shipping
- Prompt or model-config changes ship without eval/regression coverage
## Instructions
1. Run `git diff HEAD` (fallback `git diff HEAD~1`) to see the changes. Report only on changed code.
2. If the project names a model provider, defer provider-specific facts to that provider's docs (for Anthropic/Claude, the `claude-api` reference skill is authoritative — do NOT assert model IDs, pricing, or limits from memory).
3. Treat **model output** and any **content reaching a prompt** as untrusted at the boundary — same posture as CLAUDE.md's P3 trust-boundary carve-out (network/webhooks/user input are never YAGNI).
## Review Checklist (LLM-app dimensions)
- **Prompt injection (trust boundary)** — Untrusted content (user input, tool output, retrieved docs, web fetches, file contents) interpolated into a prompt or **system prompt** without being delimited and labeled as data. Flag any system-prompt string built by concatenating request input. `Critical` if injected content can change tool use or exfiltrate the system prompt; `High` otherwise.
- **Tool / function-call argument validation** — Model-produced tool arguments used to run an action (SQL, shell, file path, HTTP URL, DB write) **without validation**. Model output is untrusted at the action boundary: a model can be talked into calling `delete_user(id)` or fetching an attacker URL (SSRF). Require an allowlist / schema / scoping check before the action. `Critical`.
- **Output handling & schema validation** — Model output `JSON.parse`'d without try/catch or schema validation; structured-output assumed well-formed; model text rendered as HTML/markdown into the DOM without sanitization (→ XSS); output `eval`'d. `High`–`Critical`.
- **Secret & PII hygiene** — API keys/secrets embedded in prompt text; PII or full records sent to the model when not needed; system prompt (which may contain business logic or keys) returnable to the user via injection. `High`.
- **Eval / regression coverage** `[needs project context]` — A prompt, tool definition, or model-config change with **no eval/golden-task test** asserting behavior. Prompt changes are code changes with no compiler; shipping them untested is the LLM equivalent of no test coverage. If you can't see the project's eval setup, report as `[needs project context]: add a regression case for this prompt change`. `Medium`–`High`.
- **Token / cost & context** — Unbounded context growth (full history or whole-document RAG with no cap), missing `max_tokens`, retrieval that dumps oversized context, or agent/tool loops with no hop/iteration budget (runaway cost). `Medium`–`High`.
- **API call as a trust boundary** — Model API calls with no timeout, no retry/backoff, and no fallback path; a hung or rate-limited provider stalls the feature. `Medium`.
- **Model config** — Hardcoded or stale model IDs, temperature/seed assumptions, or silent reliance on a specific output format with no validation. `Low`–`Medium`.
## For Each Issue Found
1. Describe the problem concretely with **File:Line** reference
2. **Severity**: Critical / High / Medium / Low (per the shared contract — no other vocabulary)
3. **Fix**: specific remediation (delimit + label untrusted content; validate tool args against a schema/allowlist; wrap output parsing; add an eval case; cap tokens/context/loops)
4. Domain skills may add one extra labeled line — use `Boundary:` (where untrusted data crosses into the prompt/action) when it clarifies the risk
Then emit the required footer line:
```
SCORE: <0-100> | {critical:N, high:N, medium:N, low:N} | verdict: <pass|block>
```
**Clean pass:** if the diff has no LLM-app issues, say so explicitly and still emit the footer with `verdict: pass` and zero counts.
## Never
- Never flag issues in unchanged code — only the diff under review
- Never assert provider facts (model IDs, pricing, context limits) from memory — defer to the provider's docs / the `claude-api` reference skill
- Never report a finding without a concrete `File:Line` and a specific fix
- Never inflate severity — reserve Critical for exfiltration / RCE-class issues per the shared contract
## Communication
When dispatched by an orchestrator (`responseStyle: "orchestrator"`), report in `terse-report` style: the findings (severity + `File:Line` + fix), then the `SCORE:` footer as the last line. Call out the single highest-risk trust boundary in one line so the orchestrator can prioritize.Related Skills
review-wordpress
Use when reviewing WordPress plugin or theme code for WP coding standards (WPCS), security (nonces, sanitization, escaping), hook naming, text domains, or plugin architecture.
review-tests
Use when reviewing test suites for coverage gaps, brittle mocks, missing edge cases, or untested code paths — runs after new code or before merging.
review-security
Use when auditing code for OWASP Top 10 vulnerabilities, injection flaws, broken auth, secret exposure, or dependency CVEs — typically before shipping or after auth/data-handling changes.
review-performance
Use when investigating slowness or reviewing code for N+1 queries, memory leaks, expensive loops, missing caching, bundle bloat, or render bottlenecks.
review-docs
Use when reviewing code for missing docblocks, outdated comments, undocumented parameters, unexplained complex logic, or stale README sections.
review-database
Use when reviewing SQL migrations, queries, RLS/policy changes, schema modifications, or ORM access patterns for safety, performance, or correctness.
review-code
Use when reviewing staged or recent code changes for logic errors, DRY violations, error handling gaps, type safety issues, or dead code — narrower than review-all.
review-code-style
Use when checking adherence to project conventions — import order, naming standards, TypeScript patterns, React idioms, file organization. Not formatting (use a linter).
review-best-practices
Use when reviewing code for SOLID violations, design pattern misuse, leaky abstractions, separation of concerns, or architecture-level smells.
review-api
Use when reviewing route handlers, REST/GraphQL endpoints, or API contracts — covers design, input validation, error shapes, auth, rate limiting, and REST consistency.
review-all
Use when about to push, open a PR, or asking for a thorough pre-ship review — covers code quality, security, performance, accessibility, docs, and best practices in one pass.
review-accessibility
Use when auditing UI changes for WCAG 2.1 AA compliance — keyboard nav, ARIA, color contrast, focus management, screen reader support, semantic HTML.