code-reviewer
Perform thorough code reviews with actionable, prioritized feedback. Use when a user asks to review code, check code quality, find bugs, review a pull request, audit code for issues, or get feedback on implementation. Covers correctness, security, performance, readability, and best practices across languages.
Best use case
code-reviewer is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Perform thorough code reviews with actionable, prioritized feedback. Use when a user asks to review code, check code quality, find bugs, review a pull request, audit code for issues, or get feedback on implementation. Covers correctness, security, performance, readability, and best practices across languages.
Teams using code-reviewer should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/code-reviewer/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How code-reviewer Compares
| Feature / Agent | code-reviewer | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Perform thorough code reviews with actionable, prioritized feedback. Use when a user asks to review code, check code quality, find bugs, review a pull request, audit code for issues, or get feedback on implementation. Covers correctness, security, performance, readability, and best practices across languages.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
SKILL.md Source
# Code Reviewer
## Overview
Perform structured code reviews that identify bugs, security issues, performance problems, and maintainability concerns. Provides prioritized, actionable feedback with specific fix suggestions.
## Instructions
When a user asks you to review code, a file, a diff, or a pull request, follow this process:
### Step 1: Understand the context
Before reviewing, determine:
- What does this code do? (feature, bugfix, refactor)
- What language and framework is it using?
- Are there tests included?
- Is this a full file or a diff/patch?
Read surrounding files if needed to understand the broader codebase context.
### Step 2: Review using this checklist
Evaluate the code against each category in order of severity:
**Correctness (Critical)**
- Logic errors, off-by-one mistakes, wrong conditions
- Unhandled null/undefined/empty cases
- Race conditions or concurrency issues
- Incorrect error handling (swallowed exceptions, wrong error types)
- Missing input validation
**Security (Critical)**
- SQL injection, XSS, command injection
- Hardcoded secrets, API keys, passwords
- Improper authentication/authorization checks
- Unsafe deserialization, path traversal
- Missing rate limiting on public endpoints
**Performance (High)**
- N+1 queries in database loops
- Unnecessary re-renders in UI components
- Missing indexes for frequent queries
- Unbounded memory growth (loading entire datasets)
- Blocking operations on the main thread
**Reliability (High)**
- Missing error handling for external calls (network, file I/O)
- No retry logic for transient failures
- Missing timeouts on HTTP requests
- Resource leaks (unclosed connections, file handles)
**Readability (Medium)**
- Unclear variable or function names
- Functions doing too many things (> 30 lines is a smell)
- Deeply nested conditionals (> 3 levels)
- Missing or misleading comments
- Inconsistent naming conventions
**Testing (Medium)**
- Missing tests for new logic
- Tests that do not assert meaningful behavior
- Missing edge case coverage
- Brittle tests coupled to implementation details
### Step 3: Format the review
Organize findings by severity. For each issue:
```
### [SEVERITY] Category: Brief title
**File:** `path/to/file.ext` line XX-YY
**Issue:** What is wrong and why it matters.
**Suggestion:**
\`\`\`language
// Suggested fix
\`\`\`
```
Severity levels: CRITICAL, HIGH, MEDIUM, LOW
### Step 4: Provide a summary
End with:
- Overall assessment (approve, request changes, or needs discussion)
- Count of issues by severity
- Top 3 things to fix before merging
## Examples
### Example 1: Review a Node.js API endpoint
**User request:** "Review this Express route handler"
**Code submitted:**
```javascript
app.post('/users', async (req, res) => {
const { name, email, role } = req.body;
const user = await db.query(
`INSERT INTO users (name, email, role) VALUES ('${name}', '${email}', '${role}')`
);
res.json(user);
});
```
**Review output:**
```
### CRITICAL Security: SQL Injection vulnerability
**File:** routes/users.js line 2-5
**Issue:** User input is interpolated directly into the SQL query string.
An attacker can inject arbitrary SQL via the name, email, or role fields.
**Suggestion:**
const user = await db.query(
'INSERT INTO users (name, email, role) VALUES ($1, $2, $3)',
[name, email, role]
);
### CRITICAL Security: No input validation
**File:** routes/users.js line 2
**Issue:** Request body fields are used without validation. Missing or
malformed data will cause database errors or store invalid records.
**Suggestion:**
if (!name || !email || !email.includes('@')) {
return res.status(400).json({ error: 'Name and valid email required' });
}
const allowedRoles = ['user', 'admin', 'editor'];
if (!allowedRoles.includes(role)) {
return res.status(400).json({ error: 'Invalid role' });
}
### HIGH Reliability: No error handling
**File:** routes/users.js line 3-5
**Issue:** If the database query fails, the error propagates as an
unhandled promise rejection, crashing the process or returning a 500
with a stack trace.
**Suggestion:**
try {
const user = await db.query(...);
res.status(201).json(user);
} catch (err) {
console.error('Failed to create user:', err);
res.status(500).json({ error: 'Failed to create user' });
}
Summary: REQUEST CHANGES
- Critical: 2, High: 1, Medium: 0
- Fix SQL injection and add input validation before merging
```
### Example 2: Review a React component
**User request:** "Review this component for any issues"
**Code submitted:**
```jsx
function UserList({ users }) {
const [search, setSearch] = useState('');
const filtered = users.filter(u =>
u.name.toLowerCase().includes(search.toLowerCase())
);
return (
<div>
<input onChange={e => setSearch(e.target.value)} />
{filtered.map(user => (
<div>{user.name} - {user.email}</div>
))}
</div>
);
}
```
**Review output:**
```
### MEDIUM Performance: Filtering runs on every render
**Issue:** The filter operation recalculates on every render, even when
unrelated state changes. For large lists this causes jank.
**Suggestion:**
const filtered = useMemo(() =>
users.filter(u =>
u.name.toLowerCase().includes(search.toLowerCase())
), [users, search]);
### MEDIUM Readability: Missing key prop on list items
**Issue:** React requires a unique key prop on list items for efficient
reconciliation. Missing keys cause incorrect re-renders and warnings.
**Suggestion:**
{filtered.map(user => (
<div key={user.id}>{user.name} - {user.email}</div>
))}
### LOW Readability: Missing input label and placeholder
**Issue:** The search input has no label or placeholder, making it
unclear what the input is for and inaccessible to screen readers.
**Suggestion:**
<label htmlFor="user-search">Search users</label>
<input
id="user-search"
placeholder="Search by name..."
onChange={e => setSearch(e.target.value)}
/>
Summary: APPROVE with suggestions
- Critical: 0, High: 0, Medium: 2, Low: 1
- Add key prop and useMemo before merging
```
## Guidelines
- Focus on issues that matter. Do not nitpick formatting if there is a linter configured.
- Always explain WHY something is a problem, not just what to change.
- Provide concrete fix suggestions, not just "this could be improved."
- Acknowledge what the code does well. Reviews should not be exclusively negative.
- When reviewing diffs, focus on changed lines but check context for integration issues.
- For large PRs (500+ lines), start with an architectural overview before line-by-line review.
- If you are unsure about a finding, say so. Do not present uncertain issues as definitive.
- Prioritize: fix all CRITICALs, fix HIGH before merge, MEDIUM/LOW can be follow-up tasks.Related Skills
wxt
Build cross-browser extensions with WXT — the modern framework for Chrome, Firefox, Safari, and Edge extensions. Use when someone asks to "build a browser extension", "Chrome extension with React", "WXT framework", "cross- browser extension", "manifest v3 extension", "build Firefox extension", or "browser extension with TypeScript". Covers content scripts, background workers, popup/options pages, storage, messaging, and publishing.
webapp-testing
Toolkit for interacting with and testing local web applications using Playwright. Supports verifying frontend functionality, debugging UI behavior, capturing browser screenshots, and viewing browser logs.
web-design-guidelines
Review UI code for Web Interface Guidelines compliance. Use when asked to "review my UI", "check accessibility", "audit design", "review UX", or "check my site against best practices".
vitest
Assists with unit and integration testing using Vitest, a Vite-native test runner. Use when writing tests, configuring mocks, setting up coverage, or migrating from Jest. Trigger words: vitest, unit testing, test runner, vi.fn, vi.mock, test coverage, jest replacement.
vite
Assists with configuring and using Vite as a frontend build tool for modern web applications. Use when setting up dev servers, optimizing production builds, configuring plugins, migrating from Webpack or CRA, or building component libraries. Trigger words: vite, build tool, HMR, hot module replacement, vite config, rollup, bundling.
vercel-react-best-practices
React and Next.js performance optimization guidelines from Vercel Engineering. This skill should be used when writing, reviewing, or refactoring React/Next.js code to ensure optimal performance patterns. Triggers on tasks involving React components, Next.js pages, data fetching, bundle optimization, or performance improvements.
vercel-composition-patterns
React composition patterns that scale. Use when refactoring components with boolean prop proliferation, building flexible component libraries, or designing reusable APIs. Triggers on tasks involving compound components, render props, context providers, or component architecture. Includes React 19 API changes.
testing-library
Test UI components the way users interact with them using Testing Library — query by role, text, and label instead of implementation details. Use when someone asks to "test React components", "Testing Library", "user-centric testing", "test accessibility", "test without implementation details", or "render and query components in tests". Covers React Testing Library, queries, user events, async testing, and accessibility assertions.
tailwindcss
Build UIs with Tailwind CSS — utility classes, responsive design, dark mode, custom configuration, component patterns, animations, plugins, and design system setup. Use when tasks involve styling web applications, configuring design tokens, building responsive layouts, or migrating from other CSS approaches.
skill-creator
Create new skills, modify and improve existing skills, and measure skill performance. Use when users want to create a skill from scratch, edit, or optimize an existing skill, run evals to test a skill, benchmark skill performance with variance analysis, or optimize a skill's description for better triggering accuracy.
shadcn-ui
Expert guidance for integrating and building applications with shadcn/ui components, including component discovery, installation, customization, and best practices.
security-audit
Scan code for security vulnerabilities, misconfigurations, and exposed secrets. Use when a user asks to audit security, find vulnerabilities, check for OWASP issues, scan for secrets, review dependencies for CVEs, detect SQL injection, find XSS vulnerabilities, or harden an application. Covers OWASP Top 10, dependency auditing, secrets detection, and generates fix recommendations with severity ratings.