code-review

Review code changes between commits for security, logic, performance, and style issues

9 stars

Best use case

code-review is best used when you need a repeatable AI agent workflow instead of a one-off prompt: it reviews the changes between two commits for security, logic, performance, and style issues and reports them in a fixed format with an overall verdict.

Teams using code-review should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/code-review/SKILL.md --create-dirs "https://raw.githubusercontent.com/jpoutrin/product-forge/main/plugins/git-workflow/skills/code-review/SKILL.md"

This installs the skill user-wide under ~/.claude/skills/. The URL follows the main branch, so read the downloaded file before your agent loads it, and put a commit SHA in place of main in the URL if you want the install to be reproducible.

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/code-review/SKILL.md inside your project (project-local, as opposed to the user-wide path above)
  3. Restart your AI agent — it will auto-discover the skill

How code-review Compares

  Feature                  | code-review     | Standard Approach
  -------------------------|-----------------|------------------
  Platform Support         | Not specified   | Limited / Varies
  Context Awareness        | High            | Baseline
  Installation Complexity  | Unknown         | N/A

Frequently Asked Questions

What does this skill do?

It reviews the code changes between two commits (a single commit, a --from/--to range, or by default the current branch since its merge-base with main) for security, logic, performance, and style issues, and ends with an overall verdict of NEEDS_CHANGES, APPROVED_WITH_COMMENTS, or APPROVED.

Where can I find the source code?

In the jpoutrin/product-forge repository on GitHub, at plugins/git-workflow/skills/code-review/SKILL.md (the path used by the curl command in the Installation section).

SKILL.md Source

# code-review

**Category**: Development

## Usage

```bash
/code-review [<commit>] [--from <commit>] [--to <commit>]
```

## Arguments

| Argument | Default | Description |
|----------|---------|-------------|
| `<commit>` | - | Single commit to review |
| `--from` | merge-base with main | Starting commit reference |
| `--to` | HEAD | Ending commit reference |

## Examples

```bash
# Review all changes in current branch (from merge-base to HEAD)
/code-review

# Review a specific commit
/code-review abc1234

# Review a range of commits
/code-review --from abc1234 --to def5678

# Review changes since a specific commit
/code-review --from HEAD~5

# Review changes up to a specific commit
/code-review --to feature-branch
```

## Execution Method

This command delegates to the `code-review-expert` agent (Haiku model) for fast, cost-effective execution.

**Delegation**: Use the Task tool with:
- `subagent_type`: `"git-workflow:code-review-expert"`
- `model`: `"haiku"`
- `prompt`: Include the commit range and current working directory

Example:
```
Task(subagent_type="git-workflow:code-review-expert", model="haiku", prompt="Review changes from abc1234 to HEAD in /path/to/repo")
```

---

## Execution Instructions for Claude Code

When this command is run, Claude Code should:

### 1. Parse Arguments

```
SINGLE_COMMIT = first positional argument (if provided)
FROM = --from value or merge-base with main/master
TO = --to value or HEAD
```

If a single commit is provided:
- Review just that commit: `FROM = <commit>^`, `TO = <commit>` (`^` is the first parent, so a merge commit is reviewed against its first-parent side; a root commit has no parent and fails the validation below)

If no arguments:
- FROM = merge-base with main (or master)
- TO = HEAD

### 2. Validate Commit References

```bash
# Verify both references resolve to commits; ^{commit} also peels annotated
# tags, and --quiet drops git's own error so the skill's message is shown
git rev-parse --verify --quiet "$FROM^{commit}" >/dev/null || echo "Invalid commit reference: $FROM" >&2
git rev-parse --verify --quiet "$TO^{commit}" >/dev/null || echo "Invalid commit reference: $TO" >&2
```

If invalid, show error with suggestions.

### 3. Gather Change Information

```bash
# Get overview (file count and +/- line totals for the report header)
git diff --stat "$FROM..$TO" --

# Get commit history
git log --oneline "$FROM..$TO" --

# Get full diff for analysis; the quotes and the trailing -- keep a ref
# value from being read as an option or a path
git diff "$FROM..$TO" --
```
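Steps 1 to 3 above, written out as POSIX shell functions. This is an added example and not code from the skill or the product-forge repository; the function names (parse_review_args, resolve_range, gather_changes, invalid_ref, verify_commit) and the rule that rejects ref values starting with "-" are its own choices. The refs come straight from the command line, so the functions refuse option-looking values, quote every ref, end each git argument list with "--", and hand the analysis step full object ids instead of the raw strings.

```shell
#!/bin/sh
# Added example (not the skill's own code): steps 1-3 as shell functions.
# Function names and the leading-dash check are this example's assumptions.

# parse_review_args [<commit>] [--from <ref>] [--to <ref>]
# Sets REVIEW_FROM and REVIEW_TO. An empty REVIEW_FROM means "merge-base
# with main/master", which resolve_range fills in once a repo is at hand.
# Values starting with "-" are rejected: a ref can never start with "-", and
# letting one through would hand git an argument it parses as an option.
parse_review_args() {
    REVIEW_FROM=""
    REVIEW_TO="HEAD"
    single=""
    explicit=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --from|--to)
                [ $# -ge 2 ] || { echo "$1 needs a value" >&2; return 2; }
                case "$2" in -*|"") echo "bad ref: $2" >&2; return 2 ;; esac
                if [ "$1" = --from ]; then REVIEW_FROM="$2"; else REVIEW_TO="$2"; fi
                explicit=1
                shift 2 ;;
            -*)
                echo "unknown option: $1" >&2; return 2 ;;
            *)
                [ -z "$single" ] || { echo "only one commit allowed" >&2; return 2; }
                single="$1"; shift ;;
        esac
    done
    if [ -n "$single" ]; then
        [ -z "$explicit" ] || { echo "<commit> and --from/--to are exclusive" >&2; return 2; }
        REVIEW_FROM="${single}^"   # first parent; a root commit has none and fails below
        REVIEW_TO="$single"
    fi
}

# verify_commit <ref>: true if <ref> names a commit in this repo
# (^{commit} peels annotated tags; --quiet silences git's own error text).
verify_commit() {
    git rev-parse --verify --quiet "$1^{commit}" >/dev/null
}

# invalid_ref <ref>: the skill's "Invalid commit reference" message.
invalid_ref() {
    printf 'Invalid commit reference\n  Could not find commit: %s\n  Try: git log --oneline -20\n' "$1" >&2
}

# resolve_range: validate both ends, fill in the merge-base default, and
# print "FROM_ID TO_ID" as full object ids. Error text follows the skill's
# Error Handling section. Returns non-zero on any failure.
resolve_range() {
    if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        printf 'Not a git repository\n  Navigate to a git repository first.\n' >&2
        return 1
    fi
    verify_commit "$REVIEW_TO" || { invalid_ref "$REVIEW_TO"; return 1; }
    if [ -z "$REVIEW_FROM" ]; then
        for b in main master; do
            if verify_commit "$b"; then
                REVIEW_FROM=$(git merge-base "$b" "$REVIEW_TO") || return 1
                break
            fi
        done
        [ -n "$REVIEW_FROM" ] || { echo "No main or master branch; pass --from explicitly" >&2; return 1; }
    fi
    verify_commit "$REVIEW_FROM" || { invalid_ref "$REVIEW_FROM"; return 1; }
    from_id=$(git rev-parse --verify --quiet "$REVIEW_FROM^{commit}")
    to_id=$(git rev-parse --verify --quiet "$REVIEW_TO^{commit}")
    if [ "$from_id" = "$to_id" ]; then
        printf 'No changes to review\n  The commits %s and %s are identical.\n' "$REVIEW_FROM" "$REVIEW_TO" >&2
        return 1
    fi
    echo "$from_id $to_id"
}

# gather_changes <from_id> <to_id>: the three views the analysis step reads.
# The trailing "--" ends git's argument list, so nothing is taken as a path.
gather_changes() {
    echo "== overview";  git diff --stat "$1..$2" --
    echo "== commits";   git log --oneline "$1..$2" --
    echo "== diff";      git diff "$1..$2" --
}

# Usage from a script, mirroring /code-review's argument forms:
#   parse_review_args "$@" && range=$(resolve_range) \
#       && gather_changes "${range% *}" "${range#* }"
```

resolve_range validates --to before computing the merge-base, so the only strings ever passed to `git merge-base` have already been checked, and everything after it works on object ids that cannot collide with an option or a path.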

### 4. Analyze Changes

Review each file's changes for:

**Critical Issues (must fix)**
- Security vulnerabilities (injection, XSS, auth bypass)
- Hardcoded secrets or credentials
- Data exposure risks

**High Priority (should fix)**
- Logic bugs and incorrect behavior
- Missing error handling
- Null reference issues
- Race conditions

**Medium Priority (consider fixing)**
- Performance issues (N+1 queries, inefficient loops)
- Code smells and maintainability issues
- Missing input validation

**Low Priority (optional)**
- Style inconsistencies
- Minor code improvements
- Documentation gaps

**Test Coverage**
- New code without corresponding tests
- Changed behavior without updated tests

### 5. Present Findings

Format output as:

```
Code Review: <from>..<to>
=========================

Files Changed: N (+X, -Y)
Commits: M

## Critical Issues
- [SECURITY] path/file.py:42 - SQL injection via unsanitized input

## High Priority
- [LOGIC] path/file.py:78 - Missing null check on user.profile

## Medium Priority
- [PERFORMANCE] path/file.py:120 - Queries in loop, consider batch fetch

## Low Priority
- [STYLE] path/file.py:15 - Inconsistent naming: userID vs user_id

## Test Coverage
- Missing tests for: new_feature() in path/file.py

## Suggestions
- Consider adding retry logic for external API calls

---
Overall: NEEDS_CHANGES | APPROVED_WITH_COMMENTS | APPROVED
```

### 6. Overall Assessment

- **NEEDS_CHANGES**: any critical issue, or more than one high-priority issue
- **APPROVED_WITH_COMMENTS**: at most one high-priority issue, or only medium/low issues; suggestions provided
- **APPROVED**: no significant issues found
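A mechanical version of one step-4 item, the hardcoded-secrets check, reported in the step-5 line format and scored with the step-6 rule. This is an added example and not code from the skill or the product-forge repository; the function names, the credential patterns, the constructed diff, and the mapping of a lone high-priority issue to APPROVED_WITH_COMMENTS are its assumptions. It walks the unified diff hunk by hunk so that each finding carries the new-file line number, which is what makes a `path/file.py:42` reference in the report trustworthy; pattern-matching the raw diff text without tracking hunk offsets reports the wrong line.

```shell
#!/bin/sh
# Added example, not part of the skill: a mechanical pass for one step-4 item
# (hardcoded secrets or credentials) that reports in the step-5 line format
# and applies the step-6 verdict rule. The function names, the patterns and
# the sample diff are this example's own assumptions.

# Constructed unified diff (not from any real repository). Two added lines in
# config.py and one in client.js carry literal secrets; the env-var read and
# the README sentence do not. Assumes git's default a/ b/ path prefixes.
SAMPLE_DIFF='diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -10,3 +10,5 @@ import os
 DEBUG = False
-SECRET_KEY = os.environ["SECRET_KEY"]
+SECRET_KEY = "django-insecure-7f3k9q2mzx8v1b"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
 ALLOWED_HOSTS = ["example.com"]
+password = os.environ.get("DB_PASSWORD")
diff --git a/src/client.js b/src/client.js
--- a/src/client.js
+++ b/src/client.js
@@ -40,2 +40,3 @@
 const url = base + "/v1";
+const apiKey = "sk_live_51H8x9yZ0aBcDeFgH";
 fetch(url);
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
 # App
+Set SECRET_KEY in the environment before starting.
 Run it.'

# scan_diff_for_secrets: read a unified diff on stdin and print one
# "[SECURITY] path:line - reason" finding per added line that looks like a
# literal credential. Only "+" lines are examined, so secrets already in the
# file are out of scope, as in a change review. The hunk header gives the
# new-side start line; context and "+" lines advance it, "-" lines do not,
# which is what keeps the reported line numbers correct.
scan_diff_for_secrets() {
    awk -v q="'" '
    BEGIN {
        # secret-ish identifier assigned a quoted literal (matched on lowercase text)
        assign = "(secret|password|passwd|api_?key|token)[a-z_]*[ \t]*[:=][ \t]*[\"" q "][^\"" q "]+[\"" q "]"
    }
    /^diff --git / { file = ""; next }
    /^\+\+\+ /     { file = ($2 == "/dev/null") ? "" : substr($2, 3); next }
    /^@@ /         { split($3, n, "[,+]"); line = n[2] + 0; next }
    /^\+/ {
        text = substr($0, 2)
        hit = ""
        if (text ~ /AKIA[0-9A-Z]+/)                            hit = "AWS access key id literal"
        else if (text ~ /sk_live_[0-9A-Za-z]+/)                 hit = "Stripe live secret key literal"
        else if (text ~ /ghp_[0-9A-Za-z]+/)                     hit = "GitHub personal access token literal"
        else if (text ~ /-----BEGIN [A-Z ]*PRIVATE KEY-----/)   hit = "private key material"
        else if (tolower(text) ~ assign)                        hit = "secret assigned as string literal"
        if (hit != "" && file != "") printf "[SECURITY] %s:%d - %s\n", file, line, hit
        line++
        next
    }
    /^ / { line++; next }
    /^-/ { next }
    '
}

# review_verdict CRITICAL HIGH MEDIUM LOW: the step-6 rule. Any critical or
# more than one high-priority issue means NEEDS_CHANGES; a single high or any
# medium/low issue means APPROVED_WITH_COMMENTS; nothing means APPROVED.
review_verdict() {
    if [ "$1" -gt 0 ] || [ "$2" -gt 1 ]; then
        echo NEEDS_CHANGES
    elif [ "$2" -gt 0 ] || [ "$3" -gt 0 ] || [ "$4" -gt 0 ]; then
        echo APPROVED_WITH_COMMENTS
    else
        echo APPROVED
    fi
}

# review_sample: run the scan over the constructed diff and print the tail of
# a step-5 report (every secret finding counts as Critical).
review_sample() {
    findings=$(printf '%s\n' "$SAMPLE_DIFF" | scan_diff_for_secrets)
    crit=0
    [ -n "$findings" ] && crit=$(printf '%s\n' "$findings" | grep -c '^')
    echo "## Critical Issues"
    printf '%s\n' "$findings"
    echo "---"
    echo "Overall: $(review_verdict "$crit" 0 0 0)"
}
```

Running `review_sample` prints three `[SECURITY]` lines (app/config.py:11, app/config.py:12, src/client.js:41) followed by `Overall: NEEDS_CHANGES`; the `password = os.environ.get(...)` line and the README sentence are not flagged because neither assigns a quoted literal.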

## What to Review

| Category | Look For |
|----------|----------|
| Security | Injection, auth, secrets, data exposure |
| Logic | Bugs, error handling, edge cases |
| Performance | N+1 queries, inefficient algorithms |
| Style | Naming, consistency, complexity |
| Tests | Coverage, quality, edge cases |

## What NOT to Flag

- Subjective style preferences (unless inconsistent)
- Theoretical issues that can't happen in context
- Over-engineering suggestions
- Minor naming bikeshedding

## Error Handling

```
No changes to review
  The commits $FROM and $TO are identical.

Invalid commit reference
  Could not find commit: abc1234
  Try: git log --oneline -20

Not a git repository
  Navigate to a git repository first.
```

## Related Commands

| Command | Purpose |
|---------|---------|
| `/commit` | Create commits with conventional format |
| `/rebase` | Rebase local changes on remote |

Related Skills

review-django-commands (9 stars, from jpoutrin/product-forge)
  Review Django management commands for proper structure and refactor if needed

python-code-review (9 stars, from jpoutrin/product-forge)
  Python code review guidelines (security, performance, bugs, style). Auto-loads when reviewing Python code or analyzing code quality.

typescript-code-review (9 stars, from jpoutrin/product-forge)
  TypeScript and React code review guidelines (type safety, React patterns, performance). Auto-loads when reviewing TypeScript/React code.

zod (9 stars, from jpoutrin/product-forge)
  Zod schema validation patterns and type inference. Auto-loads when validating schemas, parsing data, validating forms, checking types at runtime, or using z.object/z.string/z.infer in TypeScript.

typescript-import-style (9 stars, from jpoutrin/product-forge)
  Merge-friendly import formatting (one-per-line, alphabetical). Auto-loads when writing TypeScript/JavaScript imports to minimize merge conflicts in parallel development. Enforces consistent grouping and sorting.

setup-mcp-auth (9 stars, from jpoutrin/product-forge)
  Configure authentication for an existing FastMCP server

fastmcp (9 stars, from jpoutrin/product-forge)
  FastMCP TypeScript framework patterns for MCP servers. Auto-loads when building MCP servers, creating tools/resources/prompts, implementing authentication, configuring transports, or working with FastMCP in TypeScript.

add-mcp-tool (9 stars, from jpoutrin/product-forge)
  Add a new tool to an existing FastMCP server with guided configuration

add-mcp-resource (9 stars, from jpoutrin/product-forge)
  Add a new resource or resource template to an existing FastMCP server

plan-with-team (9 stars, from jpoutrin/product-forge)
  Validate plan file ownership

privacy-compliance (9 stars, from jpoutrin/product-forge)
  GDPR, CCPA, and privacy compliance guidance for data protection. Use when handling personal data, implementing consent management, or ensuring regulatory compliance across jurisdictions.

oauth (9 stars, from jpoutrin/product-forge)
  OAuth 2.0 and OpenID Connect implementation patterns. Use when implementing authentication, authorization flows, or integrating with OAuth providers like Google, GitHub, or custom identity providers.