Code Review Checklist

Runs a systematic checklist review on any code diff or file, covering correctness, security, performance, and readability.

8 stars

Best use case

Code Review Checklist is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Runs a systematic checklist review on any code diff or file, covering correctness, security, performance, and readability.

Teams using Code Review Checklist should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/code-review-checklist/SKILL.md --create-dirs "https://raw.githubusercontent.com/Notysoty/openagentskills/main/skills/code-review-checklist/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/code-review-checklist/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How Code Review Checklist Compares

Feature / AgentCode Review ChecklistStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Runs a systematic checklist review on any code diff or file, covering correctness, security, performance, and readability.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

Related Guides

SKILL.md Source

# Code Review Checklist

## What this skill does

This skill directs the agent to perform a structured code review using a proven checklist. It catches bugs, security issues, performance problems, and readability concerns that are easy to miss in a quick scan. The output is a prioritized list of findings — not vague suggestions, but specific line-level feedback with clear explanations.

Use this before merging a PR, after a refactor, or any time you want a second opinion on code quality.

## How to use

### Claude Code / Cline

Copy this file to `.agents/skills/code-review-checklist/SKILL.md` in your project root.

Then ask the agent:
- *"Review this file using the Code Review Checklist skill."*
- *"Run the Code Review Checklist skill on my PR diff."*

### Cursor

Add the contents of the "Prompt / Instructions" section below to your `.cursorrules` file, then open the file you want reviewed and ask Cursor to review it.

### Codex

Paste the code and the instructions from the section below into the Codex chat.

## The Prompt / Instructions for the Agent

When asked to review code, work through each section of this checklist in order. For every issue found, output:

- **Severity**: `critical` | `major` | `minor` | `nit`
- **Location**: file name and line number(s)
- **Issue**: one-sentence description
- **Suggestion**: what to do instead

---

### 1. Correctness

- [ ] Does the logic match the intended behavior (based on function name, comments, or context)?
- [ ] Are there off-by-one errors in loops or array accesses?
- [ ] Are all code paths handled, including edge cases (empty input, null, zero, negative numbers)?
- [ ] Are async operations properly awaited? Could there be race conditions?
- [ ] Are errors caught and handled appropriately, or silently swallowed?

### 2. Security

- [ ] Is any user input used in SQL queries, shell commands, or file paths without sanitization?
- [ ] Are secrets, API keys, or passwords hardcoded or logged?
- [ ] Are authentication and authorization checks in place before sensitive operations?
- [ ] Is output properly escaped before being rendered in HTML (XSS)?
- [ ] Are dependencies pinned to known-good versions?

### 3. Performance

- [ ] Are there any N+1 query patterns (a query inside a loop)?
- [ ] Is expensive work (network calls, heavy computation) done unnecessarily on every request?
- [ ] Are large data structures being copied when a reference would suffice?
- [ ] Are there obvious opportunities for caching or memoization?

### 4. Readability & Maintainability

- [ ] Are variable and function names descriptive and consistent with the surrounding codebase?
- [ ] Is any logic complex enough to warrant a comment but currently unexplained?
- [ ] Are there magic numbers or strings that should be named constants?
- [ ] Is the function doing more than one thing (violates single-responsibility)?
- [ ] Is there dead code, commented-out code, or TODO comments that should be resolved?

### 5. Tests

- [ ] Are the critical paths covered by tests?
- [ ] Do the tests actually assert meaningful behavior, or just that no error was thrown?
- [ ] Are edge cases (empty input, error states) tested?

---

After completing the checklist, output a **summary** with:
1. Total findings by severity
2. The top 3 issues to fix first (highest severity / most impactful)
3. An overall assessment: `Approve` | `Approve with minor fixes` | `Needs changes`

If no issues are found in a section, write "✓ No issues found" for that section rather than skipping it.

## Example

**Input to Agent:**
> "Use the Code Review Checklist skill on this function:
>
> ```typescript
> async function getUser(id: string) {
>   const query = `SELECT * FROM users WHERE id = '${id}'`;
>   const result = await db.raw(query);
>   return result.rows[0];
> }
> ```"

**Output from Agent:**

**Correctness**
- **Major** | Line 3 | No null check on `result.rows[0]` — returns `undefined` if user not found, which may cause downstream errors. | Return `null` explicitly or throw a `NotFoundError`.

**Security**
- **Critical** | Line 2 | SQL injection vulnerability — `id` is interpolated directly into the query string. | Use a parameterized query: `db.raw('SELECT * FROM users WHERE id = ?', [id])`.

**Performance**
- **Minor** | Line 2 | `SELECT *` fetches all columns even if only a few are needed. | Specify the columns you actually use.

**Summary**
- 1 critical, 1 major, 1 minor
- Top issues: SQL injection (critical), missing null check (major), over-fetching columns (minor)
- **Assessment: Needs changes**

## Notes

- If the diff is large, focus on files with the most business logic first.
- For nitpicks (formatting, naming), group them at the end rather than interspersing them with real issues.
- This skill does not run linters or static analysis — it is a reasoning-based review. For automated checks, run your existing lint/test pipeline first.

Related Skills

Responsive Layout Reviewer

8
from Notysoty/openagentskills

Reviews HTML/CSS or component code for responsive design issues across mobile, tablet, and desktop breakpoints.

React Component Reviewer

8
from Notysoty/openagentskills

Analyzes React components for performance, accessibility, and modern hook usage.

Observability Checklist

8
from Notysoty/openagentskills

Reviews a service or codebase against a full observability checklist — logs, metrics, traces, and alerting gaps.

Hallucination Risk Reviewer

8
from Notysoty/openagentskills

Reviews an AI-generated response or LLM application output for factual risks, hallucination patterns, and confidence calibration issues.

Database Schema Reviewer

8
from Notysoty/openagentskills

Reviews database schemas for normalization issues, missing indexes, naming inconsistencies, and scalability risks.

Unit Test Writer

8
from Notysoty/openagentskills

Generates comprehensive unit tests for any function or module with edge cases.

Unit Test Improver

8
from Notysoty/openagentskills

Reviews existing unit tests for gaps, weak assertions, and missing edge cases, then rewrites them to be more robust.

Troubleshooting Guide Builder

8
from Notysoty/openagentskills

Builds a structured troubleshooting guide with symptom → cause → fix format for any tool or system.

Tech Debt Auditor

8
from Notysoty/openagentskills

Identifies and prioritizes technical debt in a codebase with an effort/impact matrix.

Technical Blog Post Writer

8
from Notysoty/openagentskills

Writes engaging, accurate technical blog posts targeted at developer audiences.

Stack Trace Analyzer

8
from Notysoty/openagentskills

Interprets error stack traces to pinpoint root cause, explain what went wrong, and suggest fixes.

SQL Query Optimizer

8
from Notysoty/openagentskills

Reviews SQL queries for performance issues and rewrites them with optimized execution plans.