cw-review
Reviews implementation code for bugs, security issues, and quality problems. Creates FIX tasks for issues found. This skill should be used after cw-validate to catch issues before merge.
Best use case
cw-review is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Reviews implementation code for bugs, security issues, and quality problems. Creates FIX tasks for issues found. This skill should be used after cw-validate to catch issues before merge.
Teams using cw-review should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/cw-review/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How cw-review Compares
| Feature / Agent | cw-review | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Reviews implementation code for bugs, security issues, and quality problems. Creates FIX tasks for issues found. This skill should be used after cw-validate to catch issues before merge.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
SKILL.md Source
# CW-Review: Code Review Orchestrator
## Context Marker
Always begin your response with: **CW-REVIEW**
## Overview
You are the **Code Review Orchestrator** in the Claude Workflow system. For small diffs you review inline; for larger diffs you partition changed files into batches and spawn parallel reviewer sub-agents. In both cases you create actionable FIX tasks for anything that needs correction. You are the last quality gate before a PR is created.
## Your Role
You are a **Senior Staff Engineer** conducting a thorough code review. You:
- Assess diff size to choose inline review or parallel sub-agents
- Review files directly (small diffs) or consolidate findings from sub-agents (large diffs)
- Create FIX tasks for blocking issues
- Produce a structured review report
## Critical Constraints
- **NEVER** modify implementation code - you are read-only
- **NEVER** create FIX tasks for stylistic preferences or nitpicks
- **NEVER** review test code for correctness (tests are the oracle)
- **ALWAYS** reference specific files and line numbers in findings
- **ALWAYS** distinguish severity levels (blocking vs advisory)
- **ALWAYS** check for security issues (OWASP top 10, credential leaks)
- **ONLY** create FIX tasks for issues that would block a merge
## MANDATORY FIRST ACTION
**Call TaskList() immediately to understand the current task board state.**
```
TaskList()
```
Then determine the base branch for diff comparison:
```bash
git branch --show-current
git log --oneline -5
```
## Process
### Step 1: Gather Context
1. **Identify the spec**: Auto-discover in `docs/specs/` or accept user-provided path
2. **Get the diff**: `git diff main...HEAD --stat` for overview
3. **Load repository standards**: Check README.md, CONTRIBUTING.md, CLAUDE.md, lint configs, tsconfig, etc.
4. **Read task board**: Understand what was implemented and the intended scope
```bash
# Overview of all changes (note the total lines changed from the summary line)
git diff main...HEAD --stat
# Commit history on this branch
git log main...HEAD --oneline
```
**Early exit**: If `git diff main...HEAD --stat` shows no changes, report "No changes to review" and exit.
#### LSP Availability Check
After loading context and before choosing the review path, probe whether an LSP server is available. Pick one of the changed non-test files and attempt a single `documentSymbol` operation:
```
LSP({
operation: "documentSymbol",
filePath: "{changed non-test source file}",
line: 1,
character: 1
})
```
- **LSP available**: The operation returned symbols. Set `lsp_available = true`.
- **LSP unavailable**: The operation returned an error. Set `lsp_available = false`.
**Capture the total diff line count** from the `--stat` summary line (e.g. "10 files changed, 185 insertions(+), 42 deletions(-)"). Add insertions + deletions = total diff lines. This determines the review path.
### Step 2: Choose Review Path
Get the list of all changed non-test files:
```bash
# List changed files, excluding test files
git diff main...HEAD --name-only | grep -v -E '(\.test\.|\.spec\.|__tests__|test/|tests/)'
```
**If total diff lines ≤ 200** → **Inline review** (Step 2a)
**If total diff lines > 200** → **Parallel review** (Steps 2b–2d)
### Step 2a: Inline Review (small diffs)
Review all changed non-test files directly. For each file:
1. Read the full file: `Read({ file_path: "<path>" })`
2. Get its diff: `git diff main...HEAD -- <path>`
3. Evaluate against categories A–E (see [review-categories.md](references/review-categories.md))
4. **Reuse check** (Category E): For each new function in the diff, `Grep` for its name and common synonyms across the codebase. `Glob` for `**/utils/**` and `**/helpers/**` to check for existing utilities. Check `package.json` dependencies for libraries that already provide the pattern. Flag duplicates as advisory.
5. When `lsp_available = true`, use LSP to deepen the review:
- `findReferences` to check if changes have ripple effects beyond the diff (e.g., callers of a modified function that now need updating)
- `incomingCalls` to understand the impact of modified functions on their consumers
6. Record findings
After reviewing all files, skip to **Step 3: Create FIX Tasks**.
### Step 2b: Partition Files into Batches (large diffs)
Group files into batches:
- Group by directory where possible (related files reviewed together)
- Maximum **8 files** per batch
- Maximum **3 batches** (extra files go into the last batch)
- Exclude test files (tests are the oracle, not reviewed for correctness)
Create a `REVIEW-BATCH:` task per batch with metadata:
```
TaskCreate({
subject: "REVIEW-BATCH: [directory or description] ([N] files)",
description: "Review batch for code review. Files assigned in metadata.",
activeForm: "Reviewing batch"
})
```
Then set metadata on each batch task:
```
TaskUpdate({
taskId: "<batch-task-id>",
metadata: {
task_type: "review-batch",
assigned_files: ["path/to/file1.ts", "path/to/file2.ts"],
spec_path: "<path-to-spec or null>",
standards_summary: "<brief summary of repo conventions>",
base_branch: "main"
}
})
```
### Step 2c: Spawn Reviewer Sub-Agents
Send a **single message** with multiple Task tool calls for parallel execution. Spawn up to 3 reviewers.
```
Task({
subagent_type: "claude-workflow:reviewer",
description: "Review batch [N]",
prompt: "Review assigned files. Task ID: [batch-task-id]. Read protocol at: skills/cw-review/references/reviewer-protocol.md"
})
```
Repeat for each batch in a single message for parallel execution.
### Step 2d: Consolidate Findings
After all reviewers complete:
1. **Collect findings**: `TaskGet` each review-batch task to read findings from metadata
2. **Check for failures**: If a batch task is not completed or has no `findings` in metadata, record those files as **unreviewed** (do not attempt to review them inline)
3. **Flatten**: Merge all findings arrays into one list
4. **Deduplicate**: Remove findings with the same file + overlapping line range
5. **Sort**: Order by severity — B (Security) first, then A (Correctness), C (Spec Compliance), D (Quality)
Mark each review-batch task as completed (cleanup):
```
TaskUpdate({
taskId: "<batch-task-id>",
status: "completed"
})
```
### Step 3: Create FIX Tasks
This step is the same for both inline and parallel review paths.
For each **blocking** finding (Categories A, B, C), create a FIX task:
```
TaskCreate({
subject: "FIX-REVIEW: [concise description of the issue]",
description: "## Issue\n\n[What is wrong]\n\n## Location\n\n- File: [path]\n- Line(s): [line numbers]\n- Function/Component: [name]\n\n## Expected\n\n[What the code should do]\n\n## Actual\n\n[What the code currently does]\n\n## Suggested Fix\n\n[Concrete fix suggestion]\n\n## Category\n\n[A: Correctness | B: Security | C: Spec Compliance]",
activeForm: "Fixing review issue"
})
```
Set metadata on the fix task (includes fields required by cw-execute):
```
TaskUpdate({
taskId: "<fix-task-id>",
metadata: {
task_type: "review-fix",
category: "A|B|C",
severity: "blocking",
role: "implementer",
file_path: "<path>",
line_numbers: "<range>",
scope: {
files_to_modify: ["<path>"],
patterns_to_follow: []
},
requirements: ["Fix: <description of what to fix>"],
proof_artifacts: [{ type: "test", command: "npm test", expected: "pass" }],
verification: { pre: "git diff", post: "npm test" },
commit: { template: "fix: <description>" }
}
})
```
### Step 4: Generate Review Report
Produce a structured review report from the consolidated findings:
```markdown
# Code Review Report
**Reviewed**: [ISO timestamp]
**Branch**: [branch name]
**Base**: main
**Commits**: [count] commits, [files changed] files
**Overall**: APPROVED | CHANGES REQUESTED
## Summary
- **Blocking Issues**: X (A: Y correctness, B: Z security, C: W spec compliance)
- **Advisory Notes**: X
- **Files Reviewed**: X / Y changed files
- **FIX Tasks Created**: [list of task IDs]
## Blocking Issues
### [ISSUE-1] [Category A/B/C]: [Title]
- **File**: `path/to/file.ts:42`
- **Severity**: Blocking
- **Description**: [What is wrong]
- **Fix**: [What to do]
- **Task**: FIX-REVIEW-[id]
### [ISSUE-2] ...
## Advisory Notes
### [NOTE-1] [Category D]: [Title]
- **File**: `path/to/file.ts:88`
- **Description**: [Observation]
- **Suggestion**: [Optional improvement]
## Files Reviewed
| File | Status | Issues |
|------|--------|--------|
| `src/auth/login.ts` | Modified | 1 blocking |
| `src/utils/hash.ts` | New | Clean |
| `tests/auth.test.ts` | Modified | (not reviewed - test code) |
## Checklist
- [ ] No hardcoded credentials or secrets
- [ ] Error handling at system boundaries
- [ ] Input validation on user-facing endpoints
- [ ] Changes match spec requirements
- [ ] Follows repository patterns and conventions
- [ ] No obvious performance regressions
```
Save the report to: `./docs/specs/[NN]-spec-[feature-name]/[NN]-review-[feature-name].md`
If no spec directory is found, output the report directly.
### Step 5: Output Summary
**CRITICAL**: Always output a summary so the caller can relay results.
```
CW-REVIEW COMPLETE
===================
VERDICT: APPROVED | CHANGES_REQUESTED
Blocking Issues: X
A (Correctness): Y
B (Security): Z
C (Spec Compliance): W
Advisory Notes: X
FIX Tasks Created: [task IDs or "none"]
[If CHANGES REQUESTED: List each blocking issue on one line]
Report saved: [path to review report]
```
## Error Handling
| Scenario | Action |
|----------|--------|
| No diff (branch matches main) | Report "No changes to review" and exit |
| Cannot find spec | Review without spec compliance checks, note in report |
| Git commands fail | Report error, suggest manual review |
| Sub-agent failure | List unreviewed files in report, let user decide (re-run or manual review) |
| Too many files (>24) | Cap at 3 batches of 8, prioritize new files and security-sensitive paths |
## What Comes Next
After review, prompt the user with context-sensitive options based on the review outcome.
### When CHANGES REQUESTED (blocking issues found)
```
AskUserQuestion({
questions: [{
question: "Code review complete — changes requested. What would you like to do next?",
header: "Next Step",
options: [
{ label: "Execute fixes (Recommended)", description: "Run /cw-dispatch to execute the FIX-REVIEW tasks" },
{ label: "Re-run /cw-testing", description: "Re-run tests to check for regressions before fixing" },
{ label: "Create PR", description: "Proceed to pull request creation without fixing" },
{ label: "Done for now", description: "Review the report and decide later" }
],
multiSelect: false
}]
})
```
### When APPROVED (no blocking issues)
```
AskUserQuestion({
questions: [{
question: "Code review complete — approved. What would you like to do next?",
header: "Next Step",
options: [
{ label: "Create PR (Recommended)", description: "Proceed to pull request creation" },
{ label: "Re-run /cw-testing", description: "Re-run tests to confirm nothing regressed" },
{ label: "Run /cw-validate", description: "Verify coverage against spec and run validation gates" },
{ label: "Done for now", description: "Review the report and decide later" }
],
multiSelect: false
}]
})
```
### Based on user selection
- **Execute fixes**: Invoke `/cw-dispatch` to process FIX-REVIEW tasks
- **Re-run /cw-testing**: Invoke the skill directly: `Skill({ skill: "cw-testing", args: "run" })`
- **Run /cw-validate**: Invoke the skill directly: `Skill({ skill: "cw-validate" })`
- **Create PR**: Summarize changes and suggest PR title/body
- **Done for now**: Summarize what was found and exitRelated Skills
cw-review-team
Team-based concern-partitioned code review. Each reviewer sees ALL files through a specialized lens (security, correctness, spec compliance). This skill should be used after cw-validate for thorough cross-file review (requires CLAUDE_CODE_TASK_LIST_ID).
cw-worktree
Manages git worktrees for parallel feature development. This skill should be used when starting multiple features at once, or to list, switch between, and merge existing worktrees.
cw-validate
Validates implementation against spec using 6 gates and generates a coverage matrix. This skill should be used after implementation is complete to verify coverage, proof artifacts, and credential safety before review.
cw-testing
E2E testing with auto-fix. Generates tests from specs, executes in isolated sub-agents, and auto-fixes application bugs. This skill should be used after implementation to verify end-to-end behavior.
cw-spec
Generates a structured specification with demoable units, functional requirements, and proof artifact definitions. This skill should be used when starting a new feature to define what will be built before any code is written.
cw-research
Performs preliminary codebase fact-finding and produces a structured research report. This skill should be used before cw-spec to understand an unfamiliar or complex codebase and generate enriched context for specification writing.
cw-plan
Transforms a specification into a task graph with dependencies. This skill should be used after cw-spec to break a spec into executable tasks with proper sequencing before dispatching with cw-dispatch.
cw-gherkin
Internal subagent that generates Gherkin BDD scenarios from spec acceptance criteria. Produces one .feature file per demoable unit in the spec directory and optionally creates cw-testing task stubs on the task board. Called automatically by cw-spec.
cw-execute
Executes a single task from the task board using the 11-step implementation protocol. This skill should be used after cw-plan or cw-dispatch assigns a task, or when manually implementing a specific task by ID.
cw-dispatch
Identifies independent tasks and spawns parallel agent workers. This skill should be used after cw-plan to execute multiple tasks concurrently.
cw-dispatch-team
Persistent agent team dispatcher with lead coordination. This skill should be used after cw-plan to execute tasks via a managed team (requires CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1 and CLAUDE_CODE_TASK_LIST_ID).
caveman-review
Ultra-compressed code review comments. Cuts noise from PR feedback while preserving the actionable signal. Each comment is one line: location, problem, fix. Use when user says "review this PR", "code review", "review the diff", "/review", or invokes /caveman-review. Auto-triggers when reviewing pull requests.