# Code Review Skill

Comprehensive code review for PRs, local changes, and specific files.

## Usage

```bash
/review                    # Review uncommitted changes
/review PR #123            # Review specific PR
/review <file1> <file2>    # Review specific files
```
## Modes

| Mode | Trigger | Action |
|---|---|---|
| PR Review | `PR #123`, `pr/123`, PR URL | Fetch PR diff via `gh` |
| Local Review | No args, uncommitted changes | Review `git diff` |
| File Review | Specific file paths | Review listed files |
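The trigger column above describes three argument shapes that Step 1 has to tell apart. The parser below is an added example, not code from the skill itself: `ReviewRequest`, `parse_review_args` and the PR URL pattern are assumptions, and the refusal of absolute or `..` paths in file mode is an added check, since file mode hands the arguments straight to `cat`.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical result type (not part of the skill): which mode Step 1 should
# run and the payload it needs (PR number or file list).
@dataclass(frozen=True)
class ReviewRequest:
    mode: str                       # "pr", "local" or "files"
    pr_number: Optional[int] = None
    files: tuple = ()

# The three PR trigger forms from the Modes table: "PR #123", "pr/123", a PR URL.
_PR_PATTERNS = (
    re.compile(r"^PR\s*#?(\d+)$", re.IGNORECASE),
    re.compile(r"^pr/(\d+)$", re.IGNORECASE),
    re.compile(r"^https?://github\.com/[^/]+/[^/]+/pull/(\d+)(?:/.*)?$"),
)

def parse_review_args(argv: str) -> ReviewRequest:
    """Map the text after `/review` to a review mode."""
    text = argv.strip()
    if not text:
        # No arguments: review the uncommitted working tree.
        return ReviewRequest(mode="local")
    for pattern in _PR_PATTERNS:
        match = pattern.match(text)
        if match:
            return ReviewRequest(mode="pr", pr_number=int(match.group(1)))
    # Anything else is a whitespace-separated list of file paths. Because file
    # mode reads them verbatim, refuse paths that leave the repository
    # (added check, an assumption about what the skill should accept).
    files = tuple(text.split())
    for path in files:
        if path.startswith("/") or ".." in path.split("/"):
            raise ValueError(f"refusing path outside the repository: {path}")
    return ReviewRequest(mode="files", files=files)
```

Unknown input never falls back silently to PR or local mode: anything that is not empty and not a PR reference is treated as a file list, which matches the table.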
## Workflow

```text
┌─────────────────────────────────────┐
│ Step 1: Fetch Context               │
│ (PR diff, git diff, or files)       │
└─────────────────┬───────────────────┘
                  ↓
┌─────────────────────────────────────┐
│ Step 2: Code Review Agent           │
│ (Quality, maintainability, style)   │
└─────────────────┬───────────────────┘
                  ↓
┌─────────────────────────────────────┐
│ Step 3: Security Review Agent       │
│ (Vulnerabilities, OWASP, secrets)   │
└─────────────────┬───────────────────┘
                  ↓
┌─────────────────────────────────────┐
│ Step 4: Generate Report             │
│ (CRITICAL/HIGH/MEDIUM findings)     │
└─────────────────┬───────────────────┘
                  ↓
┌─────────────────────────────────────┐
│ Step 5: Suggest Fixes               │
│ (Actionable recommendations)        │
└─────────────────────────────────────┘
```
## Step 1: Fetch Context

### PR Review Mode

```bash
# Get PR details
gh pr view 123 --json title,body,changedFiles,additions,deletions

# Get PR diff
gh pr diff 123

# Get review comments (if any)
gh pr view 123 --json reviews
```

### Local Changes Mode

```bash
# Staged + unstaged changes
git diff HEAD

# Or just staged
git diff --staged
```

### File Review Mode

```bash
# Read specified files
cat file1.py file2.py
```
## Step 2: Code Review Agent

Use the Task tool with the `code-reviewer` agent:

```python
Task(
    subagent_type="code-reviewer",
    prompt="""
    Review this code for:
    - Code quality and readability
    - Design patterns and architecture
    - Error handling
    - Edge cases
    - Test coverage gaps
    - Performance concerns
    - Documentation needs

    Code to review:
    [diff or file contents]
    """
)
```

### Review Checklist

**Code Quality:**
- Follows project conventions
- Clear naming
- Appropriate abstraction
- No code duplication
- No dead code

**Logic:**
- Handles edge cases
- Correct error handling
- No race conditions
- Appropriate null checks

**Performance:**
- No N+1 queries
- Efficient algorithms
- Appropriate caching
- No memory leaks

**Testing:**
- Tests cover happy path
- Tests cover error cases
- Tests cover edge cases
- Mocks are appropriate
## Step 3: Security Review Agent

Use the Task tool with the `security-reviewer` agent:

```python
Task(
    subagent_type="security-reviewer",
    prompt="""
    Security review this code for:
    - Hardcoded secrets
    - SQL injection
    - Command injection
    - XSS vulnerabilities
    - Path traversal
    - Insecure deserialization
    - Authentication issues
    - Authorization gaps
    - OWASP Top 10

    Code to review:
    [diff or file contents]
    """
)
```

### Security Checklist

**Secrets:**
- No hardcoded API keys
- No passwords in code
- No tokens committed
- Environment variables used

**Injection:**
- Parameterized SQL queries
- No `shell=True` with user input
- Sanitized user inputs
- Safe template rendering

**Access Control:**
- Authentication required
- Authorization checked
- Secure session handling
- Proper CORS settings
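The security agent reads the diff and applies the checklist by judgement; a deterministic pre-pass over the added lines catches the mechanical items (hardcoded secrets, SQL built by string formatting, `shell=True`, unsafe deserialization) and pins each to a file and line for the Step 4 report. The scanner below is an added example, not the skill's or the agent's own code: the rule names, the `Finding` type and the diff in `SAMPLE_DIFF` are all constructed here, and the patterns are deliberately narrow (they miss `.format()`-built SQL, for instance), so they supplement rather than replace the agent.

```python
import re
from dataclasses import dataclass

# Hypothetical finding record (not part of the skill) in the shape Step 4 reports.
@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    file: str
    line: int      # line number in the new version of the file
    snippet: str

# Each rule maps to a checklist item above. Severities follow Step 4's scale.
RULES = [
    ("CRITICAL", "hardcoded-secret",
     re.compile(r"(?i)\b(?:api[_-]?key|secret|password|passwd|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
    ("CRITICAL", "sql-string-formatting",   # f-string with a placeholder, or "..." % / "..." +
     re.compile(r"(?i)\bf['\"][^'\"]*\b(?:select|insert|update|delete)\b[^'\"]*\{"
                r"|['\"][^'\"]*\b(?:select|insert|update|delete)\b[^'\"]*['\"]\s*(?:%|\+)\s*[\w(]")),
    ("CRITICAL", "shell-true-subprocess", re.compile(r"\bshell\s*=\s*True\b")),
    ("HIGH", "insecure-deserialization",    # pickle, or yaml.load without an explicit Loader
     re.compile(r"\bpickle\.loads?\(|\byaml\.load\((?![^)]*Loader)")),
]

_HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def scan_diff(diff: str) -> list[Finding]:
    """Run every rule over the added lines of a unified diff, tracking file and line."""
    findings = []
    current_file = None
    new_line = 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()                         # "+++ b/path"
            current_file = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("diff ") or raw.startswith("index ") or raw.startswith("--- "):
            continue
        if raw.startswith("\\"):                           # "\ No newline at end of file"
            continue
        match = _HUNK.match(raw)
        if match:
            new_line = int(match.group(1))                 # first line of the hunk in the new file
            continue
        if raw.startswith("+"):                            # added line: the only kind we scan
            code = raw[1:]
            for severity, rule, pattern in RULES:
                if pattern.search(code):
                    findings.append(Finding(severity, rule, current_file, new_line, code.strip()))
            new_line += 1
        elif raw.startswith("-"):
            pass                                           # removed line: no new-file line number
        else:
            new_line += 1                                  # context line
    return findings

def severity_counts(findings: list[Finding]) -> dict:
    """Counts in the order of Step 4's summary table."""
    counts = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for finding in findings:
        counts[finding.severity] += 1
    return counts

# Constructed diff for demonstration; the secret value is a made-up placeholder.
SAMPLE_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -10,3 +10,6 @@ def get_user(user_id):
 import subprocess
-    query = "SELECT * FROM users WHERE id = %s"
+    query = f"SELECT * FROM users WHERE id = {user_id}"
+    API_KEY = "sk_live_constructedexample000"
     cursor.execute(query)
+    subprocess.run(f"ls {path}", shell=True)
+    return cursor.fetchone()
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.severity}: {f.rule} at {f.file}:{f.line}  {f.snippet}")
    print(severity_counts(scan_diff(SAMPLE_DIFF)))
```

Only `+` lines are scanned, so a secret that was already in the file before the change is not reported as a finding of this PR; that is the right scope for a review of the diff, but the File Review mode (whole files) should run the same rules over every line.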
## Step 4: Generate Report

Severity levels:

- **CRITICAL:** Security vulnerabilities, data loss risk
- **HIGH:** Logic errors, significant bugs
- **MEDIUM:** Code quality, maintainability issues
- **LOW:** Style, minor improvements

### Report Format

```markdown
## Code Review Report

**Scope:** [PR #123 | Local changes | Files reviewed]
**Files:** [count] files, [+additions] [-deletions]

### Summary

| Severity | Count |
|----------|-------|
| CRITICAL | X |
| HIGH | X |
| MEDIUM | X |
| LOW | X |

### Critical Issues

#### CRITICAL-1: [Title]
**File:** path/to/file.py:42
**Issue:** [Description]
**Risk:** [Impact if not fixed]
**Fix:** [Recommendation]

### High Priority Issues

#### HIGH-1: [Title]
...

### Medium Priority Issues

#### MEDIUM-1: [Title]
...

### Recommendations

1. [General recommendation]
2. [General recommendation]

### Approval Status

[ ] APPROVED - Ready to merge
[ ] CHANGES REQUESTED - Fix issues above
[ ] NEEDS DISCUSSION - Architectural concerns
```
## Step 5: Suggest Fixes

For each finding, provide an actionable fix:

#### Issue: SQL Injection Risk

**Current Code:**

```python
query = f"SELECT * FROM users WHERE id = {user_id}"
```

**Fixed Code:**

```python
query = "SELECT * FROM users WHERE id = %s"
cursor.execute(query, (user_id,))
```

**Why:** Parameterized queries prevent SQL injection.
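A fix suggestion lands better when the reviewer can show why the current code fails and the fixed code holds. The following is an added example, not part of the skill: it runs both snippets from the finding above against an in-memory SQLite database with constructed rows. SQLite's DB-API driver uses `?` as its placeholder where psycopg2 and MySQLdb use `%s`, so the fixed query is written with `?` here; the structure (placeholder plus a parameter tuple) is the same.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # The "Current Code" from the finding: the value becomes part of the SQL text,
    # so anything the caller passes is parsed as SQL.
    query = f"SELECT * FROM users WHERE id = {user_id}"
    return conn.execute(query).fetchall()

def lookup_fixed(conn: sqlite3.Connection, user_id: str) -> list:
    # The "Fixed Code": the value is bound as a parameter and compared as data.
    # sqlite3 placeholder is "?" (psycopg2/MySQLdb would use "%s").
    query = "SELECT * FROM users WHERE id = ?"
    return conn.execute(query, (user_id,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    # Constructed inputs: a normal id and the classic tautology the checklist guards against.
    for value in ("1", "1 OR 1=1"):
        print(repr(value), "vulnerable:", lookup_vulnerable(conn, value),
              "fixed:", lookup_fixed(conn, value))
```

With a normal id both functions return the same single row. With the tautology input the vulnerable query returns every row, while the fixed query returns nothing because the whole string is compared against the integer column as a value, not evaluated as SQL. The review comment can quote exactly that contrast as the "Risk" and "Why".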
## Integration Points
- **code-reviewer agent:** Quality review
- **security-reviewer agent:** Security scan
- **gh CLI:** PR operations
## Examples

### Review PR

```bash
/review PR #123
```

Flow: `gh pr view 123 --json ...` → `gh pr diff 123` → Code review agent analyzes → Security review agent scans → Report generated

```markdown
## Code Review Report

**Scope:** PR #123 - Add user authentication
**Files:** 5 files, +342 -12

### Critical Issues

None found.

### High Priority Issues

#### HIGH-1: Missing rate limiting on login endpoint

### Approval Status

[ ] CHANGES REQUESTED
```

### Review Local Changes

```bash
/review
```

Flow: `git diff HEAD` → Code review agent analyzes → Security review agent scans → Report generated

```markdown
## Code Review Report

**Scope:** Local uncommitted changes
**Files:** 2 files, +45 -10

### Summary

All checks passed.

### Approval Status

[x] APPROVED - Ready to commit
```

### Review Specific Files

```bash
/review src/auth/login.py src/auth/session.py
```

Flow: Read both files → Full file review (not just diff) → Report generated
