code-review
```
$ npx mdskill add anthropics/knowledge-work-plugins/code-review
```

Analyzes code changes for security, performance, and correctness issues when triggered with a PR URL, diff, or file path.
- Helps developers identify vulnerabilities, inefficiencies, and bugs before merging changes.
- Integrates with PR URLs, diffs, or file paths as input sources.
- Uses structured checks for OWASP top 10, N+1 queries, edge cases, and style.
- Delivers actionable suggestions with code examples in a clear, structured format.
SKILL.md
.github/skills/code-review
---
name: code-review
description: Review code changes for security, performance, and correctness. Trigger with a PR URL or diff, "review this before I merge", "is this code safe?", or when checking a change for N+1 queries, injection risks, missing edge cases, or error handling gaps.
argument-hint: "<PR URL, diff, or file path>"
---

# /code-review

> If you see unfamiliar placeholders or need to check which tools are connected, see [CONNECTORS.md](../../CONNECTORS.md).

Review code changes with a structured lens on security, performance, correctness, and maintainability.

## Usage

```
/code-review <PR URL or file path>
```

Review the provided code changes: @$1

If no specific file or URL is provided, ask what to review.

## How It Works

```
┌─────────────────────────────────────────────────────────────────┐
│                           CODE REVIEW                           │
├─────────────────────────────────────────────────────────────────┤
│ STANDALONE (always works)                                       │
│ ✓ Paste a diff, PR URL, or point to files                       │
│ ✓ Security audit (OWASP top 10, injection, auth)                │
│ ✓ Performance review (N+1, memory leaks, complexity)            │
│ ✓ Correctness (edge cases, error handling, race conditions)     │
│ ✓ Style (naming, structure, readability)                        │
│ ✓ Actionable suggestions with code examples                     │
├─────────────────────────────────────────────────────────────────┤
│ SUPERCHARGED (when you connect your tools)                      │
│ + Source control: Pull PR diff automatically                    │
│ + Project tracker: Link findings to tickets                     │
│ + Knowledge base: Check against team coding standards           │
└─────────────────────────────────────────────────────────────────┘
```

## Review Dimensions

### Security

- SQL injection, XSS, CSRF
- Authentication and authorization flaws
- Secrets or credentials in code
- Insecure deserialization
- Path traversal
- SSRF

### Performance

- N+1 queries
- Unnecessary memory allocations
- Algorithmic complexity (O(n²) in hot paths)
- Missing database indexes
- Unbounded queries or loops
- Resource leaks

### Correctness

- Edge cases (empty input, null, overflow)
- Race conditions and concurrency issues
- Error handling and propagation
- Off-by-one errors
- Type safety

### Maintainability

- Naming clarity
- Single responsibility
- Duplication
- Test coverage
- Documentation for non-obvious logic

## Output

```markdown
## Code Review: [PR title or file]

### Summary
[1-2 sentence overview of the changes and overall quality]

### Critical Issues
| # | File | Line | Issue | Severity |
|---|------|------|-------|----------|
| 1 | [file] | [line] | [description] | 🔴 Critical |

### Suggestions
| # | File | Line | Suggestion | Category |
|---|------|------|------------|----------|
| 1 | [file] | [line] | [description] | Performance |

### What Looks Good
- [Positive observations]

### Verdict
[Approve / Request Changes / Needs Discussion]
```

## If Connectors Available

If **~~source control** is connected:
- Pull the PR diff automatically from the URL
- Check CI status and test results

If **~~project tracker** is connected:
- Link findings to related tickets
- Verify the PR addresses the stated requirements

If **~~knowledge base** is connected:
- Check changes against team coding standards and style guides

## Tips

1. **Provide context** — "This is a hot path" or "This handles PII" helps me focus.
2. **Specify concerns** — "Focus on security" narrows the review.
3. **Include tests** — I'll check test coverage and quality too.