code-review
Perform comprehensive code reviews with a focus on security vulnerabilities, performance optimization, maintainability, and code correctness.
Introduction
The code-review skill provides a structured framework for auditing software repositories to ensure high engineering standards. It is designed for developers, software engineers, and QA specialists who need to perform deep-dive analysis of pull requests, legacy codebases, or new implementations. By applying a systematic, multi-dimensional evaluation approach, the agent identifies critical flaws that automated linters might miss, helping teams maintain velocity without compromising on security or stability. The skill covers a broad technical surface, including language-specific patterns for Python, JavaScript, TypeScript, and Rust, as well as general architectural best practices.
- Security Analysis: Proactively scans for SQL injection, command injection, cross-site scripting (XSS), hardcoded credentials, and missing authentication or authorization controls.
- Performance Auditing: Evaluates algorithmic efficiency, identifies N+1 query patterns in database interactions, detects memory leaks, and highlights blocking operations inside asynchronous code paths.
- Correctness and Reliability: Reviews logic for off-by-one errors, race conditions in concurrent code, improper resource handling (unclosed files, connections, locks), and insufficient error propagation or recovery paths.
- Maintainability and Quality: Ensures adherence to naming conventions, checks for excessive function complexity and nesting, identifies duplicate code blocks, and flags dead or unreachable code.
- Testing Oversight: Validates the comprehensiveness of test suites, ensuring that edge cases, boundary values, and critical paths are covered by assertions and that external dependencies are mocked rather than exercised for real.
- Usage Notes: The agent uses standard dependency-audit tools (npm audit, pip-audit, cargo audit) and radon for complexity metrics. Users should provide the codebase path or specific file context for the review.
- Input/Output: Accepts source code files, directory paths, or PR diffs as input. Returns a detailed report including a summary, a categorized list of critical issues with suggested fixes, prioritized improvements, and an overall merge verdict.
- Constraints: While the agent can run static analysis on isolated files, it is most effective when given repository access, so that it can verify environment configuration, dependency manifests, and project-specific coding standards.
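The categories above describe what the review looks for but not how such checks are expressed in code. The following added example is not the skill's own implementation (this page shows none); it is a minimal Python AST pass that flags one representative pattern from the security, performance, and correctness categories, run over a constructed sample source. The category names, the credential-name regex, and the sample input are assumptions made for the demonstration.

```python
"""Minimal AST-based review checks (added example, not the skill's own code).

Walks Python source with the standard-library `ast` module and reports:
command injection (subprocess with shell=True), SQL injection (query string
built at runtime), hardcoded credentials (string literal assigned to a
secret-looking name), N+1 queries (.execute inside a loop) and blocking
calls in async code (time.sleep inside an `async def`).
"""
from __future__ import annotations

import ast
import re
from dataclasses import dataclass

# Assumed naming heuristic for credential-bearing variables.
CREDENTIAL_NAME = re.compile(r"(password|passwd|secret|api_key|token)", re.I)


@dataclass(frozen=True)
class Finding:
    category: str
    line: int
    message: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression assembles a string at runtime from pieces."""
    if isinstance(node, ast.JoinedStr):                       # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "..." + x / "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                    # "...".format(x)
    return False


def _callee(func: ast.AST) -> str:
    return func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")


class ReviewVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []
        self._loop_depth = 0    # >0 while inside a for-loop body
        self._async_depth = 0   # >0 while inside an async def

    def visit_Assign(self, node: ast.Assign) -> None:
        for target in node.targets:
            if (isinstance(target, ast.Name) and CREDENTIAL_NAME.search(target.id)
                    and isinstance(node.value, ast.Constant)
                    and isinstance(node.value.value, str) and node.value.value):
                self.findings.append(Finding("hardcoded-credential", node.lineno,
                                             f"{target.id} is assigned a string literal"))
        self.generic_visit(node)

    def visit_For(self, node: ast.For) -> None:
        self._loop_depth += 1
        self.generic_visit(node)
        self._loop_depth -= 1

    def visit_AsyncFunctionDef(self, node: ast.AsyncFunctionDef) -> None:
        self._async_depth += 1
        self.generic_visit(node)
        self._async_depth -= 1

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        # A plain def nested inside an async def is not itself async.
        saved, self._async_depth = self._async_depth, 0
        self.generic_visit(node)
        self._async_depth = saved

    def visit_Call(self, node: ast.Call) -> None:
        name = _callee(node.func)
        if name in {"run", "call", "Popen", "check_output"}:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(Finding("command-injection", node.lineno,
                                                 "subprocess call with shell=True"))
        if name == "execute":
            if node.args and _is_dynamic_string(node.args[0]):
                self.findings.append(Finding("sql-injection", node.lineno,
                                             "query string built at runtime; use bound parameters"))
            if self._loop_depth:
                self.findings.append(Finding("n-plus-one", node.lineno, "database call inside a loop"))
        if (name == "sleep" and self._async_depth and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name) and node.func.value.id == "time"):
            self.findings.append(Finding("blocking-in-async", node.lineno,
                                         "time.sleep inside async def; use asyncio.sleep"))
        self.generic_visit(node)


def review(source: str) -> list[Finding]:
    """Parse `source` and return findings ordered by line number."""
    visitor = ReviewVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample input: deliberately flawed code for the checks to find.
SAMPLE = '''
import subprocess, time, asyncio
DB_PASSWORD = "hunter2"
def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    return cur.fetchone()
def export(conn, ids):
    cur = conn.cursor()
    for i in ids:
        cur.execute("SELECT * FROM orders WHERE id = %s", (i,))
def ping(host):
    return subprocess.run("ping -c1 " + host, shell=True)
async def poll():
    time.sleep(1)
'''

if __name__ == "__main__":
    for f in review(SAMPLE):
        print(f"line {f.line}: [{f.category}] {f.message}")
```

Each finding carries the category the report would file it under, so the output maps directly onto the categorized issue list the skill returns. The parameterized query inside the loop in `export` is correctly reported only as an N+1 pattern, not as SQL injection, because the query text itself is a constant; that distinction is what separates a review check from a keyword grep.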
Repository Stats
- Stars: 57,245
- Forks: 9,398
- Open Issues: 108
- Language: TypeScript
- Default Branch: main
- Sync Status: Idle
- Last Synced: Apr 29, 2026, 05:45 AM