Skill: code-review

Purpose: Perform comprehensive code reviews covering security, style, performance, and best practices.

When to use this Skill

Use this Skill when:

• Reviewing code changes before commit or merge.
• Auditing existing code for issues.
• Checking for security vulnerabilities.
• Ensuring code follows project conventions.

Review workflow

1. Gather context

Before reviewing:

# See what changed
git diff --stat
git diff

# Or for specific files
git diff path/to/file

Understand:

• What is the purpose of these changes?
• Which files are affected?
• What is the expected behavior?

2. Security audit

Check for:

• Injection vulnerabilities: SQL, command, XSS.
• Authentication issues: Weak auth, missing checks.
• Authorization flaws: Missing permission checks.
• Sensitive data exposure: Hardcoded secrets, logs.
• Insecure dependencies: Known vulnerabilities.

Red flags:

• String concatenation in queries.
• eval(), exec(), or similar.
• Hardcoded credentials or API keys.
• Missing input validation.
• Overly permissive CORS.

3. Style check

Verify:

• Naming conventions: Clear, consistent names.
• Code formatting: Consistent indentation, spacing.
• Documentation: Comments where needed.
• File organization: Logical structure.
• Import ordering: Consistent imports.

4. Performance review

Look for:

• N+1 queries: Database access in loops.
• Unnecessary computation: Repeated calculations.
• Memory issues: Large allocations, leaks.
• Blocking operations: Sync in async contexts.
• Inefficient algorithms: O(n²) where O(n) possible.

5. Best practices

Check:

• Error handling: Proper try/catch, error types.
• Logging: Appropriate log levels.
• Testing: Test coverage for changes.
• DRY principle: No unnecessary duplication.
• Single responsibility: Functions do one thing.

6. Generate report

Summarize findings by severity:

## Code Review Summary

### Critical (must fix)
- None found

### High (should fix)
- SQL injection risk in UserService.ts:42

### Medium (consider fixing)
- Function exceeds 50 lines in ApiHandler.ts:120

### Low (nice to have)
- Consider extracting magic number to constant

### Info
- Good use of early returns in validation logic

Severity levels

Common patterns

SQL injection

Bad:

const query = `SELECT * FROM users WHERE id = ${userId}`;

Good:

const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);

XSS vulnerability

Bad:

element.innerHTML = userInput;

Good:

element.textContent = userInput;

N+1 query

Bad:

const users = await getUsers();
for (const user of users) {
  user.posts = await getPosts(user.id);
}

Good:

const users = await getUsersWithPosts();

Missing error handling

Bad:

const data = JSON.parse(input);

Good:

try {
  const data = JSON.parse(input);
} catch (error) {
  logger.error('Invalid JSON input', { error });
  throw new ValidationError('Invalid input format');
}

Integration

With autonomous-ci

1. Make changes.
2. Run code-review to check.
3. Fix issues found.
4. Run autonomous-ci to verify.

With smart-commit

1. Make changes.
2. Run code-review to check.
3. Fix issues.
4. Use smart-commit to commit.

Checklist

Complete review checklist:

• Security vulnerabilities checked.
• Code style verified.
• Performance issues identified.
• Error handling reviewed.
• Test coverage assessed.
• Documentation checked.
• Report generated with findings.