Agent skill
code-review
Code reviewer focusing on correctness, regressions, security, and test coverage - P0/P1/P2 severity
Install this agent skill to your Project
npx add-skill https://github.com/ferdiangunawan/rpi-stack/tree/main/code-review
SKILL.md
Code Review Skill
Reviews code for correctness, security, bugs, and best practices with severity ratings.
Purpose
The Code Review skill provides thorough code analysis:
┌─────────────────────────────────────────────────────────────────────────┐
│ CODE REVIEW FRAMEWORK │
├─────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌────────────┐ ┌────────────┐ ┌────────────┐ ┌────────────┐ │
│ │ CORRECTNESS│ │ SECURITY │ │ QUALITY │ │ PATTERNS │ │
│ └────────────┘ └────────────┘ └────────────┘ └────────────┘ │
│ │ │ │ │ │
│ ▼ ▼ ▼ ▼ │
│ • Logic bugs • Injection • Readability • AGENTS.md │
│ • Edge cases • Auth/Authz • Maintainable • Conventions │
│ • Regressions • Data exposure • Performance • Consistency │
│ │
│ ┌──────────────────────────────────────────────────────────────┐ │
│ │ SEVERITY RATINGS │ │
│ │ P0: Critical | P1: Important | P2: Nice-to-have │ │
│ └──────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────┘
Severity Levels
P0 - Critical (Must Fix)
Issues that MUST be fixed before merge:
- Security vulnerabilities (injection, XSS, auth bypass)
- Data corruption/loss risks
- Crashes or critical runtime errors
- Breaking changes without migration
- Business logic errors that cause wrong behavior
P1 - Important (Should Fix)
Issues that SHOULD be fixed:
- Logic errors in edge cases
- Performance issues with significant impact
- Error handling gaps
- Test coverage gaps for critical paths
- Pattern violations causing maintenance burden
P2 - Nice-to-have (Consider Fixing)
Issues that would improve code:
- Code style inconsistencies
- Minor performance improvements
- Documentation gaps
- Refactoring opportunities
- Minor pattern deviations
Review Categories
1. Correctness Review
Check for logic errors and bugs:
□ Business Logic
- Does code implement requirements correctly?
- Are calculations accurate?
- Are conditions/branching correct?
□ Edge Cases
- Null/empty handling
- Boundary conditions
- Error states
□ State Management
- State transitions correct?
- No stale state issues?
- Proper initialization?
□ Async Operations
- Race conditions?
- Proper await usage?
- Error propagation?
2. Security Review
Check for security vulnerabilities:
□ Input Validation
- All user inputs validated?
- No injection vulnerabilities?
- Proper sanitization?
□ Authentication & Authorization
- Auth checks in place?
- Proper permission checks?
- Session handling?
□ Data Protection
- Sensitive data not exposed?
- Proper encryption?
- No hardcoded secrets?
□ API Security
- Proper error messages (no info leak)?
- Rate limiting consideration?
- HTTPS enforced?
3. Quality Review
Check code quality:
□ Readability
- Clear naming?
- Reasonable function length?
- Comments where needed?
□ Maintainability
- Single responsibility?
- No code duplication?
- Testable design?
□ Performance
- No unnecessary operations?
- Proper list handling?
- Widget rebuild optimization?
□ Error Handling
- All errors caught?
- Meaningful error messages?
- Proper recovery?
4. Pattern Compliance Review (AGENTS.md)
Check adherence to project patterns:
□ State Management
- Using StateNotifier correctly?
- State class has copyWith?
- Provider properly defined?
□ Models
- Using Equatable?
- Using ReturnValue for JSON?
- Has props override?
□ Styling
- Using TypographyTheme?
- Using ColorApp?
- Using Gap/SizeApp?
□ Widget Structure
- Separate widget classes?
- No _buildX methods?
- ConsumerWidget where needed?
□ File Organization
- Correct folder structure?
- Proper file naming?
- Correct layer separation?
5. Test Coverage Review
Check test adequacy:
□ Unit Tests
- Critical logic tested?
- Edge cases covered?
- Error paths tested?
□ Widget Tests
- UI states tested?
- User interactions tested?
□ Mock Usage
- Proper mocking?
- No real API calls in tests?
Review Process
Step 1: Gather Context
1. Identify files to review
- New files created
- Modified files
- Related test files
2. Load context
- AGENTS.md patterns
- Original requirements (if available)
- Related existing code
Step 2: Systematic Review
For each file:
1. Read through completely
2. Check correctness
3. Check security
4. Check quality
5. Check patterns
6. Note all findings
Step 3: Categorize Findings
For each finding:
1. Assign severity (P0/P1/P2)
2. Identify category
3. Provide specific location
4. Explain the issue
5. Suggest fix
Step 4: Generate Report
Compile findings into structured report:
- Executive summary
- Findings by severity
- Findings by category
- Recommendations
Common Issues Checklist
Flutter/Dart Specific
□ Widget Rebuilds
- Const constructors where possible?
- Keys used appropriately?
- No expensive operations in build()?
□ Async/Await
- Proper Future handling?
- No fire-and-forget without intent?
- Cancellation handled?
□ Null Safety
- Proper null checks?
- No unnecessary null assertions (!)?
- Late variables justified?
□ Memory Leaks
- Listeners disposed?
- Controllers disposed?
- Streams closed?
Riverpod Specific
□ Provider Definition
- Correct provider type?
- Proper scoping?
- No circular dependencies?
□ State Updates
- Using copyWith correctly?
- No direct state mutation?
- Proper AsyncValue handling?
□ Ref Usage
- Using read vs watch correctly?
- No ref in async callbacks?
API/Data Specific
□ Response Handling
- All fields mapped?
- ReturnValue used correctly?
- Error responses handled?
□ Request Building
- Proper parameters?
- Headers correct?
- Body formatted correctly?
Output Template
# Code Review: {Feature/PR Name}
## Metadata
- **Date**: {YYYY-MM-DD}
- **Files Reviewed**: {count}
- **Reviewer**: Claude Code / Codex CLI
---
## Executive Summary
| Severity | Count | Status |
|----------|-------|--------|
| P0 (Critical) | {X} | {BLOCKING/CLEAR} |
| P1 (Important) | {X} | |
| P2 (Nice-to-have) | {X} | |
**Verdict**: {APPROVE / REQUEST CHANGES / NEEDS DISCUSSION}
---
## P0 - Critical Issues
{If none: "No critical issues found."}
### P0-1: {Issue Title}
**File**: `path/to/file.dart`
**Line**: {line number}
**Category**: {Security/Correctness/etc.}
**Issue**:
{Description of the problem}
**Code**:
```dart
// Current code
{problematic code}
Impact: {What could go wrong}
Suggested Fix:
// Fixed code
{corrected code}
P1 - Important Issues
P1-1: {Issue Title}
File: path/to/file.dart
Line: {line number}
Category: {category}
Issue: {description}
Suggested Fix: {fix}
P2 - Nice-to-have
P2-1: {Issue Title}
File: path/to/file.dart
Line: {line number}
Suggestion: {improvement suggestion}
Pattern Compliance
AGENTS.md Adherence
| Pattern | Status | Notes |
|---|---|---|
| State Management | ✓/✗ | {notes} |
| Model Pattern | ✓/✗ | {notes} |
| Styling | ✓/✗ | {notes} |
| Widget Structure | ✓/✗ | {notes} |
| File Organization | ✓/✗ | {notes} |
Test Coverage Assessment
| Area | Coverage | Recommendation |
|---|---|---|
| {area} | {level} | {recommendation} |
Files Reviewed
| File | Status | Issues |
|---|---|---|
path/to/file.dart |
{OK/ISSUES} | P0: {X}, P1: {X}, P2: {X} |
Recommendations
Must Do (Blocking)
- {P0 issue fix}
Should Do
- {P1 issue fix}
Consider
- {P2 improvement}
Approval Status
{APPROVED / APPROVED WITH COMMENTS / CHANGES REQUESTED}
{Final notes}
---
## Prompt
When user invokes `/code-review`, execute:
I will now conduct a thorough code review.
Gathering Context
-
Identifying files to review...
- New files: {list}
- Modified files: {list}
-
Loading project patterns from AGENTS.md...
Reviewing Code
File: {path/to/file.dart}
Correctness Check:
- Logic: {findings}
- Edge cases: {findings}
- State management: {findings}
Security Check:
- Input validation: {findings}
- Auth: {findings}
- Data protection: {findings}
Quality Check:
- Readability: {findings}
- Performance: {findings}
- Error handling: {findings}
Pattern Compliance:
- AGENTS.md adherence: {findings}
[Repeat for each file]
Summary
P0 Issues: {count}
{List critical issues}
P1 Issues: {count}
{List important issues}
P2 Issues: {count}
{List suggestions}
Verdict
{APPROVE / REQUEST CHANGES}
{Reasoning and required actions}
---
## Quick Commands
/code-review - Review recent changes /code-review path/to/file - Review specific file /code-review --staged - Review staged changes /code-review --security - Security-focused review /code-review --patterns - Pattern compliance only
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
audit-security
Security-focused audit that can run in background during implementation. Checks for vulnerabilities, auth issues, data exposure. Injects P0 findings to main agent.
rpi
Use when implementing features from Jira tickets, PRDs, or user requirements. Orchestrates Research-Plan-Implement workflow with quality gates for hallucination, overengineering, and underengineering detection.
implement
Executes implementation plan with quality checks and progress tracking. Follows AGENTS.md patterns strictly.
audit
Validates research/plan/code against overengineering, underengineering, and hallucination
audit-performance
Performance-focused audit that can run in background during implementation. Checks for inefficiencies, memory leaks, widget rebuilds. Injects P0 findings to main agent.
research
Use when needing to understand requirements before implementation. Gathers context from Jira, Confluence, codebase, and docs. Produces research document with confidence scoring.
Didn't find tool you were looking for?