Agent skill

code-review

Review code changes for security, performance, and correctness. Trigger with a PR URL or diff, "review this before I merge", "is this code safe?", or when checking a change for N+1 queries, injection risks, missing edge cases, or error handling gaps.

Stars 10,807
Forks 1,224

Install this agent skill to your Project

npx add-skill https://github.com/anthropics/knowledge-work-plugins/tree/main/engineering/skills/code-review

SKILL.md

/code-review

If you see unfamiliar placeholders or need to check which tools are connected, see CONNECTORS.md.

Review code changes with a structured lens on security, performance, correctness, and maintainability.

Usage

/code-review <PR URL or file path>

Review the provided code changes: @$1

If no specific file or URL is provided, ask what to review.

How It Works

┌─────────────────────────────────────────────────────────────────┐
│                      CODE REVIEW                                   │
├─────────────────────────────────────────────────────────────────┤
│  STANDALONE (always works)                                       │
│  ✓ Paste a diff, PR URL, or point to files                      │
│  ✓ Security audit (OWASP top 10, injection, auth)               │
│  ✓ Performance review (N+1, memory leaks, complexity)           │
│  ✓ Correctness (edge cases, error handling, race conditions)    │
│  ✓ Style (naming, structure, readability)                        │
│  ✓ Actionable suggestions with code examples                    │
├─────────────────────────────────────────────────────────────────┤
│  SUPERCHARGED (when you connect your tools)                      │
│  + Source control: Pull PR diff automatically                    │
│  + Project tracker: Link findings to tickets                     │
│  + Knowledge base: Check against team coding standards           │
└─────────────────────────────────────────────────────────────────┘

Review Dimensions

Security

  • SQL injection, XSS, CSRF
  • Authentication and authorization flaws
  • Secrets or credentials in code
  • Insecure deserialization
  • Path traversal
  • SSRF

Performance

  • N+1 queries
  • Unnecessary memory allocations
  • Algorithmic complexity (O(n²) in hot paths)
  • Missing database indexes
  • Unbounded queries or loops
  • Resource leaks

Correctness

  • Edge cases (empty input, null, overflow)
  • Race conditions and concurrency issues
  • Error handling and propagation
  • Off-by-one errors
  • Type safety

Maintainability

  • Naming clarity
  • Single responsibility
  • Duplication
  • Test coverage
  • Documentation for non-obvious logic

Output

markdown
## Code Review: [PR title or file]

### Summary
[1-2 sentence overview of the changes and overall quality]

### Critical Issues
| # | File | Line | Issue | Severity |
|---|------|------|-------|----------|
| 1 | [file] | [line] | [description] | 🔴 Critical |

### Suggestions
| # | File | Line | Suggestion | Category |
|---|------|------|------------|----------|
| 1 | [file] | [line] | [description] | Performance |

### What Looks Good
- [Positive observations]

### Verdict
[Approve / Request Changes / Needs Discussion]

If Connectors Available

If ~~source control is connected:

  • Pull the PR diff automatically from the URL
  • Check CI status and test results

If ~~project tracker is connected:

  • Link findings to related tickets
  • Verify the PR addresses the stated requirements

If ~~knowledge base is connected:

  • Check changes against team coding standards and style guides

Tips

  1. Provide context — "This is a hot path" or "This handles PII" helps me focus.
  2. Specify concerns — "Focus on security" narrows the review.
  3. Include tests — I'll check test coverage and quality too.

Expand your agent's capabilities with these related and highly-rated skills.

anthropics/knowledge-work-plugins

view-pdf

Interactive PDF viewer. Use when the user wants to open, show, or view a PDF and collaborate on it visually — annotate, highlight, stamp, fill form fields, place signature/initials, or review markup together. Not for summarization or text extraction (use native Read instead).

10,807 1,224
Explore
anthropics/knowledge-work-plugins

signature-request

Prepare and route a document for e-signature — run a pre-signature checklist, configure signing order, and send for execution. Use when a contract is finalized and ready to sign, when verifying entity names, exhibits, and signature blocks before sending, or when setting up an envelope with sequential or parallel signers.

10,807 1,224
Explore
anthropics/knowledge-work-plugins

brief

Generate contextual briefings for legal work — daily summary, topic research, or incident response. Use when starting your day and need a scan of legal-relevant items across email, calendar, and contracts, when researching a specific legal question across internal sources, or when a developing situation (data breach, litigation threat, regulatory inquiry) needs rapid context.

10,807 1,224
Explore
anthropics/knowledge-work-plugins

legal-risk-assessment

Assess and classify legal risks using a severity-by-likelihood framework with escalation criteria. Use when evaluating contract risk, assessing deal exposure, classifying issues by severity, or determining whether a matter needs senior counsel or outside legal review.

10,807 1,224
Explore
anthropics/knowledge-work-plugins

triage-nda

Rapidly triage an incoming NDA and classify it as GREEN (standard approval), YELLOW (counsel review), or RED (full legal review). Use when a new NDA arrives from sales or business development, when screening for embedded non-solicits, non-competes, or missing carveouts, or when deciding whether an NDA can be signed under standard delegation.

10,807 1,224
Explore
anthropics/knowledge-work-plugins

compliance-check

Run a compliance check on a proposed action, product feature, or business initiative, surfacing applicable regulations, required approvals, and risk areas. Use when launching a feature that touches personal data, when marketing or product proposes something with regulatory implications, or when you need to know which approvals and jurisdictional requirements apply before proceeding.

10,807 1,224
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results