Agent skill

dotnet-code-review

Review .NET changes for bugs, regressions, architectural drift, missing tests, incorrect async or disposal behavior, and platform-specific pitfalls before you approve or merge them.


Install this agent skill to your Project

npx add-skill https://github.com/managedcode/dotnet-skills/tree/main/catalog/Platform/Code-Review/skills/dotnet-code-review

SKILL.md

.NET Code Review

Trigger On

  • reviewing a pull request or patch in a .NET repository
  • checking for behavioral regressions, API misuse, or missing tests
  • auditing architectural or framework-specific correctness

References

  • checklist.md - comprehensive code review checklist organized by risk priority
  • patterns.md - common patterns and anti-patterns for async, disposal, and security

Workflow

  1. Prioritize correctness, data loss, concurrency, security, lifecycle, and platform-compatibility issues before style concerns. Use the checklist P0-P2 categories first.
  2. Check async flows, cancellation propagation, exception handling, disposal, and transient versus singleton lifetime mistakes. Refer to patterns.md for common pitfalls.
  3. Verify tests cover the changed behavior, not only the happy path or refactored implementation details.
  4. Inspect framework-specific boundaries such as EF query translation, ASP.NET middleware order, Blazor render state, or MAUI UI-thread access.
  5. Call out missing observability, migration risk, or runtime configuration drift when those are part of the change.
  6. Keep findings concrete, reproducible, and tied to specific files or behavior.

Key Review Patterns

Async Code

  • Async must propagate through the entire call chain; never use .Result, .Wait(), or .GetAwaiter().GetResult() in async contexts
  • Always propagate CancellationToken parameters
  • Use ConfigureAwait(false) in library code
  • Never use async void except for event handlers

Resource Disposal

  • Use using declarations or statements for all IDisposable resources
  • Use await using for IAsyncDisposable resources
  • Use IHttpClientFactory instead of creating HttpClient directly
  • Unsubscribe event handlers to prevent memory leaks
  • Validate DI service lifetimes to prevent captured dependencies
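
A before/after for the Async Code and Resource Disposal items above, as an added example that is not part of the skill's own files. The ReportReader class, its method names and the sample file are hypothetical, and the ReadToEndAsync(CancellationToken) overload assumes .NET 7 or later.

```csharp
using System;
using System.IO;
using System.Threading;
using System.Threading.Tasks;

public static class ReportReader
{
    // Pattern to flag in review: sync-over-async. .Result blocks the calling
    // thread, can deadlock under a synchronization context, wraps failures in
    // AggregateException, and gives the caller no way to cancel.
    public static string ReadBlocking(string path)
    {
        return File.ReadAllTextAsync(path).Result;
    }

    // Preferred form: async up to the caller, the token handed to the awaited
    // call, ConfigureAwait(false) because this is library-style code, and the
    // stream released with await using since FileStream is IAsyncDisposable.
    public static async Task<string> ReadAsync(
        string path, CancellationToken cancellationToken = default)
    {
        await using var stream = new FileStream(
            path, FileMode.Open, FileAccess.Read, FileShare.Read,
            bufferSize: 4096, useAsync: true);
        using var reader = new StreamReader(stream);
        return await reader.ReadToEndAsync(cancellationToken).ConfigureAwait(false);
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Constructed sample input written to a temp file so the example runs offline.
        string path = Path.GetTempFileName();
        await File.WriteAllTextAsync(path, "constructed sample report");
        try
        {
            // The caller owns the deadline; the token flows down the whole chain.
            using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5));
            Console.WriteLine(await ReportReader.ReadAsync(path, cts.Token));
        }
        finally
        {
            File.Delete(path);
        }
    }
}
```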

Security

  • Use parameterized queries or EF to prevent SQL injection
  • Validate all user input at system boundaries
  • Prevent path traversal by validating resolved paths stay within allowed directories
  • Never hardcode secrets; use configuration and secret management
  • Enforce authorization checks before accessing protected resources
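
The path traversal item above, shown as the unchecked pattern beside a hardened form. This is an added example, not code from the skill; SafePaths, its methods, the uploads directory and the input names are hypothetical, and OperatingSystem.IsWindows() assumes .NET 5 or later.

```csharp
using System;
using System.IO;

public static class SafePaths
{
    // Pattern to flag in review: the combined path is used without checking
    // where it resolves.
    public static string ResolveUnchecked(string baseDir, string name) =>
        Path.Combine(baseDir, name);

    // Hardened form: canonicalize, then require the result to stay under baseDir.
    public static string ResolveUnder(string baseDir, string name)
    {
        // The trailing separator stops a sibling such as "uploads-old" from
        // passing a prefix check against "uploads".
        string root = Path.GetFullPath(baseDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar))
            root += Path.DirectorySeparatorChar;

        // GetFullPath collapses "." and ".." segments. Path.Combine returns the
        // second argument alone when it is rooted, so absolute input is caught
        // by the same check. Symbolic links are not resolved here.
        string candidate = Path.GetFullPath(Path.Combine(root, name));

        StringComparison cmp = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;
        if (!candidate.StartsWith(root, cmp))
            throw new UnauthorizedAccessException(
                $"'{name}' resolves outside the allowed directory.");
        return candidate;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample root and inputs: an ordinary name, a name with a
        // parent segment, and a sibling directory that shares the root's prefix.
        string baseDir = Path.Combine(Path.GetTempPath(), "uploads");
        foreach (string name in new[] { "report.pdf", "../appsettings.json", "../uploads-old/x.txt" })
        {
            try { Console.WriteLine($"allowed:  {SafePaths.ResolveUnder(baseDir, name)}"); }
            catch (UnauthorizedAccessException ex) { Console.WriteLine($"rejected: {ex.Message}"); }
        }
    }
}
```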

Deliver

  • ranked review findings with file references
  • clear residual risks and test gaps
  • brief summary of what changed only after findings

Validate

  • findings describe user-visible or maintainability-impacting risk
  • assumptions are stated when repo context is incomplete
  • no trivial style nit hides a more serious issue
