home / skills / onewave-ai / claude-skills / code-review-pro

code-review-pro skill

safe

This skill performs comprehensive code reviews for security, performance, and maintainability, delivering actionable fixes and refactoring suggestions.

npx playbooks add skill onewave-ai/claude-skills --skill code-review-pro

Review the files below or copy the command above to add this skill to your agents.

Files (1)

SKILL.md

5.1 KB

---
name: code-review-pro
description: Comprehensive code review covering security vulnerabilities, performance bottlenecks, best practices, and refactoring opportunities. Use when user requests code review, security audit, or performance analysis.
---

# Code Review Pro

Deep code analysis covering security, performance, maintainability, and best practices.

## When to Use This Skill

Activate when the user:
- Asks for a code review
- Wants security vulnerability scanning
- Needs performance analysis
- Asks to "review this code" or "audit this code"
- Mentions finding bugs or improvements
- Wants refactoring suggestions
- Requests best practice validation

## Instructions

1. **Security Analysis (Critical Priority)**
   - SQL injection vulnerabilities
   - XSS (cross-site scripting) risks
   - Authentication/authorization issues
   - Secrets or credentials in code
   - Unsafe deserialization
   - Path traversal vulnerabilities
   - CSRF protection
   - Input validation gaps
   - Insecure cryptography
   - Dependency vulnerabilities

2. **Performance Analysis**
   - N+1 query problems
   - Inefficient algorithms (check Big O complexity)
   - Memory leaks
   - Unnecessary re-renders (React/Vue)
   - Missing indexes (database queries)
   - Blocking operations
   - Resource cleanup (file handles, connections)
   - Caching opportunities
   - Excessive network calls
   - Large bundle sizes

3. **Code Quality & Maintainability**
   - Code duplication (DRY violations)
   - Function/method length (should be <50 lines)
   - Cyclomatic complexity
   - Unclear naming
   - Missing error handling
   - Inconsistent style
   - Missing documentation
   - Hard-coded values that should be constants
   - God classes/functions
   - Tight coupling

4. **Best Practices**
   - Language-specific idioms
   - Framework conventions
   - SOLID principles
   - Design patterns usage
   - Testing approach
   - Logging and monitoring
   - Accessibility (for UI code)
   - Type safety
   - Null/undefined handling

5. **Bugs and Edge Cases**
   - Logic errors
   - Off-by-one errors
   - Race conditions
   - Null pointer exceptions
   - Unhandled edge cases
   - Timezone issues
   - Encoding problems
   - Floating point precision

6. **Provide Actionable Fixes**
   - Show specific code changes
   - Explain why change is needed
   - Include before/after examples
   - Prioritize by severity

## Output Format

```markdown
# Code Review Report

## 🚨 Critical Issues (Fix Immediately)
### 1. SQL Injection Vulnerability (line X)
**Severity**: Critical
**Issue**: User input directly concatenated into SQL query
**Impact**: Database compromise, data theft

**Current Code:**
```javascript
const query = `SELECT * FROM users WHERE email = '${userEmail}'`;
```

**Fixed Code:**
```javascript
const query = 'SELECT * FROM users WHERE email = ?';
db.query(query, [userEmail]);
```

**Explanation**: Always use parameterized queries to prevent SQL injection.

## ⚠️ High Priority Issues
### 2. Performance: N+1 Query Problem (line Y)
[Details...]

## 💡 Medium Priority Issues
### 3. Code Quality: Function Too Long (line Z)
[Details...]

## ✅ Low Priority / Nice to Have
### 4. Consider Using Const Instead of Let
[Details...]

## 📊 Summary
- **Total Issues**: 12
  - Critical: 2
  - High: 4
  - Medium: 4
  - Low: 2

## 🎯 Quick Wins
Changes with high impact and low effort:
1. [Fix 1]
2. [Fix 2]

## 🏆 Strengths
- Good error handling in X
- Clear naming conventions
- Well-structured modules

## 🔄 Refactoring Opportunities
1. **Extract Method**: Lines X-Y could be extracted into `calculateDiscount()`
2. **Remove Duplication**: [specific code blocks]

## 📚 Resources
- [OWASP SQL Injection Guide](https://...)
- [Performance Best Practices](https://...)
```

## Examples

**User**: "Review this authentication code"
**Response**: Analyze auth logic → Identify security issues (weak password hashing, no rate limiting) → Check token handling → Note missing CSRF protection → Provide specific fixes with code examples → Prioritize by severity

**User**: "Can you find performance issues in this React component?"
**Response**: Analyze component → Identify unnecessary re-renders → Find missing useMemo/useCallback → Note large state objects → Check for expensive operations in render → Provide optimized version with explanations

**User**: "Review this API endpoint"
**Response**: Check input validation → Analyze error handling → Test for SQL injection → Review authentication → Check rate limiting → Examine response structure → Suggest improvements with code samples

## Best Practices

- Always prioritize security issues first
- Provide specific line numbers for issues
- Include before/after code examples
- Explain *why* something is a problem
- Consider the language/framework context
- Don't just criticize—acknowledge good code too
- Suggest gradual improvements for large refactors
- Link to documentation for recommendations
- Consider project constraints (legacy code, deadlines)
- Balance perfectionism with pragmatism
- Focus on impactful changes
- Group similar issues together
- Make recommendations actionable

Overview

This skill performs comprehensive code reviews focused on security vulnerabilities, performance bottlenecks, maintainability issues, and refactoring opportunities. It produces prioritized, actionable findings with before/after code examples and clear remediation steps. Use it to get a practical audit of code quality, risks, and quick wins.

How this skill works

I inspect source code and related config for common and language-specific risks: injection vectors, auth flaws, unsafe dependencies, inefficient algorithms, memory and I/O issues, and maintainability smells. I prioritize issues by severity, show concrete code changes (before/after), and recommend tests, monitoring, or architecture adjustments. Reports highlight critical fixes first, followed by performance, quality, and nice-to-have improvements.

When to use it

When you ask for a code review or audit
Before shipping security-sensitive features (auth, payments, data export)
When tracking down performance regressions or latency spikes
Before major refactors or production rollouts
When onboarding a new codebase and validating quality

Best practices

Prioritize security issues first and fix high-severity bugs immediately
Provide small, testable code changes with before/after examples
Include line references and reproduce steps where possible
Favor parameterized queries, proper input validation, and secure secret management
Measure performance impact of fixes with benchmarks or profiling
Balance refactoring scope: prefer incremental improvements and quick wins

Example use cases

Review an authentication module for weak hashing, token handling, and CSRF issues
Audit a database access layer for SQL injection, N+1 queries, and missing indexes
Optimize a React/Vue component to remove unnecessary re-renders and reduce bundle size
Analyze an API endpoint for input validation, error handling, and rate limiting
Suggest refactors to reduce cyclomatic complexity and duplicate logic

FAQ

What languages and frameworks do you support?

I focus on common stacks and idioms; Python is primary, and I cover JavaScript frameworks, backend APIs, and SQL patterns with language-specific recommendations.

How are findings prioritized?

Findings are prioritized by impact and exploitability: Critical security issues first, then high performance or reliability risks, then maintainability and style items.

Will you provide code fixes I can apply directly?

Yes. Each actionable issue includes a before/after snippet and an explanation. For large changes I propose incremental steps and tests.