code review Agent Skills

code-review-excellence helps agents produce clearer, more constructive code reviews with better prioritization, reviewer tone, and actionable feedback for pull requests, mentoring, and team review standards.

code-review-and-quality is a structured pre-merge review skill that checks correctness, readability, architecture, security, and performance. Install it from the parent repo, read skills/code-review-and-quality/SKILL.md, and use it with diffs, task context, and test results for stronger review decisions.

flutter-dart-code-review is a library-agnostic Flutter and Dart code review checklist for architecture, widget quality, state management, performance, accessibility, security, and clean code. Use it as a structured flutter-dart-code-review guide for Code Review across BLoC, Riverpod, Provider, GetX, MobX, Signals, or custom patterns.

requesting-code-review is a lightweight workflow for dispatching the superpowers:code-reviewer subagent with a clean git diff, requirements, and change summary so reviews happen at the right time and produce actionable, severity-ranked feedback before merge.

receiving-code-review helps you verify PR feedback before editing code. Use it to restate review comments, check them against the codebase, ask for clarification on unclear items, and push back when suggestions do not fit.

code-reviewer is an AI code review skill that follows a strict review order: security, performance, correctness, and maintainability. It uses rule files for SQL injection, XSS, N+1 queries, error handling, naming, and type hints, making PR reviews more consistent than a generic review prompt.

differential-review is a security-focused code review skill for PRs, commits, and diffs. It uses baseline history, blast radius, test coverage, and structured reporting to help catch regressions in auth, crypto, external calls, and other high-risk paths. Use it for differential-review for Code Review when you need evidence-backed findings.

code-reviewer is a lightweight skill for Code Review that turns code or diffs into a structured report covering security, performance, best practices, severity, affected lines or sections, recommended fixes, and an overall quality score.

The code-reviewer skill guides structured PR and diff reviews for correctness, security, performance, testing, and maintainability, using repository references and a checklist script to make Code Review more consistent and actionable.

spec-to-code-compliance verifies that code matches written specifications exactly for blockchain audits and Compliance Review. Use the spec-to-code-compliance skill to compare whitepapers, design docs, and implementations, identify missing behavior, and flag undocumented or divergent logic.

naming-analyzer reviews variables, functions, classes, files, database fields, and API names, flagging vague or misleading identifiers and suggesting clearer, convention-aware alternatives for code review and refactoring.

Use the security-review skill to review auth, user input, secrets, APIs, payments, uploads, and other sensitive flows. It provides a practical security-review guide with clear pass/fail checks, risky-pattern examples, and a focused process for catching common issues before release.

ai-first-engineering is a concise operating model for teams where AI agents generate much of the implementation work. It helps set Agent Standards for planning, architecture, review, and testing, with guidance on install, usage, and when to apply the skill.

The coding-standards skill gives a baseline for naming, readability, immutability, consistency, and code review across projects, before applying framework-specific rules.

The gemini skill helps agents use Gemini CLI for code review, plan review, and large-context analysis. Learn when to install the skill, choose a model, avoid non-interactive approval hangs, and run safer Gemini workflows for multi-file reviews.

repo-scan is a cross-stack source audit skill that classifies files, detects embedded third-party libraries, and helps you judge what is core, duplicated, or dead weight. It is useful for repo-scan for Code Review, legacy migrations, and refactor planning. See repo-scan install and repo-scan usage guidance in the skill.

python-expert is a GitHub skill for Python code generation, review, debugging, and refactoring. It guides agents with a clear priority order—correctness, type safety, performance, then style—and points users to SKILL.md, AGENTS.md, and rule files for practical adoption.

python-anti-patterns is a Python code review checklist for spotting fragile patterns like scattered retries, timeout duplication, and hidden complexity before merge, during refactoring, or while debugging.

python-code-style helps with Python formatting, linting, naming, type hints, and docstrings. Use it to review pull requests, standardize team conventions, and set up ruff, mypy, or pyright guidance in pyproject.toml.

frontend-design-review is a GitHub skill for reviewing frontend UI work and creating distinctive, production-grade interfaces from scratch. It helps assess design system compliance, accessibility, visual quality, and whether a UI feels generic or intentionally designed. Use it for PR reviews, component reviews, and frontend-design-review for UI Design.

The python-patterns skill helps you write, review, and refactor Python code with idiomatic patterns, readable structure, type hints, and practical exception handling. Use it for new code, package/module design, or cleaner refactors that preserve behavior and follow Python conventions.

gh-address-comments helps address review and issue comments on the open GitHub PR for your current branch using gh CLI. It verifies GitHub auth first, fetches comments and review threads, numbers them, and helps you choose which items to fix. Useful for gh-address-comments guide and gh-address-comments for PR Review workflows.

multi-reviewer-patterns helps agents run parallel code reviews across security, performance, architecture, testing, and accessibility, then deduplicate findings, calibrate severity, and deliver one consolidated report. Includes install context, key files, and practical usage guidance.

golang-patterns is a practical guide for idiomatic Go patterns, code review, and refactoring. It helps Backend Development teams choose clear APIs, safe error handling, useful zero values, and maintainable package boundaries. Install golang-patterns when you need less guesswork and more consistent Go design decisions.

skill-comply is a compliance-testing skill that checks whether an agent follows a skill, rule, or agent definition in real runs. It generates specs from markdown, runs three prompt strictness levels, classifies tool-call timelines, and reports compliance rates with evidence. Useful for skill-comply for Compliance Review.

shellcheck-configuration helps you install ShellCheck, tune .shellcheckrc, and apply lint policy for CI and Code Review across bash, sh, dash, and ksh projects.

github is a GitHub skill for PRs, stacked PRs, code review, branching, and repo maintenance with gh CLI. Use it when you need a clear github guide for repeatable GitHub for Git Workflows tasks, including merge and rebase steps.

The java-coding-standards skill provides practical guidance for readable, maintainable Java 17+ in Spring Boot services, covering naming, immutability, Optional, streams, exceptions, generics, and package layout. Use it for coding, refactoring, and java-coding-standards for Code Review.

cpp-coding-standards is a C++ coding standards guide based on the C++ Core Guidelines. Use it for writing, reviewing, and refactoring modern C++ with a focus on safety, clarity, maintainability, RAII, type safety, and good design. Ideal for cpp-coding-standards for Code Review and practical team decisions.

The click-path-audit skill helps trace UI handlers through every state change to catch sequence bugs, shared-state collisions, and final-state mismatches after refactors or during code review.

dotnet-patterns is a practical .NET pattern guide for backend development. It helps you write and review idiomatic C# with stronger defaults for immutability, explicit dependencies, async/await, and maintainable ASP.NET Core services. Use it for code generation, refactoring, and review when you want repeatable patterns, not generic advice.

smart-explore is a structural code exploration skill that uses smart_search, smart_outline, and smart_unfold to map a codebase before reading full files. It helps with code navigation, targeted debugging, and smart-explore for Code Review when MCP tool support is available.

quality-nonconformance is a regulated-manufacturing skill for NCR intake, root cause analysis, CAPA, SPC interpretation, and final disposition. Use it for Compliance Review, supplier quality issues, and evidence-based decisions where traceability, risk, and audit-ready judgment matter.

subagent-driven-development is a skill for executing implementation plans with a fresh subagent per task, then reviewing each result in two passes: spec compliance first, code quality second. It includes prompt templates for the implementer, spec reviewer, and code quality reviewer.

code-maturity-assessor provides an evidence-based maturity review using Trail of Bits’ 9-category framework. It assesses arithmetic safety, auditing, access control, complexity, decentralization, documentation, MEV risk, low-level code, and testing, with actionable recommendations for security audit readiness.

The insecure-defaults skill helps spot fail-open configuration patterns that let software run with unsafe settings instead of stopping. Use it for a Security Audit of production code, deployment configs, and secret-handling logic to catch weak auth, hardcoded secrets, and permissive defaults.

The codeql skill helps you run CodeQL with fewer blind spots during a security audit. It focuses on database quality, suite selection, data extensions, and SARIF review so you can use codeql usage more reliably across supported languages. Use it for repeatable codeql guide steps when analyzing real repositories.

apple-appstore-reviewer helps audit iOS apps for App Store rejection risks, privacy gaps, permissions, subscriptions, and reviewer-blocking flows before submission.

pytorch-patterns helps you write, review, and debug PyTorch code with device-agnostic patterns, reproducible experiments, and explicit tensor handling. Use the pytorch-patterns skill for cleaner training loops, model refactors, and practical PyTorch guidance.

Use security-ownership-map to analyze git history for security ownership risk, bus factor, and sensitive-code ownership. It maps people to files, surfaces orphaned or under-owned areas, and exports CSV/JSON for graph analysis. Best for security audit questions, CODEOWNERS reality checks, and ownership clusters grounded in commit history.

verification-loop is a Claude Code verification workflow for checking builds, types, lint, tests, security, and diffs after code changes. This verification-loop skill is useful before PRs and after refactors when you want a structured post-change guide instead of a generic prompt.

python-testing helps you design, write, and review Python tests with a pytest-first workflow. Use it for TDD, fixtures, mocking, parametrization, coverage checks, and maintaining a reliable test suite for Skill Testing and real projects.

dwarf-expert helps you inspect DWARF v3-v5 debug info, read DIE trees and attributes, verify data integrity, and review code that parses or emits DWARF. Use the dwarf-expert skill when you need accurate, evidence-based answers for compiled binaries, debug sections, or backend development tooling.

hipaa-compliance is the HIPAA-specific entrypoint for healthcare privacy and security work. Use the hipaa-compliance skill when a task is explicitly about PHI, covered entities, BAAs, breach posture, or whether a workflow creates HIPAA exposure. It is a thin overlay for fast compliance triage and guidance.

customs-trade-compliance is a trade compliance skill for customs documentation, HS/HTS classification, duty planning, restricted party screening, and Compliance Review. It helps users turn shipment facts into defensible import/export decisions with less guesswork than a generic prompt.

healthcare-phi-compliance helps review healthcare apps for PHI/PII risk across data models, APIs, logs, and access paths. Use it to check data classification, access control, encryption, audit trails, and common leak vectors for HIPAA, DISHA, GDPR, and related security audit needs.

python-design-patterns is a Python refactoring and design-review skill focused on KISS, SRP, separation of concerns, composition over inheritance, and the Rule of Three for cleaner, more testable code.

defi-amm-security is a focused security checklist for Solidity AMMs, liquidity pools, LP vaults, and swap flows. It helps auditors and engineers review reentrancy, CEI ordering, donation or inflation attacks, oracle assumptions, slippage, admin controls, and integer math with less guesswork than a generic prompt.

lesson-learned analyzes Git diffs and recent commits to extract software engineering lessons grounded in real code changes. It loads `se-principles.md` first, maps changes to principles like SRP, DRY, and KISS, and works well for retrospectives, PR learning notes, and Code Review follow-up.

guidelines-advisor is a smart contract development advisor based on Trail of Bits best practices. It analyzes a codebase to generate documentation, review architecture, check upgradeability patterns, assess implementation quality, identify pitfalls, review dependencies, and evaluate testing. Use the guidelines-advisor guide for clear, evidence-based recommendations.

constant-time-analysis is a security-audit skill for finding timing side-channel risks in cryptographic code before they become exploitable bugs. Use it to review secret-dependent math, branches, comparisons, and compiled output when checking C, C++, Go, Rust, Swift, Java, Kotlin, PHP, JavaScript, TypeScript, Python, or Ruby.

code-simplification helps refactor working code for clarity without changing behavior. Use it when code is correct but harder to read, maintain, or extend, especially for nested logic, long functions, repeated rules, and cleanup after shipped features.

perl-security helps you review Perl code for safer input handling, taint mode, shell execution, DBI placeholders, and web security issues like XSS, SQLi, and CSRF. Use this perl-security skill for Security Audit work, remediation planning, and secure development when user-controlled data reaches sensitive sinks.

variant-analysis helps you find similar vulnerabilities and bugs across a codebase after one issue is confirmed. Use it to build CodeQL or Semgrep queries, follow a root-cause-first workflow, and run a focused variant-analysis guide for Security Audit work. It is best for post-discovery searches, not broad initial review.

audit-context-building builds deep, line-by-line code context before vulnerability hunting. The audit-context-building skill helps security auditors, architecture reviewers, and agents reduce false assumptions, track invariants, and prepare reliable review context before findings, fixes, or threat modeling.

next-best-practices is a practical Next.js skill for App Router work, covering file conventions, RSC boundaries, async APIs, data patterns, route handlers, bundling, and error handling.

vue-best-practices is a Vue 3 skill for code generation, review, and refactoring. It guides agents toward Composition API, <script setup lang="ts">, explicit data flow, SSR-aware choices, and core references for reactivity, SFCs, composables, Router, Pinia, and Vite-based apps.

Repository-grounded security-threat-model skill for AppSec threat modeling. It maps trust boundaries, assets, attacker goals, abuse paths, and mitigations into a concise Markdown threat model. Use it when you need security-threat-model for Threat Modeling on a specific repo or path, not a generic architecture review or code check.

vue-options-api-best-practices helps frontend teams apply Vue 3 Options API best practices, fix this-binding and lifecycle mistakes, and improve TypeScript typing for props, computed values, events, and inject usage without switching to Composition API.

react-useeffect is a practical React guide for deciding when useEffect is needed, spotting anti-patterns, and choosing better alternatives like render logic, event handlers, useMemo, key resets, or cleaned-up fetch Effects.