---
name: code-review
description: Run a comprehensive code review
---

# Code Review Skill

Conduct a thorough code review for quality, security, and maintainability with severity-rated feedback.

## When to Use

This skill activates when:

- User requests "review this code", "code review"
- Before merging a pull request
- After implementing a major feature
- User wants quality assessment

## What It Does

Delegates to the `code-reviewer` agent (Opus model) for deep analysis:

1. **Identify Changes**
   - Run `git diff` to find changed files
   - Determine scope of review (specific files or entire PR)

2. **Review Categories**
   - **Security** - Hardcoded secrets, injection risks, XSS, CSRF
   - **Code Quality** - Function size, complexity, nesting depth
   - **Performance** - Algorithm efficiency, N+1 queries, caching
   - **Best Practices** - Naming, documentation, error handling
   - **Maintainability** - Duplication, coupling, testability

3. **Severity Rating**
   - **CRITICAL** - Security vulnerability (must fix before merge)
   - **HIGH** - Bug or major code smell (should fix before merge)
   - **MEDIUM** - Minor issue (fix when possible)
   - **LOW** - Style/suggestion (consider fixing)

4. **Specific Recommendations**
   - File:line locations for each issue
   - Concrete fix suggestions
   - Code examples where applicable

## Agent Delegation

```
spawn_sub_agent(
  subagent_type="oh-my-codex:code-reviewer",
  model="opus",
  prompt="CODE REVIEW TASK

Review code changes for quality, security, and maintainability.

Scope: [git diff or specific files]

Review Checklist:
- Security vulnerabilities (OWASP Top 10)
- Code quality (complexity, duplication)
- Performance issues (N+1, inefficient algorithms)
- Best practices (naming, documentation, error handling)
- Maintainability (coupling, testability)

Output: Code review report with:
- Files reviewed count
- Issues by severity (CRITICAL, HIGH, MEDIUM, LOW)
- Specific file:line locations
- Fix recommendations
- Approval recommendation (APPROVE / REQUEST CHANGES / COMMENT)"
)
```

## External Model Consultation (Preferred)

The code-reviewer agent SHOULD consult Codex for cross-validation.

### Protocol

1. **Form your OWN review FIRST** - Complete the review independently
2. **Consult for validation** - Cross-check findings with Codex
3. **Critically evaluate** - Never blindly adopt external findings
4. **Graceful fallback** - Never block if tools are unavailable

### When to Consult

- Security-sensitive code changes
- Complex architectural patterns
- Unfamiliar codebases or languages
- High-stakes production code

### When to Skip

- Simple refactoring
- Well-understood patterns
- Time-critical reviews
- Small, isolated changes

### Tool Usage

Before the first MCP tool use, call `ToolSearch("mcp")` to discover deferred MCP tools. Use `mcp__x__ask_codex` with `agent_role: "code-reviewer"`. If ToolSearch finds no MCP tools, fall back to the `code-reviewer` agent.

**Note:** Codex calls can take up to 1 hour. Consider the review timeline before consulting.

## Output Format

```
CODE REVIEW REPORT
==================

Files Reviewed: 8
Total Issues: 15

CRITICAL (0)
------------
(none)

HIGH (3)
--------
1. src/api/auth.ts:42
   Issue: User input not sanitized before SQL query
   Risk: SQL injection vulnerability
   Fix: Use parameterized queries or ORM

2. src/components/UserProfile.tsx:89
   Issue: Password displayed in plain text in logs
   Risk: Credential exposure
   Fix: Remove password from log statements

3. src/utils/validation.ts:15
   Issue: Email regex allows invalid formats
   Risk: Accepts malformed emails
   Fix: Use proven email validation library

MEDIUM (7)
----------
...

LOW (5)
-------
...

RECOMMENDATION: REQUEST CHANGES
Critical security issues must be addressed before merge.
```

## Review Checklist

The code-reviewer agent checks:

### Security

- [ ] No hardcoded secrets (API keys, passwords, tokens)
- [ ] All user inputs sanitized
- [ ] SQL/NoSQL injection prevention
- [ ] XSS prevention (escaped outputs)
- [ ] CSRF protection on state-changing operations
- [ ] Authentication/authorization properly enforced

### Code Quality

- [ ] Functions < 50 lines (guideline)
- [ ] Cyclomatic complexity < 10
- [ ] No deeply nested code (> 4 levels)
- [ ] No duplicate logic (DRY principle)
- [ ] Clear, descriptive naming

### Performance

- [ ] No N+1 query patterns
- [ ] Appropriate caching where applicable
- [ ] Efficient algorithms (avoid O(n²) when O(n) is possible)
- [ ] No unnecessary re-renders (React/Vue)

### Best Practices

- [ ] Error handling present and appropriate
- [ ] Logging at appropriate levels
- [ ] Documentation for public APIs
- [ ] Tests for critical paths
- [ ] No commented-out code

## Approval Criteria

**APPROVE** - No CRITICAL or HIGH issues, minor improvements only

**REQUEST CHANGES** - CRITICAL or HIGH issues present

**COMMENT** - Only LOW/MEDIUM issues, no blocking concerns

## Use with Other Skills

**With Team:**

```
/team "review recent auth changes and report findings"
```

Includes coordinated review execution across specialized agents.

**With Ralph:**

```
/ralph code-review then fix all issues
```

Review code, get feedback, fix until approved.

**With Ultrawork:**

```
/ultrawork review all files in src/
```

Parallel code review across multiple files.

## Best Practices

- **Review early** - Catch issues before they compound
- **Review often** - Small, frequent reviews are better than huge ones
- **Address CRITICAL/HIGH first** - Fix security and bugs immediately
- **Consider context** - Some "issues" may be intentional trade-offs
- **Learn from reviews** - Use feedback to improve coding practices
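As an added illustration (example code, not part of this skill or the oh-my-codex project), the Python sketch below runs three Security checklist items over a constructed `git diff`, assigns each finding the file:line location and severity the Output Format asks for, and applies the Approval Criteria. The sample diff and the regex checks are assumptions of this example, and the APPROVE/COMMENT split is read as: no findings at all means APPROVE.

```python
import re
# Constructed sample diff (not a real project's change); the hunk starts at new-file line 40.
SAMPLE_DIFF = """\
+++ b/src/api/auth.ts
@@ -40,3 +40,5 @@
 export async function login(email: string, pw: string) {
+  const API_KEY = "sk-live-0123456789abcdef";
+  const row = await db.query("SELECT * FROM users WHERE email = '" + email + "'");
+  console.log("login attempt", email, pw);
   return row;
"""
# Severity-rated checks run against each added line: (severity, pattern, issue, fix).
CHECKS = [
    ("CRITICAL", re.compile(r"(?i)(api[_-]?key|secret|password|token)\s*=\s*['\"][^'\"]+['\"]"),
     "Hardcoded secret in source", "Load the value from a secret store or environment variable"),
    ("HIGH", re.compile(r"(?i)\b(select|insert|update|delete)\b.*['\"]\s*\+"),
     "User input concatenated into SQL query", "Use parameterized queries or ORM"),
    ("HIGH", re.compile(r"(?i)console\.log\(.*\b(pw|password|passwd)\b"),
     "Credential passed to a log statement", "Remove the credential from the log call"),
]

def review_diff(diff_text):
    """Walk a unified diff, tracking the new-file line number so each finding gets file:line."""
    findings, path, new_line = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ b/"):
            path = line[6:]
        elif line.startswith("@@"):  # hunk header: '+<start>' is the first new-file line
            new_line = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", line).group(1))
        elif line.startswith("+"):  # added line: run every check, then advance the counter
            for sev, rx, issue, fix in CHECKS:
                if rx.search(line[1:]):
                    findings.append({"severity": sev, "location": f"{path}:{new_line}", "issue": issue, "fix": fix})
            new_line += 1
        elif not line.startswith(("-", "\\")):  # unchanged context line also advances it
            new_line += 1
    return findings

def recommend(findings):  # Approval Criteria: CRITICAL/HIGH block the merge; LOW/MEDIUM only is COMMENT
    present = {f["severity"] for f in findings}
    if present & {"CRITICAL", "HIGH"}:
        return "REQUEST CHANGES"
    return "COMMENT" if present else "APPROVE"

if __name__ == "__main__":  # prints one report entry per finding, then the recommendation
    found = review_diff(SAMPLE_DIFF)
    for i, f in enumerate(found, 1):
        print(f"{i}. [{f['severity']}] {f['location']}\n   Issue: {f['issue']}\n   Fix: {f['fix']}")
    print(f"RECOMMENDATION: {recommend(found)}")
```

The real agent reasons about semantics rather than matching patterns; this sketch only shows how the location tracking, severity grouping and approval decision fit together.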