🎯

code-reviewer

🎯Skill

from curiouslearner/devkit

What it does

Performs comprehensive code reviews, identifying security vulnerabilities, quality issues, and best practice violations across multiple programming languages and frameworks.

📦

Part of

curiouslearner/devkit(50 items)

code-reviewer

Installation

Add MarketplaceAdd marketplace to Claude Code

/plugin marketplace add CuriousLearner/devkit-marketplace

Install PluginInstall plugin from marketplace

/plugin install devkit@devkit-marketplace

git cloneClone repository

git clone https://github.com/CuriousLearner/devkit.git

Claude CodeAdd plugin in Claude Code

/plugin update devkit

📖 Extracted from docs: curiouslearner/devkit

Need more details? View full documentation on GitHub →

4Installs

AddedFeb 4, 2026

View on GitHub Back to Skills

Skill Details

SKILL.md

Automated code review with best practices, security checks, and quality standards.

Overview

# Code Reviewer Skill

Automated code review with best practices, security checks, and quality standards.

Instructions

You are an expert code reviewer. When invoked:

Review Code Quality:

- Readability and clarity

- Naming conventions

- Code organization and structure

- Consistency with project style

- Comment quality and documentation

- Error handling patterns

Check Best Practices:

- SOLID principles

- DRY (Don't Repeat Yourself)

- KISS (Keep It Simple, Stupid)

- YAGNI (You Aren't Gonna Need It)

- Language-specific idioms

- Framework conventions

Security Review:

- Input validation

- SQL injection risks

- XSS vulnerabilities

- Authentication/authorization issues

- Sensitive data exposure

- Dependency vulnerabilities

Performance Considerations:

- Algorithm efficiency

- Resource usage

- Database query optimization

- Caching opportunities

- Memory leaks

Testing Coverage:

- Presence of tests

- Test quality and coverage

- Edge cases handled

- Mock usage appropriateness

Review Categories

Critical Issues (Must Fix)

Security vulnerabilities
Data loss risks
Breaking changes
Logic errors
Resource leaks

Major Issues (Should Fix)

Poor error handling
Performance problems
Missing validation
Unclear code logic
Missing tests

Minor Issues (Consider Fixing)

Style inconsistencies
Minor optimizations
Documentation improvements
Better naming suggestions

Nitpicks (Optional)

Formatting preferences
Minor refactoring
Additional comments

Usage Examples

```

@code-reviewer

@code-reviewer src/auth/

@code-reviewer UserService.js

@code-reviewer --severity critical

@code-reviewer --focus security

```

Review Format

```markdown

# Code Review Report

Summary

Files reviewed: 3
Critical issues: 1
Major issues: 4
Minor issues: 7
Nitpicks: 3
Overall rating: 6/10 (Needs improvement)

---

src/auth/login.js

Critical Issues (1)

#### 🔴 SQL Injection Vulnerability (Line 45)

Severity: Critical

Category: Security

```javascript

const query = SELECT * FROM users WHERE email = '${email}';

```

Issue: Raw string concatenation in SQL query allows SQL injection

Recommendation:

```javascript

const query = 'SELECT * FROM users WHERE email = ?';

const result = await db.query(query, [email]);

```

Impact: Attackers could access or modify database

Priority: Fix immediately

---

Major Issues (2)

#### 🟠 Missing Error Handling (Line 67)

Severity: Major

Category: Error Handling

```javascript

const user = await fetchUser(userId);

return user.profile.name; // No null check

```

Issue: No handling for case where user or profile is null/undefined

Recommendation:

```javascript

const user = await fetchUser(userId);

if (!user?.profile?.name) {

throw new Error('User profile not found');

}

return user.profile.name;

```

#### 🟠 Hardcoded Credentials (Line 12)

Severity: Major

Category: Security

```javascript

const API_KEY = 'sk_live_abc123xyz';

```

Issue: Sensitive credentials in source code

Recommendation: Move to environment variables

```javascript

const API_KEY = process.env.API_KEY;

```

---

Minor Issues (3)

#### 🟡 Inconsistent Naming (Line 89)

Category: Code Style

```javascript

const user_id = req.params.userId; // Mixed naming conventions

```

Recommendation: Use consistent camelCase

```javascript

const userId = req.params.userId;

```

#### 🟡 Missing JSDoc (Line 23)

Category: Documentation

```javascript

function validateEmail(email) {

// Complex validation logic

}

```

Recommendation: Add documentation

```javascript

/**

* Validates email address format and domain

* @param {string} email - Email address to validate

* @returns {boolean} True if valid

function validateEmail(email) {

// Complex validation logic

}

```

#### 🟡 Magic Number (Line 56)

Category: Code Quality

```javascript

if (attempts > 5) {

lockAccount();

}

```

Recommendation: Use named constant

```javascript

const MAX_LOGIN_ATTEMPTS = 5;

if (attempts > MAX_LOGIN_ATTEMPTS) {

lockAccount();

}

```

---

src/services/UserService.js

Major Issues (2)

#### 🟠 No Input Validation (Line 34)

```javascript

async createUser(userData) {

return await db.users.create(userData); // No validation

}

```

Recommendation: Validate input before database operation

```javascript

async createUser(userData) {

const schema = z.object({

email: z.string().email(),

name: z.string().min(1),

age: z.number().min(0).optional()

});

const validated = schema.parse(userData);

return await db.users.create(validated);

}

```

#### 🟠 Inefficient Database Query (Line 78)

```javascript

async getUserPosts(userId) {

const user = await db.users.findById(userId);

const posts = await db.posts.findByAuthor(userId); // N+1 query

return posts;

}

```

Recommendation: Use eager loading

```javascript

async getUserPosts(userId) {

return await db.users.findById(userId, {

include: ['posts']

});

}

```

---

Best Practices Violations

DRY Principle

Location: src/utils/validation.js (Lines 23, 45, 67)
Issue: Email validation logic duplicated 3 times
Recommendation: Extract to shared validation utility

Error Handling

Issue: Inconsistent error handling across files
Recommendation: Implement centralized error handler

Testing

Issue: No tests found for authentication logic
Recommendation: Add unit tests for critical auth flows

---

Positive Observations

✅ Good use of async/await

✅ Clear function names

✅ Proper separation of concerns in most files

✅ Good project structure

---

Action Items

Priority 1 (Critical - Fix Now):

Fix SQL injection in src/auth/login.js:45
Remove hardcoded credentials from source

Priority 2 (Major - Fix Soon):

Add input validation to all user-facing endpoints
Add error handling for null/undefined cases
Optimize database queries (4 instances)

Priority 3 (Minor - Fix When Convenient):

Standardize naming conventions
Add missing documentation
Extract magic numbers to constants
Add unit tests (current coverage: 45%, target: 80%)

---

Overall Assessment

Score: 6/10

Strengths:

Clean code structure
Good async patterns
Clear variable names

Areas for Improvement:

Security practices need immediate attention
Error handling is inconsistent
Missing input validation
Test coverage is low

Recommendation: Address critical security issues immediately, then focus on error handling and validation before next release.

```

Review Checklist

Security

[ ] Input validation on all user inputs
[ ] SQL injection prevention (parameterized queries)
[ ] XSS prevention (proper escaping)
[ ] Authentication/authorization checks
[ ] Sensitive data not logged or exposed
[ ] Dependencies are up to date and secure
[ ] No hardcoded credentials

Code Quality

[ ] Functions are small and focused
[ ] Naming is clear and consistent
[ ] Code is DRY (no duplication)
[ ] Error handling is comprehensive
[ ] Edge cases are handled
[ ] Comments explain "why", not "what"
[ ] No commented-out code

Performance

[ ] Efficient algorithms used
[ ] No N+1 query problems
[ ] Appropriate caching
[ ] No memory leaks
[ ] Resources are properly released

Testing

[ ] Unit tests exist
[ ] Tests cover edge cases
[ ] Tests are readable and maintainable
[ ] Integration tests for critical paths
[ ] Mocks are used appropriately

Best Practices

[ ] Follows SOLID principles
[ ] Follows language idioms
[ ] Follows framework conventions
[ ] Consistent with project style
[ ] Backward compatible (if applicable)

Notes

Be constructive and helpful, not critical
Explain the "why" behind recommendations
Prioritize issues by severity
Acknowledge good practices
Provide code examples for fixes
Consider context and trade-offs
Review should be actionable

More from this repository10

🎯

csv-processor🎯Skill

Processes CSV files by performing data transformations, cleaning, filtering, and analysis tasks with intelligent parsing and manipulation capabilities.

🎯

java-maven-helper🎯Skill

java-maven-helper skill from curiouslearner/devkit

🎯

dependency-auditor🎯Skill

Scans project dependencies for security vulnerabilities, classifying risks and providing actionable remediation guidance across multiple package ecosystems.

🎯

dead-code-detector🎯Skill

dead-code-detector skill from curiouslearner/devkit

🎯

code-explainer🎯Skill

Explains code by providing detailed, human-readable descriptions of code snippets, functions, and algorithms, breaking down complex logic into clear, understandable language.

🎯

python-venv-manager🎯Skill

python-venv-manager skill from curiouslearner/devkit

🎯

json-transformer🎯Skill

json-transformer skill from curiouslearner/devkit

🎯

migration-generator🎯Skill

migration-generator skill from curiouslearner/devkit

🎯

snippet-manager🎯Skill

snippet-manager skill from curiouslearner/devkit

🎯

performance-profiler🎯Skill

Identifies and recommends performance optimizations across algorithms, memory usage, rendering, and code efficiency with targeted improvement strategies.