Automated code review analysis for quality, security, performance, and best practices.
✅ USE this skill when:
❌ DON'T use this skill when:
For every code review, the agent checks in this order:

### 1. Security

| Check | What to look for |
|---|---|
| SQL Injection | String concatenation in queries, unescaped user input |
| XSS | Unsanitized output in HTML/templates, dangerouslySetInnerHTML |
| Command Injection | os.system(), exec(), subprocess(shell=True) with user input |
| Path Traversal | ../../ in file paths, unsanitized filenames |
| Sensitive Data | Hardcoded API keys, passwords, tokens, secrets |
| Unvalidated Input | Missing type checks, no boundary validation on arrays/buffers |

### 2. Correctness

| Check | What to look for |
|---|---|
| Null/Undefined | Missing null checks, no Optional/Maybe wrapping |
| Error Handling | Bare except:, swallowed exceptions, no error context |
| Race Conditions | Shared state without locks, async without mutexes |
| Resource Leaks | Unclosed files, connections, handles |
| Type Safety | Implicit casts, any types, missing generics |
| Dead Code | Unused variables, imports, unreachable branches |

### 3. Code quality

| Check | What to look for |
|---|---|
| Naming | Vague names (data, tmp, foo), inconsistent casing |
| Comments | Stale/no comments, commented-out code |
| Duplication | Repeated logic that should be a function |
| Logging | Missing context in log messages, wrong log level |
| Tests | Missing edge cases, no test for the change |
The agent accepts code in these forms:

- A fenced code block (```python ... ```)
- The output of `git diff`

For each code segment, present findings in order of severity:
## 🔴 Critical
- [Line 42] SQL Injection: f-string used in SQL query. Use parameterized queries.
## 🟡 Important
- [Line 15] Missing null check: `user.getName()` raises if `user` is None
## 🟢 Suggestion
- [Line 88] Duplicate logic with lines 12-20 — extract to helper function
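The checklist above can also be run mechanically before reading the code by hand. The following Python script is an added example, not the skill's own implementation: it walks a module's AST, applies five of the listed checks (a query assembled by string formatting and passed to `execute()`, `os.system()` or a `subprocess` call with `shell=True`, a hardcoded secret, a bare `except:`, and `open()` outside a `with` block), and renders the findings in the `## 🔴 Critical` / `- [Line N]` layout shown above. The `SAMPLE` module it reviews is constructed for the demonstration, and the credential-name regex is a heuristic chosen here; both are assumptions, not part of the skill.

```python
"""Added example, not the skill's own code: an AST walker applying five checklist items above."""
import ast
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line severity check message")
SEVERITY_ORDER = {"critical": 0, "important": 1, "suggestion": 2}
LABELS = {"critical": "🔴 Critical", "important": "🟡 Important", "suggestion": "🟢 Suggestion"}
SECRET_NAME_RE = re.compile(r"password|passwd|secret|token|api_?key", re.IGNORECASE)  # heuristic

def _is_dynamic_string(node):  # f-string, + or % formatting, or .format()
    return (isinstance(node, ast.JoinedStr)
            or (isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)))
            or (isinstance(node, ast.Call) and getattr(node.func, "attr", None) == "format"))

class Reviewer(ast.NodeVisitor):
    def __init__(self):
        self.findings = []
        self._with_exprs = set()  # ids of call nodes used as `with` context managers

    def add(self, node, severity, check, message):
        self.findings.append(Finding(node.lineno, severity, check, message))

    def visit_With(self, node):
        self._with_exprs.update(id(item.context_expr) for item in node.items)
        self.generic_visit(node)

    def visit_Assign(self, node):  # Sensitive Data: credential-like name bound to a string literal
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME_RE.search(target.id):
                    self.add(node, "critical", "Sensitive Data",
                             f"hardcoded value in {target.id}; load it from the environment or a secret store")
        self.generic_visit(node)

    def visit_ExceptHandler(self, node):  # Error Handling: a bare except: swallows everything
        if node.type is None:
            self.add(node, "important", "Error Handling", "bare except:; catch specific exceptions")
        self.generic_visit(node)

    def visit_Call(self, node):
        callee = ast.unparse(node.func)  # e.g. "cur.execute", "os.system", "open"
        # SQL Injection: execute() on a query assembled by string formatting
        if callee.rsplit(".", 1)[-1] == "execute" and node.args and _is_dynamic_string(node.args[0]):
            self.add(node, "critical", "SQL Injection", "query built by string formatting; use parameterized queries")
        # Command Injection: os.system(), or any subprocess call with shell=True
        shell_true = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                         for kw in node.keywords)
        if callee == "os.system" or (callee.startswith("subprocess.") and shell_true):
            self.add(node, "critical", "Command Injection",
                     f"{callee} goes through the shell; pass an argument list with shell=False")
        # Resource Leak: open() whose handle is not managed by a with statement
        if callee == "open" and id(node) not in self._with_exprs:
            self.add(node, "important", "Resource Leak", "open() outside a with block; the handle may never close")
        self.generic_visit(node)

def review(source):
    """Findings sorted the way the report lists them: severity first, then line number."""
    reviewer = Reviewer()
    reviewer.visit(ast.parse(source))
    return sorted(reviewer.findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.line))

def format_report(findings):
    """Render the '## 🔴 Critical' / '- [Line N] Check: message' sections; empty groups are omitted."""
    out = []
    for severity in SEVERITY_ORDER:
        group = [f for f in findings if f.severity == severity]
        if group:
            out.append(f"## {LABELS[severity]}")
            out.extend(f"- [Line {f.line}] {f.check}: {f.message}" for f in group)
    return "\n".join(out)

# Constructed sample module: four critical and two important defects, then two clean functions.
SAMPLE = '''\
import os, subprocess
API_KEY = "sk-live-1234567890"

def lookup(conn, username):
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM users WHERE name = '{username}'")
    return cur.fetchall()

def archive(path):
    os.system("tar czf backup.tgz " + path)
    subprocess.run("ls " + path, shell=True)

def read_config(name):
    fh = open(name)
    try:
        return fh.read()
    except:
        return None

def safe_lookup(conn, username):
    return conn.cursor().execute("SELECT * FROM users WHERE name = ?", (username,)).fetchall()

def safe_read(name):
    with open(name) as fh:
        return fh.read()
'''
```

`print(format_report(review(SAMPLE)))` lists four 🔴 findings (lines 2, 6, 10, 11) and two 🟡 (lines 14, 17); `safe_lookup` and `safe_read` produce nothing, which is the negative case worth confirming before trusting any pattern-based check. The `with` tracking is what keeps `with open(...)` from being reported as a leak, the kind of false positive that teaches reviewers to ignore a tool.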
The agent also applies language-specific checks:

### Python
- f-strings over `.format()` or `%` for string building (none of them for SQL; use parameterized queries)
- `with` for resource management
- Comprehensions over `map`/`filter`

### JavaScript / TypeScript
- `const` over `let`, never `var`
- `===`, not `==`
- No `any` in TypeScript

### Java
- `Optional` over `null` returns

### Go
- `go fmt` conventions
- `defer` for cleanup

### Bash
- `set -euo pipefail` in scripts
- `[[ ]]` over `[ ]`
- Never parse `ls` output

Example interactions:

> User: "Review this Python function" + code block
> Agent: Runs checklist → finds SQL injection. Reports 🔴 Critical with fix
>
> User: "Check my current git diff"
> Agent: Runs git diff, reviews changes, lists findings
>
> User: "Is this TypeScript safe?" + code block
> Agent: Checks types, null safety, anti-patterns → reports `any` misuse as 🟡 Important