{"id":"7ea39e31-0bc9-4185-8af0-1af2a11df4ec","shortId":"jSN9B7","kind":"skill","title":"code-review","tagline":"This skill should be used when the user asks to \"review code\", \"review PR\", \"code review\", \"audit code\", \"check for bugs\", \"security review\", \"review my changes\", \"find issues in this code\", \"review the diff\", or asks for pull request review or code audit.","description":"# Code Review\n\n## Objective\n\nFind high-impact defects in changed code with evidence. Prioritize security, correctness, and regressions over style nits.\n\n## Arguments\n\n- `--fix`: After reporting findings, apply all suggested fixes automatically in severity order (`CRITICAL -> HIGH -> MEDIUM -> LOW`), then rerun targeted checks and report exactly what changed.\n- `--skip-profile <name>`: Skip an optional domain profile by stem or filename. Repeatable. Example: `--skip-profile naming`.\n- Default: Report findings and wait for confirmation before editing.\n\n## Scope Resolution\n\n1. Verify repository context: `git rev-parse --git-dir`. If this fails, stop and tell the user to run from a git repository.\n2. If user provides file paths/patterns, a commit/range, or a `Resolved scope` fenced block with one repo-relative path per line, scope is exactly those targets.\n3. Otherwise, scope is **only** session-modified files. Do not include other uncommitted changes.\n4. If there are no session-modified files, fall back to all uncommitted tracked + untracked files:\n   - tracked: `git diff --name-only --diff-filter=ACMR`\n   - untracked: `git ls-files --others --exclude-standard`\n   - combine both lists and de-duplicate.\n5. Exclude generated/low-signal files unless requested: lockfiles, minified bundles, build outputs, vendored code.\n6. If scope still resolves to zero files, report and stop.\n\n## Workflow\n\n1. Resolve scope and read diffs plus minimal surrounding context.\n2. Classify files by domain/risk.\n3. Apply the core checks below plus only the domain profiles that match the current diff. Honor any `--skip-profile` exclusions.\n4. Generate findings with: location, impact, evidence, confidence, and concrete fix.\n5. Assign severity with the model below.\n6. Default behavior: report and wait.\n7. With `--fix`: apply all suggested fixes in severity order, then run targeted verification.\n8. Report using the output schema below.\n\n## Core Review Checks\n\nApply on every run.\n\n### Checks\n\n- `CORE-001` Behavior regression (`HIGH`): changed branch/state transition alters external behavior.\n- `CORE-002` Error-path safety (`HIGH`): failures can cascade, crash, or return unsafe defaults.\n- `CORE-003` Boundary handling (`HIGH`): null/empty/overflow/edge inputs are not handled.\n- `CORE-004` Resource hygiene (`MEDIUM`): leaked timers/listeners/handles/connections.\n- `CORE-005` Complexity hotspot (`MEDIUM`): change introduces avoidable coupling or hidden side effects.\n- `CORE-006` Test gap (`MEDIUM`): changed behavior has no targeted test coverage.\n\n### Evidence Expectations\n\n- Show the concrete input/state that triggers failure.\n- Point to changed lines or nearby guards that caused the risk.\n\n## Profile Dispatch\n\n- `references/profiles/security.md`: auth, external input, secrets, crypto, public network surfaces, unsafe parsing.\n- `references/profiles/configuration.md`: env/config, timeouts, retries, pools, limits, resource tuning, rollout controls.\n- `references/profiles/typescript-react.md`: TypeScript/JavaScript/React/Node files.\n- `references/profiles/python.md`: Python services, scripts, async workloads.\n- `references/profiles/shell.md`: shell scripts, CI command blocks, deployment scripts.\n- `references/profiles/smart-contracts.md`: Solidity/Solana/on-chain protocol code.\n- `references/profiles/data-formats.md`: CSV/JSON/YAML/binary ingestion/export/parsing.\n- `references/profiles/naming.md`: naming/intent clarity after correctness and security issues are handled. This profile is optional and can be skipped explicitly.\n\nLoad only profiles relevant to touched files. Prefer no more than three domain profiles per pass unless the user requests a deep audit.\n\n## Severity Model\n\n- **CRITICAL**: exploitable security flaw, data loss path, or outage risk on critical paths.\n- **HIGH**: logic defect or performance failure that can break core behavior.\n- **MEDIUM**: maintainability/reliability issue likely to cause near-term defects.\n- **LOW**: localized clarity/style/documentation improvements.\n\n## Output Schema\n\nUse this structure and order for every review result.\n\n### 1. Scope\n\nList reviewed files and any excluded patterns.\n\n### 2. Findings (ordered)\n\nOrder by severity: `CRITICAL -> HIGH -> MEDIUM -> LOW`.\n\nFor each finding, use this shape:\n\n- `[SEVERITY] Title — path/to/file.ext:line`\n- Impact: concrete user/system impact.\n- Evidence: exact code behavior or diff evidence.\n- Fix: smallest practical remediation.\n- Confidence: `high | medium | low`.\n\n### 3. Suggested Fixes\n\nInclude when not using `--fix`.\n\n### 4. Applied Fixes\n\nInclude only when `--fix` is used. List each change with file references.\n\n### 5. Verification\n\nList commands run and outcomes. Explicitly list skipped checks.\n\n### 6. Residual Risks / Open Questions\n\nCapture unresolved assumptions and follow-ups.\n\n### Rules\n\n- Do not fabricate locations.\n- Merge duplicate findings.\n- Keep style-only issues at LOW unless they create operational risk.\n\n## Evidence Rules\n\n- Never fabricate line numbers.\n- Tie each finding to concrete code evidence.\n- Explain blast radius and failure mode succinctly.\n- Prefer targeted fixes over broad rewrites.\n\n## Verification\n\nRun the narrowest checks that validate touched behavior:\n\n- formatter/lint on touched files,\n- targeted tests for impacted modules,\n- typecheck when relevant.\n\nIf checks cannot run, state exactly what was skipped and why.\n\n## Stop Conditions\n\nStop and ask for direction when:\n\n- fixes require API/contract redesign,\n- behavior intent is too ambiguous to classify severity,\n- required validation tooling is unavailable and risk is high.","tags":["code","review","agent","skills","paulrberg","agent-skills","ai-agents"],"capabilities":["skill","source-paulrberg","skill-code-review","topic-agent-skills","topic-ai-agents"],"categories":["agent-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/PaulRBerg/agent-skills/code-review","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add PaulRBerg/agent-skills","source_repo":"https://github.com/PaulRBerg/agent-skills","install_from":"skills.sh"}},"qualityScore":"0.475","qualityRationale":"deterministic score 0.47 from registry signals: · indexed on github topic:agent-skills · 50 github stars · SKILL.md body (5,604 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-22T00:56:17.712Z","embedding":null,"createdAt":"2026-04-18T22:17:38.430Z","updatedAt":"2026-04-22T00:56:17.712Z","lastSeenAt":"2026-04-22T00:56:17.712Z","tsv":"'-001':349 '-002':360 '-003':375 '-004':385 '-005':392 '-006':405 '1':123,258,576 '2':148,268,585 '3':175,273,624 '4':190,295,632 '5':233,306,647 '6':246,313,658 '7':319 '8':333 'acmr':216 'alter':356 'ambigu':764 'api/contract':758 'appli':73,274,322,343,633 'argument':68 'ask':12,39,752 'assign':307 'assumpt':665 'async':466 'audit':20,46,524 'auth':439 'automat':77 'avoid':398 'back':200 'behavior':315,350,358,410,550,612,724,760 'blast':704 'block':161,473 'boundari':376 'branch/state':354 'break':548 'broad':714 'bug':24 'build':242 'bundl':241 'cannot':739 'captur':663 'cascad':368 'caus':433,556 'chang':29,56,93,189,353,396,409,427,643 'check':22,88,277,342,347,657,720,738 'ci':471 'clariti':485 'clarity/style/documentation':563 'classifi':269,766 'code':2,15,18,21,34,45,47,57,245,479,611,701 'code-review':1 'combin':226 'command':472,650 'commit/range':155 'complex':393 'concret':304,420,606,700 'condit':749 'confid':302,620 'confirm':118 'context':126,267 'control':458 'core':276,340,348,359,374,384,391,404,549 'correct':62,487 'coupl':399 'coverag':415 'crash':369 'creat':687 'critic':81,527,538,591 'crypto':443 'csv/json/yaml/binary':481 'current':287 'data':531 'de':231 'de-dupl':230 'deep':523 'default':112,314,373 'defect':54,542,560 'deploy':474 'diff':37,209,214,263,288,614 'diff-filt':213 'dir':133 'direct':754 'dispatch':437 'domain':100,282,514 'domain/risk':272 'duplic':232,676 'edit':120 'effect':403 'env/config':450 'error':362 'error-path':361 'everi':345,573 'evid':59,301,416,609,615,690,702 'exact':91,172,610,742 'exampl':107 'exclud':224,234,583 'exclude-standard':223 'exclus':294 'expect':417 'explain':703 'explicit':501,654 'exploit':528 'extern':357,440 'fabric':673,693 'fail':136 'failur':366,424,545,707 'fall':199 'fenc':160 'file':152,183,198,206,221,236,253,270,461,508,580,645,728 'filenam':105 'filter':215 'find':30,50,72,114,297,586,597,677,698 'fix':69,76,305,321,325,616,626,631,634,638,712,756 'flaw':530 'follow':668 'follow-up':667 'formatter/lint':725 'gap':407 'generat':296 'generated/low-signal':235 'git':127,132,146,208,218 'git-dir':131 'guard':431 'handl':377,383,492 'hidden':401 'high':52,82,352,365,378,540,592,621,776 'high-impact':51 'honor':289 'hotspot':394 'hygien':387 'impact':53,300,605,608,732 'improv':564 'includ':186,627,635 'ingestion/export/parsing':482 'input':380,441 'input/state':421 'intent':761 'introduc':397 'issu':31,490,553,682 'keep':678 'leak':389 'like':554 'limit':454 'line':169,428,604,694 'list':228,578,641,649,655 'load':502 'local':562 'locat':299,674 'lockfil':239 'logic':541 'loss':532 'low':84,561,594,623,684 'ls':220 'ls-file':219 'maintainability/reliability':552 'match':285 'medium':83,388,395,408,551,593,622 'merg':675 'minifi':240 'minim':265 'mode':708 'model':311,526 'modifi':182,197 'modul':733 'name':111,211 'name-on':210 'naming/intent':484 'narrowest':719 'near':558 'near-term':557 'nearbi':430 'network':445 'never':692 'nit':67 'null/empty/overflow/edge':379 'number':695 'object':49 'one':163 'open':661 'oper':688 'option':99,496 'order':80,328,571,587,588 'other':222 'otherwis':176 'outag':535 'outcom':653 'output':243,337,565 'pars':130,448 'pass':517 'path':167,363,533,539 'path/to/file.ext':603 'paths/patterns':153 'pattern':584 'per':168,516 'perform':544 'plus':264,279 'point':425 'pool':453 'pr':17 'practic':618 'prefer':509,710 'priorit':60 'profil':96,101,110,283,293,436,494,504,515 'protocol':478 'provid':151 'public':444 'pull':41 'python':463 'question':662 'radius':705 'read':262 'redesign':759 'refer':646 'references/profiles/configuration.md':449 'references/profiles/data-formats.md':480 'references/profiles/naming.md':483 'references/profiles/python.md':462 'references/profiles/security.md':438 'references/profiles/shell.md':468 'references/profiles/smart-contracts.md':476 'references/profiles/typescript-react.md':459 'regress':64,351 'relat':166 'relev':505,736 'remedi':619 'repeat':106 'repo':165 'repo-rel':164 'report':71,90,113,254,316,334 'repositori':125,147 'request':42,238,521 'requir':757,768 'rerun':86 'residu':659 'resolut':122 'resolv':158,250,259 'resourc':386,455 'result':575 'retri':452 'return':371 'rev':129 'rev-pars':128 'review':3,14,16,19,26,27,35,43,48,341,574,579 'rewrit':715 'risk':435,536,660,689,774 'rollout':457 'rule':670,691 'run':143,330,346,651,717,740 'safeti':364 'schema':338,566 'scope':121,159,170,177,248,260,577 'script':465,470,475 'secret':442 'secur':25,61,489,529 'servic':464 'session':181,196 'session-modifi':180,195 'sever':79,308,327,525,590,601,767 'shape':600 'shell':469 'show':418 'side':402 'skill':5 'skill-code-review' 'skip':95,97,109,292,500,656,745 'skip-profil':94,108,291 'smallest':617 'solidity/solana/on-chain':477 'source-paulrberg' 'standard':225 'state':741 'stem':103 'still':249 'stop':137,256,748,750 'structur':569 'style':66,680 'style-on':679 'succinct':709 'suggest':75,324,625 'surfac':446 'surround':266 'target':87,174,331,413,711,729 'tell':139 'term':559 'test':406,414,730 'three':513 'tie':696 'timeout':451 'timers/listeners/handles/connections':390 'titl':602 'tool':770 'topic-agent-skills' 'topic-ai-agents' 'touch':507,723,727 'track':204,207 'transit':355 'trigger':423 'tune':456 'typecheck':734 'typescript/javascript/react/node':460 'unavail':772 'uncommit':188,203 'unless':237,518,685 'unresolv':664 'unsaf':372,447 'untrack':205,217 'up':669 'use':8,335,567,598,630,640 'user':11,141,150,520 'user/system':607 'valid':722,769 'vendor':244 'verif':332,648,716 'verifi':124 'wait':116,318 'workflow':257 'workload':467 'zero':252","prices":[{"id":"22ecda50-bb67-4265-8ba1-13def8530d41","listingId":"7ea39e31-0bc9-4185-8af0-1af2a11df4ec","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"PaulRBerg","category":"agent-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T22:17:38.430Z"}],"sources":[{"listingId":"7ea39e31-0bc9-4185-8af0-1af2a11df4ec","source":"github","sourceId":"PaulRBerg/agent-skills/code-review","sourceUrl":"https://github.com/PaulRBerg/agent-skills/tree/main/skills/code-review","isPrimary":false,"firstSeenAt":"2026-04-18T22:17:38.430Z","lastSeenAt":"2026-04-22T00:56:17.712Z"}],"details":{"listingId":"7ea39e31-0bc9-4185-8af0-1af2a11df4ec","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"PaulRBerg","slug":"code-review","github":{"repo":"PaulRBerg/agent-skills","stars":50,"topics":["agent-skills","ai-agents"],"license":"mit","html_url":"https://github.com/PaulRBerg/agent-skills","pushed_at":"2026-04-20T16:22:56Z","description":"PRB's collection of agent skills","skill_md_sha":"9fec5d5b6175b8e826559c78824111194b81c5f4","skill_md_path":"skills/code-review/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/PaulRBerg/agent-skills/tree/main/skills/code-review"},"layout":"multi","source":"github","category":"agent-skills","frontmatter":{"name":"code-review","description":"This skill should be used when the user asks to \"review code\", \"review PR\", \"code review\", \"audit code\", \"check for bugs\", \"security review\", \"review my changes\", \"find issues in this code\", \"review the diff\", or asks for pull request review or code audit."},"skills_sh_url":"https://skills.sh/PaulRBerg/agent-skills/code-review"},"updatedAt":"2026-04-22T00:56:17.712Z"}}