code-reviewSystematic code review patterns covering security, performance, maintainability, correctness, and testing — with severity levels, structured feedback guidance, review process, and anti-patterns to avoid. Use when reviewing PRs, establishing review standards, or improving review quality.
Install via ClawdBot CLI:
clawdbot install wpank/code-reviewThorough, structured approach to reviewing code. Work through each dimension systematically rather than scanning randomly.
npx clawhub@latest install code-review| Dimension | Focus | Priority |
|-----------|-------|----------|
| Security | Vulnerabilities, auth, data exposure | Critical |
| Performance | Speed, memory, scalability bottlenecks | High |
| Correctness | Logic errors, edge cases, data integrity | High |
| Maintainability | Readability, structure, future-proofing | Medium |
| Testing | Coverage, quality, reliability of tests | Medium |
| Accessibility | WCAG compliance, keyboard nav, screen readers | Medium |
| Documentation | Comments, API docs, changelog entries | Low |
Review every change for these vulnerabilities:
dangerouslySetInnerHTML or equivalent is justified and safeWork through the code in three passes. Do not try to catch everything in one read.
| Pass | Focus | Time | What to Look For |
|------|-------|------|------------------|
| First | High-level structure | 2-5 min | Architecture fit, file organization, API design, overall approach |
| Second | Line-by-line detail | Bulk | Logic errors, security issues, performance problems, edge cases |
| Third | Edge cases & hardening | 5 min | Failure modes, concurrency, boundary values, missing tests |
Classify every comment by severity so the author knows what blocks merge.
| Level | Label | Meaning | Blocks Merge? |
|-------|-------|---------|---------------|
| Critical | [CRITICAL] | Security vulnerability, data loss, or crash in production | Yes |
| Major | [MAJOR] | Bug, logic error, or significant performance regression | Yes |
| Minor | [MINOR] | Improvement that would reduce future maintenance cost | No |
| Nitpick | [NIT] | Style preference, naming suggestion, or trivial cleanup | No |
Always prefix your review comment with the severity label. This removes ambiguity about what matters.
Bad:
This is wrong. Fix it.
Good:
[MAJOR] This query interpolates user input directly into the SQL string (line 42), which is vulnerable to SQL injection. Consider using a parameterized query:> SELECT * FROM users WHERE id = $1 >
Bad:
Why didn't you add tests?
Good:
[MINOR]The newcalculateDiscount()function has a few branching paths — could we add tests for the zero-quantity and negative-price edge cases to prevent regressions?
Bad:
I would have done this differently.
Good:
[NIT]This works well. An alternative approach could be extracting the retry logic into a sharedwithRetry()wrapper — but that's optional and could be a follow-up.
Avoid these common traps that waste time and damage team trust:
| Anti-Pattern | Description |
|--------------|-------------|
| Rubber-Stamping | Approving without reading. Creates false confidence and lets bugs through. |
| Bikeshedding | Spending 30 minutes debating a variable name while ignoring a race condition. |
| Blocking on Style | Refusing to approve over formatting that a linter should enforce automatically. |
| Gatekeeping | Requiring your personal preferred approach when the submitted one is correct. |
| Drive-by Reviews | Leaving one vague comment and disappearing. Commit to following through. |
| Scope Creep Reviews | Requesting unrelated refactors that should be separate PRs. |
| Stale Reviews | Letting PRs sit for days. Review within 24 hours or hand off to someone else. |
| Emotional Language | "This is terrible" or "obviously wrong." Critique the code, not the person. |
Generated Feb 25, 2026
Reviewing a pull request for a new feature in a web application, focusing on security vulnerabilities like SQL injection and XSS, performance issues such as N+1 queries, and maintainability through clear naming and DRY principles. This ensures the code is robust and scalable before deployment.
Implementing a standardized code review process using this skill to train junior developers, covering all dimensions from security to documentation. This helps build a culture of quality and consistency as the team grows and handles increasing code complexity.
Conducting a security audit on legacy code to identify and mitigate vulnerabilities like CSRF and input validation issues, using the security checklist to ensure compliance with industry standards and prevent data breaches in a financial application.
Reviewing code changes in an e-commerce platform to enhance performance by checking for bundle size issues, lazy loading implementation, and database indexing. This aims to improve page load times and user experience during high-traffic events like sales.
Using the skill to systematically review contributions in an open-source project, focusing on correctness with edge case handling and maintainability through error propagation and dead code removal. This fosters community trust and long-term project sustainability.
Offering this code review skill as part of a SaaS platform for development teams, with tiered pricing based on team size and features. Revenue is generated through monthly or annual subscriptions, providing continuous updates and support.
Providing expert consulting services to organizations for implementing and customizing the code review process, including training and audits. Revenue comes from project-based fees or hourly rates, targeting enterprises needing specialized guidance.
Integrating the skill into a freemium development tool like an IDE or CI/CD platform, with basic features free and advanced analytics or automation behind a paywall. Revenue is driven by upselling premium features to larger teams or individual developers.
💬 Integration Tip
Integrate this skill into your CI/CD pipeline to automate code reviews on every pull request, ensuring consistent quality checks and reducing manual oversight. Use it alongside version control systems like Git for seamless workflow integration.
Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends Claude's capabilities with specialized knowledge, workflows, or tool integrations.
Provides a 7-step debugging protocol plus language-specific commands to systematically identify, verify, and fix software bugs across multiple environments.
A comprehensive skill for using the Cursor CLI agent for various software engineering tasks (updated for 2026 features, includes tmux automation guide).
Write, run, and manage unit, integration, and E2E tests across TypeScript, Python, and Swift using recommended frameworks.
Control and operate Opencode via slash commands. Use this skill to manage sessions, select models, switch agents (plan/build), and coordinate coding through Opencode.
Coding style memory that adapts to your preferences, conventions, and patterns for consistent coding.