xreview — AI-powered code review plugin for Claude Code
npx claudepluginhub davidleitw/xreview
AI-powered code review using Codex — three-party consensus between Codex, your coding agent, and you
Agent-native code review engine for Claude Code and Codex CLI, powered by Codex.
xreview delegates code review to Codex (a separate AI model) so your coding agent gets an independent second opinion. It orchestrates a three-party review loop: Codex reviews, your agent verifies, you decide.
Curious why this exists? I wrote a post about the motivation and how it works: Why I built xreview
When you ask your coding agent to review your code, the xreview skill takes over:
This isn't your agent reviewing its own work. It's a genuinely independent review from a different model, with your agent acting as a verification layer that filters out false positives before presenting to you.
Register the marketplace and install:
/plugin marketplace add davidleitw/xreview
/plugin install xreview@xreview-marketplace
Paste this into your Codex CLI session:
Fetch and follow instructions from https://raw.githubusercontent.com/davidleitw/xreview/master/.codex/INSTALL.md
Or install manually:
# Install binary
curl -fsSL https://raw.githubusercontent.com/davidleitw/xreview/master/scripts/install.sh | bash
# Install skill
mkdir -p ~/.agents/skills/xreview
curl -fsSL -o ~/.agents/skills/xreview/SKILL.md https://raw.githubusercontent.com/davidleitw/xreview/master/.agents/skills/xreview/SKILL.md
npm install -g @openai/codex
Just ask your coding agent to review:
Use xreview to check my code for bugs and security issues
Or be specific about which files:
Use xreview to review store/db.go and handler/exec.go for security vulnerabilities
The xreview skill triggers automatically. In Claude Code, you can also invoke it directly with /xreview.
| Category | Examples |
|---|---|
| Security | SQL injection, command injection, hardcoded secrets, missing auth |
| Logic | Nil pointer dereference, race conditions, off-by-one errors |
| Error Handling | Ignored errors, resource leaks, unclosed connections |
| Performance | N+1 queries, unnecessary allocations |
xreview supports language-aware review via --language. When the skill detects that review targets are written in a supported language, it automatically adds language-specific guidelines to the Codex prompt.
| Language | Key | Guidelines |
|---|---|---|
| C++ | cpp | ISO C++ Core Guidelines — memory safety, UB, concurrency, exception safety, ownership, class design |
| Go | go | Effective Go + Go Code Review Comments — goroutine safety, data races, resource leaks, error handling, concurrency patterns |
Unsupported languages fall back to general-purpose review (same behavior as without the flag).
Each finding goes through a structured analysis:
F-001: SQL Injection (security/high)
store/db.go:34 — FindUser()
Trigger: user sends malicious string via /user?name=' OR '1'='1
Root cause: fmt.Sprintf concatenates user input directly into SQL query
Impact: attacker can read, modify, or delete any data in the database
-> Fix: changed to parameterized query db.Query("...WHERE name = ?", name)
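The root cause and fix named in finding F-001, shown side by side as an added example (not xreview's code and not the reviewed project's code). It uses Python's standard-library sqlite3 in place of Go's database/sql so it runs without a database driver; the users table, its rows and the function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db


def find_user_vulnerable(db, name):
    # Same defect as the finding: user input is formatted into the SQL text,
    # so quote characters in `name` become part of the query's syntax.
    query = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in db.execute(query)]


def find_user_fixed(db, name):
    # Same fix as the finding: the SQL text is constant and `name` is bound
    # to the ? placeholder, so it is only ever compared as a value.
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in db.execute(query, (name,))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # the string quoted in the finding's Trigger line
    print("vulnerable:", find_user_vulnerable(db, payload))
    print("fixed:     ", find_user_fixed(db, payload))
```

Keeping both functions in a regression test, with the payload from the finding as input, confirms that a later refactor has not reintroduced string formatting into the query.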
After all findings are addressed, Codex verifies the fixes. If it disagrees with a dismissal or finds an incomplete fix, the loop continues.
xreview keeps itself up to date automatically. During preflight (the first step of every review), it checks GitHub Releases for a newer version. The check is cached locally for 24 hours to avoid slowing things down.