Use when asked to review MERN stack code - comprehensive code reviewer that checks project health, security, maintainability, performance, testing, and architecture. Combines general code quality analysis with MERN-specific expertise.
/plugin marketplace add 9tykeshav/mern-ninja-cc
/plugin install mern-ninja@mern-ninja-marketplace

This skill inherits all available tools. When active, it can use any tool Claude has access to.

- reference/express.md
- reference/fullstack.md
- reference/mongodb.md
- reference/nodejs.md
- reference/react.md
- reference/security.md

Comprehensive code review: General intelligence + MERN specialization.
Philosophy: Check project health FIRST, then dive into code. A 6,000-line file is a problem regardless of what's in it.
Before reading any code, assess project health:
- `tsc --noEmit` or check for compilation errors
- `package.json` scripts, look for test directories
- `find src -name "*.ts" -o -name "*.tsx" | xargs wc -l | sort -n | tail -20`
- `npm audit` issues, unusual deps (Angular in React?)

Stop here if: Build is broken, docs say "DO NOT DEPLOY", or critical blockers found. Report immediately.
| Priority | Focus | Severity |
|---|---|---|
| 0. Blockers | Build failures, "DO NOT DEPLOY", broken deploys | STOP |
| 1. Security | Injection, auth, secrets, XSS | Critical |
| 2. Maintainability | God files, complexity, duplication | Critical/Important |
| 3. Performance | N+1, missing indexes, re-renders | Important |
| 4. Testing | No tests, low coverage, flaky tests | Important |
| 5. Best Practices | Error handling, async patterns | Suggestion |
| 6. Architecture | API design, state management | Suggestion |
Load reference files ON-DEMAND when you hit MERN-specific edge cases.
Use the output format below. Offer to fix starting with Critical.
# MERN Code Review
## Project Health
- Build: [Compiles / X errors / Not checked]
- Tests: [X passing / X failing / None found]
- Blockers: [Any deployment blockers from docs]
- Large files: [Files >500 lines]
## Scope
[What was reviewed]
## Summary
- Files reviewed: X
- Issues: X Critical, X Important, X Suggestions
## Critical (Must Fix)
### [C1] Category: Title
**File:** `path:line`
**Why:** [1-2 sentences]
**Fix:** [Code or instruction]
## Important (Should Fix)
### [I1] Category: Title
...
## Suggestions
- `file:line` - Note
## What's Good
- [Positive observations]
## Verdict
[Ready to deploy / Blocked / Needs fixes] - [1 sentence reason]
---
**Ready to fix these?** Starting with Critical issues.
Minimum required checks. Report other issues you find during review.
- `npm audit`
- `$where`, `$ne`, `$regex` with user input (NoSQL injection/ReDoS)
- `dangerouslySetInnerHTML` without DOMPurify
- `eval()` or `new Function()` with user input
- `.lean()` for read-only Mongoose queries
- `fs.readFileSync` in request handlers

These are automatic Critical issues:

- `eval()`, `new Function()` with user input
- `dangerouslySetInnerHTML` without sanitization
- `$where` clause with user input
- `npm audit` critical vulnerabilities

| Scope | Phase 0 | Code Depth | Focus |
|---|---|---|---|
| Single file | Skip | Deep | All checklists on that file |
| Last commit | Quick | Medium | Changed lines + immediate context |
| Feature/PR | Quick | Medium | All changed files |
| Full repo | Full | Broad | Sample key files, architecture |
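
The "`$where`, `$ne`, `$regex` with user input" check from the list above, as an added example (not part of the skill or its reference files): a dependency-free guard that rejects operator keys in parsed request input and escapes free text before it reaches `$regex`. The function names, the length limit and the sample inputs are constructed for illustration.

```javascript
// Added example: function names, limits and sample inputs are hypothetical.
const MAX_SEARCH_LEN = 64;

// List the paths of keys MongoDB would treat as operators or dotted paths.
function findOperatorKeys(value, path = "") {
  if (value === null || typeof value !== "object") return [];
  const hits = [];
  for (const [key, child] of Object.entries(value)) {
    const here = path ? `${path}.${key}` : key;
    if (key.startsWith("$") || key.includes(".")) hits.push(here);
    hits.push(...findOperatorKeys(child, here));
  }
  return hits;
}

// Escape regex metacharacters so user text is matched literally.
function escapeRegex(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Build a query filter from parsed request input: reject operator keys,
// require plain strings, and turn free text into a bounded literal prefix match.
function buildUserFilter(input) {
  const bad = findOperatorKeys(input);
  if (bad.length > 0) throw new Error(`operator keys in input: ${bad.join(", ")}`);
  const filter = {};
  if (input.email !== undefined) {
    if (typeof input.email !== "string") throw new TypeError("email must be a string");
    filter.email = input.email;
  }
  if (input.name !== undefined) {
    if (typeof input.name !== "string" || input.name.length > MAX_SEARCH_LEN) {
      throw new TypeError("name must be a short string");
    }
    filter.name = { $regex: "^" + escapeRegex(input.name) };
  }
  return filter;
}

// Constructed sample inputs (not from the page).
const SAMPLES = {
  benign: { email: "alice@example.com", name: "Al" },
  operatorObject: { email: { $ne: null } }, // object where a string is expected
  regexText: { name: "(a+)+$" },            // pattern text that must stay literal
};
```

In review, a handler that passes `req.body` or `req.query` fields into a Mongoose filter without a type check like this is the pattern to flag as Critical.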
Load ONLY when you encounter MERN-specific patterns you need to verify:
| When to Load | Reference |
|---|---|
| NoSQL query security question | security.md |
| React hooks/re-render issue | react.md |
| Express middleware question | express.md |
| MongoDB schema/index question | mongodb.md |
| Node.js async/memory issue | nodejs.md |
| API design/auth flow question | fullstack.md |
Do NOT load all references upfront. They're for edge cases, not general review.
Found: EventService.ts - 6,165 lines
→ Critical [C1] Maintainability: God file
→ Recommend split into: EventQueryService, EventBookingService,
EventGuestService, EventInviteService (~500 lines each)
Found: CURRENT_STATUS_AND_BUGS.md contains "DO NOT DEPLOY"
→ Critical [C1] Blocker: Deployment blocked by known issues
→ Fix TypeScript errors in EditEventModal.tsx before proceeding
Found: No Helmet middleware in index.ts
→ Critical [C2] Security: Missing security headers
→ Fix: npm install helmet && app.use(helmet())