From memstack
Systematically reviews code for security, performance, maintainability, error handling, testing, and accessibility issues with severity-ranked findings and specific fixes. Activates on review requests.
Install: `npx claudepluginhub cwinvestments/memstack --plugin memstack`

This skill uses the workspace's default tool permissions.
*Systematic code review across security, performance, maintainability, error handling, testing, and accessibility, with severity-ranked findings and specific fixes.*
Reviews code for bugs, bad patterns, security issues, performance problems, correctness, and untested code. Reports findings and delegates to fix, test, sentinel, or other skills.
Conducts code reviews assessing quality, best practices, security vulnerabilities, performance, error handling, and test coverage. Outputs categorized issues with recommendations and severity ratings.
Conducts structured code reviews for security vulnerabilities, correctness bugs, performance issues, maintainability, and testing gaps using checklists and scans. Use for reviewing code, auditing, or bug checks.
When this skill activates, output:

```
Code Reviewer - Scanning for issues...
```

Then execute the protocol below.

| Context | Status |
|---|---|
| User says "review code" or "code review" or "check my code" | ACTIVE |
| User says "audit this" or "review PR" or "review changes" | ACTIVE |
| User asks "what's wrong with this" about code | ACTIVE |
| Reviewing a specific file or set of changes | ACTIVE |
| User is writing code and hasn't asked for review | DORMANT |
| Discussing code architecture at a high level | DORMANT |

| Trap | Reality Check |
|---|---|
| "This looks fine to me" | Check every category systematically. Skimming misses auth gaps and N+1 queries. |
| "Style issues are important" | Linters handle style. Focus on logic, security, and correctness. |
| "I'll flag everything I see" | Noise kills reviews. Only report issues with real impact. Severity matters. |
| "The code works so it's fine" | Working does not mean correct. Race conditions, edge cases, and security holes all "work" until they don't. |
| "I'll suggest a complete rewrite" | Review what's there. Propose targeted fixes, not architectural overhauls. |

| Label | Meaning | Action |
|---|---|---|
| Critical | Security vulnerability, data loss risk, crash in production | Fix before merge |
| High | Bug, incorrect behavior, significant performance issue | Fix this sprint |
| Medium | Code smell, minor performance issue, missing edge case | Fix when touching the file |
| Low | Style preference, minor improvement, documentation gap | Consider for future |

### Step 1: Security

Scan for security vulnerabilities; this category takes priority.

Authentication gaps:

Search for route handlers and verify each has auth checks:

```bash
grep -rn "export async function\|export function" --include="*.ts" app/api/ | head -20
```

Flag these patterns:

- Route handlers without an auth check (`getAuthContext`) at the top
- Org-scoped handlers missing `verifyOrgAccess`

Exposed secrets:

Search for hardcoded credentials:

```bash
grep -rn "sk_live\|sk_test\|password\s*=\s*['\"]" --include="*.ts" --include="*.tsx" --include="*.js" --include="*.env" . | grep -v node_modules | grep -v .env.example
```

Flag these patterns:

- `.env` files committed to git
- `NEXT_PUBLIC_` prefix on secret values (exposed to the browser bundle)

Injection vulnerabilities:

Search for unsafe input handling:

```bash
grep -rn "\.raw(\|\.unsafeRaw\|innerHTML\s*=" --include="*.ts" --include="*.tsx" --include="*.js" . | grep -v node_modules
```

Flag these patterns:

- Raw SQL (`.raw(`, `.unsafeRaw`) built from request input
- `innerHTML =` assignments from untrusted data
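The checks in this step applied programmatically, as an added example that is not memstack's own code: it runs the page's grep patterns as regexes over a constructed route file and ranks the findings on the severity scale above. `reviewSecurity`, `SAMPLE_ROUTE` and the placeholder key value are assumptions for the demonstration.

```typescript
// Added example (not memstack's own code): a regex triage pass that applies the
// Step 1 patterns to source text and ranks findings on the page's severity scale.
type Severity = 'Critical' | 'High' | 'Medium' | 'Low';
export interface Finding { file: string; line: number; severity: Severity; message: string }
const RANK: Record<Severity, number> = { Critical: 0, High: 1, Medium: 2, Low: 3 };
// Exported route handlers; getAuthContext is the auth call the page expects at the top.
const HANDLER = /^export\s+(?:async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE)\b/;
const AUTH_CALL = /getAuthContext\(/;
// The same patterns as the page's grep commands, written as JavaScript regexes.
const SECRET = /sk_(?:live|test)|password\s*=\s*['"]/;
const INJECTION = /\.raw\(|\.unsafeRaw|innerHTML\s*=/;

// Index of the next top-level export at or after `from`, or the end of the file.
function nextExport(lines: string[], from: number): number {
  const i = lines.findIndex((l, idx) => idx >= from && /^export\s/.test(l));
  return i === -1 ? lines.length : i;
}

export function reviewSecurity(file: string, source: string): Finding[] {
  const lines = source.split('\n');
  const findings: Finding[] = [];
  lines.forEach((text, i) => {
    const line = i + 1;
    const handler = HANDLER.exec(text);
    if (handler) {
      // Look for the auth call anywhere in the handler body (up to the next export).
      const body = lines.slice(i + 1, nextExport(lines, i + 1)).join('\n');
      if (!AUTH_CALL.test(body)) findings.push({ file, line, severity: 'Critical', message: `No auth check in ${handler[1]} handler` });
    }
    if (SECRET.test(text)) findings.push({ file, line, severity: 'Critical', message: 'Hardcoded credential' });
    if (INJECTION.test(text)) findings.push({ file, line, severity: 'High', message: 'Raw query or innerHTML sink: confirm the input is not user-controlled' });
  });
  // Critical first, then by line, matching the per-file report order in Step 7.
  return findings.sort((a, b) => RANK[a.severity] - RANK[b.severity] || a.line - b.line);
}

// Constructed sample route file (not from any real project) exercising each check.
export const SAMPLE_ROUTE = [
  'export async function GET(req) {',
  '  const auth = await getAuthContext(req);',
  "  if (!auth) return apiError('Authentication required', 401);",
  '  return db.raw(`SELECT * FROM orgs WHERE id = ${req.query.id}`);',
  '}',
  'export async function DELETE(req) {',
  "  const apiKey = 'sk_live_PLACEHOLDER'; // constructed placeholder, not a real key",
  '  return db.organizations.delete(req.params.orgId);',
  '}',
].join('\n');
```

Because it is line-oriented, the pass is a triage aid that feeds the per-file report, not a replacement for reading the handler.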
### Step 2: Performance

Identify patterns that degrade under load.

N+1 queries:

```bash
# Find loops that might contain database calls
grep -rn "\.forEach\|\.map\|for.*of\|for.*in" --include="*.ts" --include="*.tsx" . | grep -v node_modules | head -20
```

Flag these patterns:

- `await` inside `.map()` without `Promise.all()` (sequential when it could be parallel)
- Independent `await` calls that could be `Promise.all([...])` (parallelizable)

Missing indexes:

- `WHERE` or `ORDER BY` columns without indexes

Frontend performance:

```bash
# Check for large imports that should be tree-shaken
grep -rn "import .* from ['\"]lodash['\"]" --include="*.ts" --include="*.tsx" . | grep -v node_modules
```

Flag these patterns:

- Whole-library imports that defeat tree-shaking (`import _ from 'lodash'`)
- Unchecked bundle size (`next build --analyze`)
- Missing `React.memo`, `useMemo`, or `useCallback` on expensive renders
- Images served without `next/image` optimization

Data fetching:
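To make the N+1 finding measurable, an added example that is not memstack's own code compares the three access shapes this step distinguishes (sequential awaits, `Promise.all`, and the batched `findByProjectIds` fix) against an in-memory data layer that counts round trips and concurrency. `Db`, `sequential`, `parallel` and `batched` are assumed names; the member data is constructed.

```typescript
// Added example (not memstack's own code): an in-memory data layer with a query
// counter, used to compare the three shapes of the project-member lookup flagged above.
// getProjectMembers / findByProjectIds follow the page's snippets; the data is constructed.
type Member = { projectId: string; userId: string };
const MEMBERS: Member[] = [
  { projectId: 'p1', userId: 'u1' }, { projectId: 'p1', userId: 'u2' },
  { projectId: 'p2', userId: 'u3' }, { projectId: 'p3', userId: 'u1' },
];

// Every query records a round trip and how many were in flight at once, so the
// difference between sequential, parallel and batched access is measurable.
class Db {
  queries = 0; inFlight = 0; maxInFlight = 0;
  private async run<T>(work: () => T): Promise<T> {
    this.queries++; this.inFlight++;
    this.maxInFlight = Math.max(this.maxInFlight, this.inFlight);
    await new Promise<void>(r => setTimeout(r, 5)); // simulated network latency
    this.inFlight--;
    return work();
  }
  getProjectMembers(id: string) { return this.run(() => MEMBERS.filter(m => m.projectId === id)); }
  findByProjectIds(ids: string[]) { return this.run(() => MEMBERS.filter(m => ids.includes(m.projectId))); }
}

type Grouped = Record<string, Member[]>;
export interface Result { byProject: Grouped; queries: number; maxInFlight: number }

// N+1: one round trip per project, each awaited before the next starts.
export async function sequential(ids: string[]): Promise<Result> {
  const db = new Db(); const byProject: Grouped = {};
  for (const id of ids) byProject[id] = await db.getProjectMembers(id);
  return { byProject, queries: db.queries, maxInFlight: db.maxInFlight };
}

// Still N round trips, but issued concurrently: the Promise.all case the page calls parallelizable.
export async function parallel(ids: string[]): Promise<Result> {
  const db = new Db(); const byProject: Grouped = {};
  const lists = await Promise.all(ids.map(id => db.getProjectMembers(id)));
  ids.forEach((id, i) => { byProject[id] = lists[i]; });
  return { byProject, queries: db.queries, maxInFlight: db.maxInFlight };
}

// One batched query grouped in memory: the fix the Step 7 report proposes.
export async function batched(ids: string[]): Promise<Result> {
  const db = new Db(); const byProject: Grouped = {};
  for (const id of ids) byProject[id] = [];
  for (const m of await db.findByProjectIds(ids)) byProject[m.projectId].push(m);
  return { byProject, queries: db.queries, maxInFlight: db.maxInFlight };
}
```

All three return the same grouping; only the query count and concurrency differ, which is what the review should report.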
### Step 3: Maintainability

Evaluate code clarity and organization.

Dead code:

```bash
grep -rn "export " --include="*.ts" --include="*.tsx" . | grep -v node_modules | head -30
```

Flag these patterns:

Duplicated logic:

Naming clarity:

- Single-letter or cryptic names (`d`, `x`, `t`: what are these?)
- Booleans without an `is`/`has`/`should` prefix (`active` vs `isActive`)
- Vague function names (`process()`, `handle()`, `doStuff()`)

Type safety:

- `any` type used where a specific type is known
- Type assertions (`as Type`) hiding real type errors
- `@ts-ignore` or `@ts-expect-error` without explanation

### Step 4: Error Handling

Check that errors are caught and handled appropriately.
Uncaught promises:

```bash
grep -rn "await " --include="*.ts" --include="*.tsx" . | grep -v "try\|catch\|\.catch" | grep -v node_modules | head -20
```

Flag these patterns:

- `await` calls without try/catch in route handlers (returns 500 with no context)
- `.then()` chains without `.catch()` (unhandled rejection)
- `async` functions with no error boundary
- Dangling promises (no `await`, no `.catch()`, no `void`)

Error quality:

- `catch (e) { throw e }` (adds nothing: let it propagate or add context)
- Empty `catch (e) {}` blocks (at minimum, log them)

Edge cases:
### Step 5: Testing

Assess test coverage for critical paths.

Untested critical paths:

Missing edge cases:

Test quality:
### Step 6: Accessibility

Check that UI code is usable by everyone.

Image and media:

- `<img>` without `alt` attribute (screen readers announce nothing)
- Decorative images missing `alt=""` (screen readers read the filename)

Keyboard navigation:

- Click handlers on `<div>` instead of `<button>` (not keyboard accessible)

ARIA and semantics:

- Missing `aria-label` on icon-only buttons
- Navigation not wrapped in `<nav>`
- Form inputs without `<label>` elements
- Missing `role` attributes on custom interactive components
- Dynamic updates without `aria-live`

Color and contrast:
### Step 7: Per-File Findings

For each file reviewed, output findings grouped by file:

file: app/api/organizations/[orgId]/route.ts

Critical: No auth check on DELETE handler
Line 45: `export async function DELETE(req) { ... }`
Fix: Add getAuthContext + verifyOrgAccess + admin role check

```typescript
const auth = await getAuthContext(req);
if (!auth) return apiError('Authentication required', 401);
const access = await verifyOrgAccess(auth.userId, params.orgId);
if (!access || access.role !== 'owner') return apiError('Access denied', 403);
```

High: N+1 query in project listing
Line 62: `projects.map(async (p) => await getProjectMembers(p.id))`
Fix: Batch fetch members for all projects in one query

```typescript
const membersByProject = await db.members.findByProjectIds(
  projects.map(p => p.id)
);
```

Medium: Generic error message
Line 78: `catch (e) { return apiError('Something went wrong', 500); }`
Fix: Log the error with context, return safe message

```typescript
catch (error) {
  console.error('DELETE /organizations failed:', { orgId: params.orgId, error });
  return apiError('Failed to delete organization', 500);
}
```

Low: Missing return type on handler
Line 45: `export async function DELETE(req)`
Fix: Add explicit return type

```typescript
export async function DELETE(req: NextRequest): Promise<NextResponse>
```
### Step 8: Summary Report

After reviewing all files, output a summary:

```
Code Review - Complete

Files reviewed: [count]
Issues found: [total]

By severity:
  Critical: [count] - fix before merge
  High: [count] - fix this sprint
  Medium: [count] - fix when touching the file
  Low: [count] - consider for future

By category:
  Security: [count] issues
  Performance: [count] issues
  Maintainability: [count] issues
  Error handling: [count] issues
  Testing: [count] issues
  Accessibility: [count] issues

Top 3 priorities:

Estimated fix effort:
  Critical + High: ~[X] hours
  All issues: ~[X] hours
```
## Level History

- **Lv.1** - Base: Six-category systematic review (security, performance, maintainability, error handling, testing, accessibility), severity-ranked findings, per-file reports with specific code fixes, summary with prioritized action items. (Origin: MemStack Pro v3.2, Mar 2026)