Skill

code-review

Review code changes for security, performance, and correctness. Trigger with a PR URL or diff, "review this before I merge", "is this code safe?", or when checking a change for N+1 queries, injection risks, missing edge cases, or error handling gaps.

Install

npx claudepluginhub foundationforge/cowork-plugins --plugin engineering

Tool Access

This skill uses the workspace's default tool permissions.

Preview

> If you see unfamiliar placeholders or need to check which tools are connected, see [CONNECTORS.md](../../CONNECTORS.md).

SKILL.md

Similar Skills

executing-plans

Executes pre-written implementation plans: critically reviews, follows bite-sized steps exactly, runs verifications, tracks progress with checkpoints, uses git worktrees, stops on blockers.

superpowers

152.2k

brainstorming

7 files

Guides idea refinement into designs: explores context, asks questions one-by-one, proposes approaches, presents sections for approval, writes/review specs before coding.

superpowers

152.2k

dispatching-parallel-agents

Dispatches parallel agents to independently tackle 2+ tasks like separate test failures or subsystems without shared state or dependencies.

superpowers

152.2k

Stats

Parent Repo Stars0

Parent Repo Forks0

Last CommitApr 12, 2026

Actions

View Source View Plugin View on GitHub View README

/code-review

If you see unfamiliar placeholders or need to check which tools are connected, see CONNECTORS.md.

Review code changes with a structured lens on security, performance, correctness, and maintainability.

Usage

/code-review <PR URL or file path>

Review the provided code changes: @$1

If no specific file or URL is provided, ask what to review.

How It Works

┌─────────────────────────────────────────────────────────────────┐
│                      CODE REVIEW                                   │
├─────────────────────────────────────────────────────────────────┤
│  STANDALONE (always works)                                       │
│  ✓ Paste a diff, PR URL, or point to files                      │
│  ✓ Security audit (OWASP top 10, injection, auth)               │
│  ✓ Performance review (N+1, memory leaks, complexity)           │
│  ✓ Correctness (edge cases, error handling, race conditions)    │
│  ✓ Style (naming, structure, readability)                        │
│  ✓ Actionable suggestions with code examples                    │
├─────────────────────────────────────────────────────────────────┤
│  SUPERCHARGED (when you connect your tools)                      │
│  + Source control: Pull PR diff automatically                    │
│  + Project tracker: Link findings to tickets                     │
│  + Knowledge base: Check against team coding standards           │
└─────────────────────────────────────────────────────────────────┘

Review Dimensions

Security

SQL injection, XSS, CSRF
Authentication and authorization flaws
Secrets or credentials in code
Insecure deserialization
Path traversal
SSRF

Performance

N+1 queries
Unnecessary memory allocations
Algorithmic complexity (O(n²) in hot paths)
Missing database indexes
Unbounded queries or loops
Resource leaks

Correctness

Edge cases (empty input, null, overflow)
Race conditions and concurrency issues
Error handling and propagation
Off-by-one errors
Type safety

Maintainability

Naming clarity
Single responsibility
Duplication
Test coverage
Documentation for non-obvious logic

Output

## Code Review: [PR title or file]

### Summary
[1-2 sentence overview of the changes and overall quality]

### Critical Issues
| # | File | Line | Issue | Severity |
|---|------|------|-------|----------|
| 1 | [file] | [line] | [description] | 🔴 Critical |

### Suggestions
| # | File | Line | Suggestion | Category |
|---|------|------|------------|----------|
| 1 | [file] | [line] | [description] | Performance |

### What Looks Good
- [Positive observations]

### Verdict
[Approve / Request Changes / Needs Discussion]

If Connectors Available

If ~~source control is connected:

Pull the PR diff automatically from the URL
Check CI status and test results

If ~~project tracker is connected:

Link findings to related tickets
Verify the PR addresses the stated requirements

If ~~knowledge base is connected:

Check changes against team coding standards and style guides

Tips

Provide context — "This is a hot path" or "This handles PII" helps me focus.
Specify concerns — "Focus on security" narrows the review.
Include tests — I'll check test coverage and quality too.

Visual Output

After completing the review, offer to generate a visual HTML diff page:

"Want a visual version of this review? Run /visual-explainer:diff-review for an interactive HTML page with side-by-side diffs, risk highlights, and a change breakdown you can share."

Trigger automatically when the review covers 5+ files or the user says "share", "report", or "visual".