Analyze code for quality, patterns, security vulnerabilities, performance issues, and adherence to best practices.
/plugin marketplace add marcel-Ngan/ai-dev-team/plugin install marcel-ngan-ai-dev-team@marcel-Ngan/ai-dev-teamThis skill inherits all available tools. When active, it can use any tool Claude has access to.
Analyze code for quality, patterns, security vulnerabilities, performance issues, and adherence to best practices.
| Dimension | Focus | Tools/Techniques |
|---|---|---|
| Readability | Naming, structure, comments | Manual review |
| Maintainability | Modularity, coupling, cohesion | Complexity metrics |
| Reliability | Error handling, edge cases | Static analysis |
| Security | Vulnerabilities, data handling | Security scanning |
| Performance | Efficiency, resource usage | Profiling |
| Testability | Coverage, test quality | Coverage analysis |
## Code Review: {{prNumber}}
**Reviewer:** {{agent}}
**Author:** {{author}}
**Files Changed:** {{fileCount}}
**Lines:** +{{additions}} / -{{deletions}}
### Checklist
#### Functionality
- [ ] Code does what the story requires
- [ ] Edge cases handled
- [ ] Error scenarios covered
- [ ] No unintended side effects
#### Code Quality
- [ ] Follows project coding standards
- [ ] Meaningful variable/function names
- [ ] No code duplication (DRY)
- [ ] Functions are focused (single responsibility)
- [ ] Appropriate abstraction level
#### Security
- [ ] No hardcoded secrets
- [ ] Input validation present
- [ ] No SQL injection vulnerabilities
- [ ] No XSS vulnerabilities
- [ ] Proper authentication/authorization checks
#### Performance
- [ ] No obvious performance issues
- [ ] Database queries optimized
- [ ] No unnecessary loops/iterations
- [ ] Appropriate caching where needed
#### Testing
- [ ] Unit tests added/updated
- [ ] Tests cover happy path
- [ ] Tests cover error scenarios
- [ ] Test names are descriptive
#### Documentation
- [ ] Complex logic has comments
- [ ] Public APIs documented
- [ ] README updated if needed
### Review Summary
**Overall:** ✅ Approved | 🔄 Changes Requested | ❌ Request Changes
**Strengths:**
- {{strength1}}
- {{strength2}}
**Issues Found:**
#### Critical (Must Fix) 🔴
{{#each critical}}
- **{{file}}:{{line}}** - {{issue}}
{{codeSnippet}}
**Suggestion:** {{suggestion}}
{{/each}}
#### Important (Should Fix) 🟠
{{#each important}}
- **{{file}}:{{line}}** - {{issue}}
{{/each}}
#### Minor (Nice to Have) 🟡
{{#each minor}}
- **{{file}}:{{line}}** - {{suggestion}}
{{/each}}
#### Questions ❓
{{#each questions}}
- **{{file}}:{{line}}** - {{question}}
{{/each}}
| Category | Risk Level | Examples |
|---|---|---|
| Injection | Critical | SQL, Command, LDAP injection |
| Authentication | Critical | Weak passwords, session issues |
| Data Exposure | High | Unencrypted data, logging PII |
| Access Control | High | Missing authorization checks |
| Misconfiguration | Medium | Debug enabled, default creds |
| Dependencies | Variable | Known CVEs in packages |
## Security Analysis: {{component}}
**Analyst:** {{agent}}
**Date:** {{date}}
**Scope:** {{scope}}
### Findings
| ID | Severity | Category | Location | Description |
|----|----------|----------|----------|-------------|
| SEC-001 | Critical/High/Medium/Low | {{category}} | {{file}}:{{line}} | {{description}} |
### Detailed Findings
#### SEC-001: {{title}}
**Severity:** {{severity}}
**Category:** {{category}}
**Location:** `{{file}}:{{line}}`
**Description:**
{{description}}
**Vulnerable Code:**
```{{language}}
{{codeSnippet}}
Risk: {{riskExplanation}}
Remediation:
{{fixedCode}}
References:
### Common Security Patterns
```markdown
### Security Anti-Patterns to Check
#### Input Handling
- [ ] User input directly in SQL queries
- [ ] User input in system commands
- [ ] User input reflected in HTML without encoding
- [ ] User input in file paths
#### Authentication/Authorization
- [ ] Missing authentication on sensitive endpoints
- [ ] Hardcoded credentials
- [ ] Weak password requirements
- [ ] Missing rate limiting on auth endpoints
#### Data Protection
- [ ] Sensitive data in logs
- [ ] Secrets in code/config
- [ ] PII transmitted unencrypted
- [ ] Missing data validation
## Performance Analysis: {{component}}
**Analyst:** {{agent}}
**Date:** {{date}}
### Identified Issues
| Issue | Impact | Location | Recommendation |
|-------|--------|----------|----------------|
| {{issue}} | High/Med/Low | {{location}} | {{recommendation}} |
### Detailed Analysis
#### Issue: {{issueName}}
**Location:** `{{file}}:{{line}}`
**Impact:** {{impact}}
**Current Code:**
```{{language}}
{{currentCode}}
Problem: {{problemExplanation}}
Suggested Optimization:
{{optimizedCode}}
Expected Improvement: {{expectedImprovement}}
### Common Performance Issues
| Pattern | Problem | Solution |
|---------|---------|----------|
| N+1 Queries | Multiple DB calls in loop | Batch queries, joins |
| Unbounded Lists | Loading all records | Pagination |
| Missing Indexes | Slow queries | Add appropriate indexes |
| String Concatenation | Memory churn in loops | StringBuilder/join |
| Synchronous I/O | Blocking operations | Async/await |
| Missing Caching | Repeated expensive ops | Cache results |
---
## Complexity Analysis
### Complexity Metrics
```markdown
## Complexity Analysis: {{component}}
### Metrics Summary
| Metric | Value | Threshold | Status |
|--------|-------|-----------|--------|
| Cyclomatic Complexity | {{cc}} | <10 | {{status}} |
| Lines of Code | {{loc}} | <200 | {{status}} |
| Nesting Depth | {{depth}} | <4 | {{status}} |
| Parameters | {{params}} | <5 | {{status}} |
| Dependencies | {{deps}} | <10 | {{status}} |
### High Complexity Functions
| Function | CC | LOC | Recommendation |
|----------|----|----|----------------|
| {{function}} | {{cc}} | {{loc}} | {{recommendation}} |
### Refactoring Opportunities
#### {{functionName}}
**Current Complexity:** CC={{cc}}
**Target Complexity:** CC<10
**Suggested Refactoring:**
{{refactoringApproach}}
**Estimated Effort:** {{effort}}
## Technical Debt Assessment: {{area}}
**Analyst:** {{agent}}
**Date:** {{date}}
### Debt Inventory
| ID | Type | Location | Description | Effort | Priority |
|----|------|----------|-------------|--------|----------|
| TD-001 | {{type}} | {{location}} | {{description}} | {{effort}} | {{priority}} |
### Debt Types
- **Code Debt:** Poorly written code needing refactor
- **Design Debt:** Architectural shortcuts
- **Test Debt:** Missing/inadequate tests
- **Doc Debt:** Missing documentation
- **Dependency Debt:** Outdated dependencies
### Impact Assessment
| Debt Item | Maintenance Cost | Risk | Business Impact |
|-----------|------------------|------|-----------------|
| {{item}} | High/Med/Low | High/Med/Low | {{impact}} |
### Remediation Plan
| Priority | Items | Effort | Timeline |
|----------|-------|--------|----------|
| Critical | {{items}} | {{effort}} | ASAP |
| High | {{items}} | {{effort}} | Next sprint |
| Medium | {{items}} | {{effort}} | Next quarter |
| Low | {{items}} | {{effort}} | As capacity |
## Test Coverage Analysis: {{component}}
### Coverage Summary
| Metric | Value | Target | Status |
|--------|-------|--------|--------|
| Line Coverage | {{linePct}}% | 80% | {{status}} |
| Branch Coverage | {{branchPct}}% | 70% | {{status}} |
| Function Coverage | {{funcPct}}% | 90% | {{status}} |
### Uncovered Areas
| File | Uncovered Lines | Priority | Notes |
|------|-----------------|----------|-------|
| {{file}} | {{lines}} | High/Med/Low | {{notes}} |
### Test Quality Assessment
- [ ] Tests are deterministic (no flaky tests)
- [ ] Tests are independent
- [ ] Tests cover edge cases
- [ ] Tests have meaningful assertions
- [ ] Tests are maintainable
### Recommendations
{{#each recommendations}}
- {{recommendation}}
{{/each}}
| Agent | Code Analysis Use |
|---|---|
| Senior Developer | Primary - code reviews, refactoring decisions |
| Junior Developer | Learning from review feedback |
| QA Engineer | Test coverage, quality assessment |
| Software Architect | Technical debt, complexity analysis |
| DevOps Engineer | Performance, security scanning |
This skill should be used when the user asks to "create a slash command", "add a command", "write a custom command", "define command arguments", "use command frontmatter", "organize commands", "create command with file references", "interactive command", "use AskUserQuestion in command", or needs guidance on slash command structure, YAML frontmatter fields, dynamic arguments, bash execution in commands, user interaction patterns, or command development best practices for Claude Code.
This skill should be used when the user asks to "create an agent", "add an agent", "write a subagent", "agent frontmatter", "when to use description", "agent examples", "agent tools", "agent colors", "autonomous agent", or needs guidance on agent structure, system prompts, triggering conditions, or agent development best practices for Claude Code plugins.
This skill should be used when the user asks to "create a hook", "add a PreToolUse/PostToolUse/Stop hook", "validate tool use", "implement prompt-based hooks", "use ${CLAUDE_PLUGIN_ROOT}", "set up event-driven automation", "block dangerous commands", or mentions hook events (PreToolUse, PostToolUse, Stop, SubagentStop, SessionStart, SessionEnd, UserPromptSubmit, PreCompact, Notification). Provides comprehensive guidance for creating and implementing Claude Code plugin hooks with focus on advanced prompt-based hooks API.