Load PROACTIVELY when task involves reviewing code, auditing quality, or validating implementations. Use when user says "review this code", "check this PR", "audit the codebase", or "score this implementation". Covers the 10-dimension weighted scoring rubric (correctness, security, performance, architecture, testing, error handling, type safety, maintainability, accessibility, documentation), automated pattern detection for anti-patterns, and structured review output with actionable findings.
Performs comprehensive code reviews using a 10-dimension scoring rubric covering security, performance, and quality.
/plugin marketplace add mgd34msu/goodvibes-plugin/plugin install goodvibes@goodvibes-marketThis skill inherits all available tools. When active, it can use any tool Claude has access to.
references/review-patterns.mdscripts/validate-code-review.shscripts/
validate-code-review.sh
references/
review-patterns.md
This skill teaches you how to perform thorough, enterprise-grade code reviews using GoodVibes precision tools. A systematic code review catches issues early, ensures consistency, validates security and performance, and maintains high quality standards across the codebase.
Load this skill when:
Trigger phrases: "review this code", "check the PR", "quality audit", "security review", "performance review", "validate implementation".
Before reviewing, understand what changed, why, and the scope of impact.
Use discover to map all changed files and identify the type of change.
discover:
queries:
- id: changed_files
type: glob
patterns: ["src/**/*"] # List changed files for review
- id: new_files
type: glob
patterns: ["**/*"]
- id: test_files
type: glob
patterns: ["**/*.test.ts", "**/*.test.tsx", "**/*.spec.ts", "**/*.spec.tsx"]
verbosity: files_only
Extract from git:
precision_exec:
commands:
- cmd: "git diff --name-only HEAD~1..HEAD"
verbosity: minimal
What this reveals:
Use precision_read to examine the actual changes.
precision_read:
files:
- path: "src/api/user-routes.ts" # Example changed file
extract: content
- path: "src/components/UserProfile.tsx"
extract: content
output:
max_per_item: 200
verbosity: standard
Get diff context:
precision_exec:
commands:
- cmd: "git diff HEAD~1..HEAD -- src/api/user-routes.ts"
verbosity: standard
Use discover to find imports, exports, and usage of changed symbols.
discover:
queries:
- id: function_exports
type: grep
pattern: "export (function|const|class) (createUser|updateUser|deleteUser)"
glob: "**/*.{ts,tsx,js,jsx}"
- id: usage_sites
type: grep
pattern: "(createUser|updateUser|deleteUser)\\("
glob: "**/*.{ts,tsx,js,jsx}"
- id: related_tests
type: grep
pattern: "(createUser|updateUser|deleteUser)"
glob: "**/*.test.{ts,tsx}"
verbosity: locations
What this reveals:
Security issues are critical and must be caught in review.
Use discover to find security anti-patterns.
discover:
queries:
# SQL Injection
- id: sql_injection
type: grep
pattern: '(query|execute|sql).*[`$].*\$\{'
glob: "**/*.{ts,tsx,js,jsx}"
# XSS vulnerabilities
- id: dangerous_html
type: grep
pattern: "(dangerouslySetInnerHTML|innerHTML|outerHTML)"
glob: "**/*.{ts,tsx,jsx}"
# Hardcoded secrets
- id: hardcoded_secrets
type: grep
pattern: '(password|secret|api[_-]?key|token)\s*=\s*["''][^"'']+["'']'
glob: "**/*.{ts,tsx,js,jsx,json}"
# Missing authentication
- id: unauthed_routes
type: grep
pattern: "export (async )?function (GET|POST|PUT|DELETE|PATCH)"
glob: "src/app/api/**/*.ts"
verbosity: locations
Critical patterns to check:
| Pattern | Severity | Why It Matters |
|---|---|---|
| SQL injection | Critical | Allows attackers to read/modify database |
| XSS vulnerabilities | Critical | Allows script injection, session hijacking |
| Hardcoded secrets | Critical | Exposes credentials in source code |
| Missing auth checks | Critical | Exposes protected resources |
| Unsafe deserialization | Critical | Remote code execution |
| CORS misconfiguration | Major | Allows unauthorized origins |
| Weak password rules | Major | Account compromise |
| Missing input validation | Major | Data corruption, injection |
All external input must be validated.
discover:
queries:
# Check for validation schemas
- id: zod_schemas
type: grep
pattern: "z\\.(object|string|number|array|enum)"
glob: "**/*.{ts,tsx}"
# Check for direct request.json() without validation
- id: unvalidated_input
type: grep
pattern: "(await request\\.json\\(\\)|req\\.body)(?!.*safeParse)"
glob: "src/app/api/**/*.ts"
# Check for SQL parameterization
- id: parameterized_queries
type: grep
pattern: "(db\\.(query|execute)|prisma\\.|sql`)"
glob: "**/*.{ts,js}"
verbosity: locations
Best practices to validate:
Verify that protected resources require authentication.
discover:
queries:
# Find auth middleware usage
- id: auth_middleware
type: grep
pattern: "(getServerSession|auth\\(\\)|requireAuth|withAuth)"
glob: "src/app/api/**/*.ts"
# Find resource ownership checks
- id: ownership_checks
type: grep
pattern: "(userId|authorId|ownerId)\s*===\s*(session|user|currentUser)"
glob: "**/*.{ts,tsx}"
# Find RBAC checks
- id: rbac_checks
type: grep
pattern: "(role|permission|can)\s*===\s*"
glob: "**/*.{ts,tsx}"
verbosity: locations
Critical checks:
Performance issues cause poor UX and cost scalability.
N+1 queries are the #1 database performance killer.
discover:
queries:
# Find loops with database calls
- id: n_plus_one
type: grep
pattern: "(for|forEach|map).*await.*(prisma|db|query|find)"
glob: "**/*.{ts,tsx,js,jsx}"
# Find Prisma include usage
- id: prisma_includes
type: grep
pattern: "(findMany|findUnique|findFirst).*include:"
glob: "**/*.{ts,js}"
verbosity: locations
How to fix:
include to eager load related records (Prisma)SELECT IN for batch loadingReact re-render issues harm frontend performance.
discover:
queries:
# Find inline object/array creation in JSX
- id: inline_objects
type: grep
pattern: "(onClick|onChange|style)=\\{\\{|=\\{\\["
glob: "**/*.{tsx,jsx}"
# Find missing useMemo/useCallback
- id: missing_memoization
type: grep
pattern: "(map|filter|reduce)\\("
glob: "**/*.{tsx,jsx}"
# Find useEffect without dependencies
- id: missing_deps
type: grep
pattern: "useEffect\\([^)]+\\)\\s*$"
glob: "**/*.{tsx,jsx}"
verbosity: locations
Common issues:
| Anti-pattern | Fix |
|---|---|
| Inline object in props | Extract to constant or useMemo |
| Inline function in props | Wrap in useCallback |
| Large list without key | Add stable key prop |
| useEffect missing deps | Add all used variables to deps array |
| Context re-renders everything | Split context or use state managers |
Missing indexes cause slow queries.
precision_read:
files:
- path: "prisma/schema.prisma"
extract: content
output:
max_per_item: 500
verbosity: standard
Validate indexes exist for:
Code quality affects maintainability and reliability.
TypeScript should catch errors at compile time, not runtime.
discover:
queries:
# Find any types
- id: any_usage
type: grep
pattern: ":\s*any(\\s|;|,|\\))"
glob: "**/*.{ts,tsx}"
# Find type assertions (as)
- id: type_assertions
type: grep
pattern: "as (unknown|any|string|number)"
glob: "**/*.{ts,tsx}"
# Find non-null assertions (!)
- id: non_null_assertions
type: grep
pattern: "![.;,)\\]]"
glob: "**/*.{ts,tsx}"
# Find unsafe member access
- id: unsafe_access
type: grep
pattern: "\\?\\."
glob: "**/*.{ts,tsx}"
verbosity: locations
Type safety issues:
| Issue | Severity | Fix |
|---|---|---|
any type usage | Major | Use proper types or unknown |
as any assertions | Major | Fix the underlying type issue |
! non-null assertion | Minor | Add null checks |
| Missing return types | Minor | Explicitly type function returns |
| Implicit any params | Major | Add parameter types |
All async operations and API calls must handle errors.
discover:
queries:
# Find floating promises
- id: floating_promises
type: grep
pattern: "^\\s+[a-z][a-zA-Z]*\\(.*\\);$"
glob: "**/*.{ts,tsx,js,jsx}"
# Find empty catch blocks
- id: empty_catch
type: grep
pattern: "catch.*\\{\\s*\\}"
glob: "**/*.{ts,tsx,js,jsx}"
# Find console.error (should use logger)
- id: console_error
type: grep
pattern: "console\\.(error|warn|log)"
glob: "**/*.{ts,tsx,js,jsx}"
verbosity: locations
Error handling checklist:
.catch() or try/catchLarge files and high complexity make code hard to maintain.
precision_exec:
commands:
- cmd: "find src -not -path '*/node_modules/*' -not -path '*/dist/*' -name '*.ts' -o -name '*.tsx' -print0 | xargs -0 wc -l | sort -rn | head -20"
verbosity: standard
Code organization rules:
Tests validate correctness and prevent regressions.
Every changed file should have tests.
discover:
queries:
# Find test files
- id: test_files
type: glob
patterns: ["**/*.test.{ts,tsx}", "**/*.spec.{ts,tsx}"]
# Find files without tests
- id: source_files
type: glob
patterns: ["src/**/*.{ts,tsx}"]
# Check test imports
- id: test_imports
type: grep
pattern: "from ['\"].*/(api|lib|components)/"
glob: "**/*.test.{ts,tsx}"
verbosity: files_only
Compare source files to test files:
// Pseudo-logic (implement with precision tools)
const sourceFiles = results.source_files.files;
const testFiles = results.test_files.files;
const missingTests = sourceFiles.filter(f => !testFiles.some(t => t.includes(f.replace('.ts', ''))));
Tests should test behavior, not implementation.
discover:
queries:
# Find skipped tests
- id: skipped_tests
type: grep
pattern: "(it\\.skip|test\\.skip|describe\\.skip)"
glob: "**/*.test.{ts,tsx}"
# Find focused tests (.only)
- id: focused_tests
type: grep
pattern: "(it\\.only|test\\.only|describe\\.only)"
glob: "**/*.test.{ts,tsx}"
# Find expect assertions
- id: assertions
type: grep
pattern: "expect\\("
glob: "**/*.test.{ts,tsx}"
# Find mock usage
- id: mocks
type: grep
pattern: "(vi\\.mock|jest\\.mock|vi\\.fn)"
glob: "**/*.test.{ts,tsx}"
verbosity: locations
Test quality checklist:
.skip or .only (should be removed before merge)Architecture violations create technical debt.
Dependencies should flow from outer layers to inner layers.
discover:
queries:
# Find domain imports in UI
- id: ui_imports_domain
type: grep
pattern: "from ['\"].*/(domain|core|lib)/"
glob: "src/components/**/*.{ts,tsx}"
# Find UI imports in domain
- id: domain_imports_ui
type: grep
pattern: "from ['\"].*/(components|pages|app)/"
glob: "src/domain/**/*.{ts,tsx}"
# Find circular dependencies
- id: imports
type: grep
pattern: "^import.*from"
glob: "src/**/*.{ts,tsx}"
verbosity: locations
Dependency rules:
discover:
queries:
# Database access in components
- id: db_in_components
type: grep
pattern: "(prisma|db\\.(query|execute))"
glob: "src/components/**/*.{ts,tsx}"
# Business logic in API routes
- id: logic_in_routes
type: grep
pattern: "export (async )?function (GET|POST)"
glob: "src/app/api/**/*.ts"
verbosity: files_only
Read the route handlers to check:
Accessibility ensures your app is usable by everyone.
Use proper HTML elements for accessibility.
discover:
queries:
# Find div buttons (should be <button>)
- id: div_buttons
type: grep
pattern: "<div.*(onClick|onKeyDown)"
glob: "**/*.{tsx,jsx}"
# Find missing alt text
- id: missing_alt
type: grep
pattern: "<img(?![^>]*alt=)"
glob: "**/*.{tsx,jsx}"
# Find missing labels
- id: missing_labels
type: grep
pattern: "<input(?![^>]*aria-label)(?![^>]*id=)"
glob: "**/*.{tsx,jsx}"
# Find missing ARIA roles
- id: missing_roles
type: grep
pattern: "<(nav|header|footer|main)(?![^>]*role=)"
glob: "**/*.{tsx,jsx}"
verbosity: locations
Accessibility checklist:
<button>, not <div onClick>alt textaria-labeloutline: none without replacement)discover:
queries:
# Find custom components
- id: custom_components
type: grep
pattern: "(Accordion|Dialog|Dropdown|Tabs|Tooltip)"
glob: "src/components/**/*.{tsx,jsx}"
verbosity: files_only
Read components to validate:
Use the review-scoring skill to provide structured feedback.
See plugins/goodvibes/skills/protocol/review-scoring/SKILL.md for the full rubric.
The 10 Dimensions (weighted):
anyScore each dimension 1-10:
Overall score = weighted average
Pass/fail thresholds:
Run automated checks to catch issues.
precision_exec:
commands:
# Type check
- cmd: "npm run typecheck"
# Lint
- cmd: "npm run lint"
# Tests
- cmd: "npm run test"
# Security audit
- cmd: "npm audit --audit-level=moderate"
verbosity: standard
All checks must pass before approval.
Structured feedback is actionable and specific.
Review output format:
## Review Summary
**Overall Score**: 8.2/10
**Verdict**: APPROVE with suggestions
**What changed**: Added user profile API with authentication
**Files reviewed**: 8 files (5 source, 3 test)
## Dimension Scores
1. Correctness: 9/10
2. Type Safety: 7/10
3. Security: 9/10
4. Performance: 8/10
5. Error Handling: 7/10
6. Testing: 8/10
7. Code Quality: 9/10
8. Architecture: 8/10
9. Accessibility: 8/10
10. Documentation: 7/10
## Issues Found
### Major (should fix)
- **FILE:LINE** - Type safety: Function `updateProfile` has implicit `any` return type
- Fix: Add explicit return type `Promise<User>`
- Impact: TypeScript can't catch type errors in callers
### Minor (nice to fix)
- **src/api/profile.ts:42** - Error handling: Empty catch block swallows errors
- Fix: Log error with context before re-throwing
- Impact: Makes debugging harder
## What Was Done Well
- Excellent input validation with Zod schemas
- Comprehensive test coverage (95%)
- Proper authentication checks on all routes
- Clean separation of concerns (route -> service -> repository)
Feedback guidelines:
See references/review-patterns.md for detailed anti-patterns organized by category.
Quick reference:
any types, type assertionsexpect(result).toBeTruthy().skip or .only left inRun multiple grep/glob queries in parallel to find patterns.
Example: Find security issues
discover:
queries:
- id: sql_injection
type: grep
pattern: 'query.*\$\{'
- id: hardcoded_secrets
type: grep
pattern: 'api[_-]?key\s*=\s*["''][^"'']+'
- id: xss
type: grep
pattern: 'dangerouslySetInnerHTML'
verbosity: locations
Search with context, multiline support, and token limits.
Example: Find error handling
precision_grep:
queries:
- id: catch_blocks
pattern: "try\\s*\\{[\\s\\S]*?\\}\\s*catch"
output:
format: context
context_after: 3
context_before: 1
verbosity: standard
Run validation commands.
precision_exec:
commands:
- cmd: "npm run typecheck"
- cmd: "npm run lint"
- cmd: "npm test -- --coverage"
verbosity: standard
Use scripts/validate-code-review.sh to validate review completeness.
./scripts/validate-code-review.sh /path/to/review-output.md
The script checks:
Before reviewing:
git diff or GitHub PR)During review:
any, assertions, return typesAfter review:
Critical (must fix before merge):
Major (should fix before merge):
any usage, missing types)Minor (nice to fix, or address in follow-up):
Score inflation:
Vague feedback:
Promise<User> to function getUser"Ignoring positives:
Inconsistent severity:
Review multiple PRs or files in parallel.
discover:
queries:
- id: all_changes
type: grep
pattern: ".*"
path: "src/"
verbosity: files_only
Then read files in batch:
precision_read:
files:
- path: "src/changed-file-1.ts"
- path: "src/changed-file-2.ts"
extract: content
output:
max_per_item: 100
verbosity: standard
Use precision_grep with context to understand surrounding code.
precision_grep:
queries:
- id: auth_checks
pattern: "getServerSession|auth\\(\\)"
output:
format: context
context_before: 5
context_after: 10
verbosity: standard
Focus on changed lines only.
precision_exec:
commands:
- cmd: "git diff HEAD~1..HEAD --unified=5"
verbosity: standard
Parse the diff and review only changed sections.
Create a batch of security/performance checks.
discover:
queries:
# Security
- { id: sql_injection, type: grep, pattern: 'query.*\$\{' }
- { id: xss, type: grep, pattern: 'dangerouslySetInnerHTML' }
- { id: secrets, type: grep, pattern: 'password\s*=\s*["''][^"'']+' }
# Performance
- { id: n_plus_one, type: grep, pattern: 'for.*await.*prisma' }
- { id: inline_objects, type: grep, pattern: 'onClick=\{\{', glob: '**/*.tsx' }
# Quality
- { id: any_usage, type: grep, pattern: ':\s*any', glob: '**/*.ts' }
- { id: empty_catch, type: grep, pattern: 'catch.*\{\s*\}' }
verbosity: locations
Aggregate results and score based on findings.
references/review-patterns.md - Common anti-patterns by categoryscripts/validate-code-review.sh - Automated review validationplugins/goodvibes/skills/protocol/review-scoring/SKILL.md - Scoring rubric detailsActivates when the user asks about AI prompts, needs prompt templates, wants to search for prompts, or mentions prompts.chat. Use for discovering, retrieving, and improving prompts.
Search, retrieve, and install Agent Skills from the prompts.chat registry using MCP tools. Use when the user asks to find skills, browse skill catalogs, install a skill for Claude, or extend Claude's capabilities with reusable AI agent components.
Creating algorithmic art using p5.js with seeded randomness and interactive parameter exploration. Use this when users request creating art using code, generative art, algorithmic art, flow fields, or particle systems. Create original algorithmic art rather than copying existing artists' work to avoid copyright violations.