Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From primeline-skills
Use when reviewing pull requests, reviewing your own code before committing, or when asked to review code changes. Provides structured analysis with severity categorization, security focus, and optional worktree isolation for safe PR review.
npx claudepluginhub primeline-ai/primeline-skillsHow this skill is triggered — by the user, by Claude, or both
Slash command
/primeline-skills:code-reviewThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Structured code review that catches what matters. Not style nitpicks - real bugs, security holes, and logic errors.
Mandates invoking relevant skills via tools before any response in coding sessions. Covers access, priorities, and adaptations for Claude Code, Copilot CLI, Gemini CLI.
Share bugs, ideas, or general feedback.
Structured code review that catches what matters. Not style nitpicks - real bugs, security holes, and logic errors.
Announce: "Using code-review to analyze these changes."
Before committing your own code, check these 3 things:
If all 3 pass, your code is ready for a proper review.
Before reading a single line of code:
# For PRs:
gh pr view <number> --json title,body,files
gh pr diff <number>
For reviewing other people's PRs, use a git worktree for isolation:
# Create isolated workspace
git worktree add .worktrees/pr-<number> -b review/pr-<number>
cd .worktrees/pr-<number>
# Check out the PR
gh pr checkout <number>
Why isolation? The PR may contain untrusted code. Never run code from a PR you haven't reviewed. A worktree keeps your working directory clean.
Read the diff file by file. For each file, check:
Correctness:
Security:
Quality:
Every finding gets a severity:
| Severity | Meaning | Action |
|---|---|---|
| Critical | Security vulnerability, data loss, crash in production | Must fix before merge |
| High | Bug, race condition, significant logic error | Should fix before merge |
| Medium | Code quality, missing edge case, maintainability | Should address, not blocking |
| Low | Style, naming suggestion, minor improvement | Optional |
Each finding needs:
src/auth.ts:45)Structure your review:
## Review: [PR Title or Change Description]
### Summary
[1-2 sentences: what this change does and overall assessment]
### Critical / High
[List issues that must or should be fixed]
- `file:line` - [Issue]. [Why it matters]. Fix: [suggestion].
### Medium
[Issues worth addressing]
- `file:line` - [Issue]. Fix: [suggestion].
### Low
[Optional improvements]
- `file:line` - [Suggestion].
### Positive Notes
[What's done well - this matters for morale and learning]
### Verdict
[Approve / Request Changes / Comment]
# Return to main workspace
cd ../..
git worktree remove .worktrees/pr-<number>
git branch -D review/pr-<number>
Large PRs (500+ lines) benefit from delegation:
## 1. TASK
Review the diff of PR #[NUMBER] for bugs, security issues, and code quality.
## 2. EXPECTED OUTCOME
Categorized findings (Critical/High/Medium/Low) with file:line references and suggested fixes.
## 3. REQUIRED TOOLS
Read, Grep, Glob, Bash (gh pr view, gh pr diff only)
## 4. MUST DO
- Read every changed file
- Check for security vulnerabilities (OWASP top 10)
- Check for logic errors and unhandled edge cases
- Categorize findings by severity
- Include specific file:line references
## 5. MUST NOT DO
- Don't run any code from the PR
- Don't modify any files
- Don't approve or merge the PR
- Don't report style-only issues as High/Critical
## 6. CONTEXT
PR: [URL or number]
Description: [What the PR does]
Key files: [Most important files to focus on]
Agent: general-purpose | Model: Sonnet | Effort: High (12 turns)
These are the highest-value things to check. A review that catches one of these pays for itself:
| Area | What to Check |
|---|---|
| Auth bypass | New endpoints without auth middleware? Role checks missing? |
| Injection | User input reaching SQL, shell commands, or HTML without sanitization? |
| Secrets | API keys, tokens, passwords in code or config committed to repo? |
| SSRF | User-controlled URLs being fetched server-side? |
| Path traversal | User input in file paths without validation? |
| Mass assignment | User input spread into database objects without whitelisting fields? |
| Pattern | Problem | Fix |
|---|---|---|
| "LGTM" with no comments | Rubber-stamp review, catches nothing | Spend at least 5 minutes per 100 lines |
| Style-only feedback | Misses real bugs while bikeshedding | Check security and correctness first, style last |
| "This could be better" | Vague, not actionable | Specific: what, where, why, how to fix |
| Reviewing 2000 lines at once | Attention drops after ~400 lines | Request smaller PRs or review in chunks |
| Skipping test files | Tests might assert wrong behavior | Review tests - they're the spec |
If you have the Starter System installed:
/remember to log review patterns specific to your codebase/handoff to pass review context across sessionsWhen Kairn is configured, code review gains:
Without Kairn: review quality depends on the reviewer's memory. Still structured, still valuable, just not adaptive.