skills/review/SKILL.md
---
name: review
description: Thorough code review workflow. Use when reviewing PRs, auditing code quality, or doing self-review before submitting. Catches bugs, security issues, and design problems.
context: fork
agent: Explore
allowed-tools: Read, Grep, Glob, Bash(git diff *), Bash(git log *), Bash(git show *), Bash(wc *), Bash(gh pr *), Bash(gh api *)
argument-hint: [pr-number|branch|file-path] [--focus=security|performance|logic|style|all]
---

## Code Review: $ARGUMENTS
Systematic review to catch what humans miss.
```bash
# If PR number
gh pr view [number] --comments
gh pr diff [number]

# If branch
git log main..[branch] --oneline
git diff main...[branch]

# If file
git log -10 --follow [file]
git diff HEAD~5 [file]
```
```
┌─────────────────────────────────────────────────────────────┐
│ REVIEW: [Description]                                       │
├─────────────────────────────────────────────────────────────┤
│ Author: [who]                                               │
│ Size: [lines added/removed]                                 │
│ Files: [count]                                              │
│ Type: [feature|bugfix|refactor|docs|test]                   │
├─────────────────────────────────────────────────────────────┤
│ Related:                                                    │
│ • Issue: [link]                                             │
│ • Previous PRs: [links]                                     │
│ • Docs: [links]                                             │
└─────────────────────────────────────────────────────────────┘
```
Questions to answer:
- [ ] Does this change make sense architecturally?
- [ ] Is it in the right place?
- [ ] Does it follow existing patterns?
- [ ] Is it the right level of abstraction?
- [ ] Does it introduce new dependencies? Are they justified?
Look for:
- Logic Errors
- Security Issues
- Performance Issues
- Maintainability Issues
```markdown
## [Severity]: [Short Description]

**File**: `path/to/file.ts:123`

**Code**:
\`\`\`typescript
// Current
problematic code here
\`\`\`

**Issue**: [What's wrong]

**Suggestion**:
\`\`\`typescript
// Suggested
better code here
\`\`\`

**Why**: [Explanation of the improvement]
```
| Level | Meaning | Blocks Merge? |
|-------|---------|---------------|
| BLOCKER | Bug, security issue, will break prod | Yes |
| MAJOR | Significant issue, should fix | Probably |
| MINOR | Improvement opportunity | No |
| NIT | Style preference, take it or leave it | No |
| QUESTION | Clarification needed | Maybe |
| PRAISE | This is good, keep it up! | No |
[ ] A01: Broken Access Control
- Are permissions checked in the backend on every operation, not only in the UI?
- Can a user reach another user's data by changing an ID, path, or parameter?
[ ] A02: Cryptographic Failures
- Is sensitive data encrypted in transit and at rest?
- Are secrets (keys, tokens, passwords) hardcoded or committed?
- Are vetted libraries and modern algorithms used rather than homegrown crypto?
[ ] A03: Injection
- SQL injection via user input? (parameterized queries, not string building)
- Command injection? (argument arrays, never a shell string built from input)
- Template injection?
[ ] A04: Insecure Design
- Is the design fundamentally secure? (trust boundaries, abuse cases, rate limits)
[ ] A05: Security Misconfiguration
- Debug mode disabled?
- Default credentials removed?
- Verbose error pages and unneeded features or ports turned off?
[ ] A06: Vulnerable and Outdated Components
- Are dependencies up to date and pinned by a lockfile?
- Any known vulnerabilities? (run the ecosystem's audit tool, e.g. `cargo audit`, `npm audit`)
[ ] A07: Identification and Authentication Failures
- Proper password handling? (salted, slow hash; no plaintext or reversible storage)
- Session management secure? (expiry, rotation on login, secure cookie flags)
[ ] A08: Software and Data Integrity Failures
- Is untrusted data deserialized safely, or not at all?
- Are dependencies, plugins, and updates integrity-checked (lockfile hashes, signatures)?
- Is input validated and sanitized before use?
[ ] A09: Security Logging and Monitoring Failures
- Are security events (auth failures, denied access, validation failures) logged?
- Are logs protected from injection (strip CR/LF from user-controlled fields) and free of secrets?
[ ] A10: Server-Side Request Forgery (SSRF)
- Does user input control URLs the backend fetches?
- Are internal endpoints and cloud metadata addresses blocked (host allowlist, no private ranges)?
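The A03 "command injection" item above, as a before/after pair a reviewer can point at. This is an added example written for this page, not code from the review skill or from the NEXUS code base; it is in Rust because the extra checks further down target a Rust backend. `greet_via_shell`, `greet_direct`, `validate_name`, the `echo` command and the `x; echo INJECTED` payload are this example's own choices, and the allowed character set in `validate_name` is an assumption, not a project rule.

```rust
use std::fmt;
use std::io;
use std::process::Command;

/// Error for the hardened path; carries the cause instead of unwrap()-ing.
#[derive(Debug)]
pub enum GreetError {
    InvalidInput(String),
    Io(io::Error),
}

impl From<io::Error> for GreetError {
    fn from(e: io::Error) -> Self {
        GreetError::Io(e)
    }
}

impl fmt::Display for GreetError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            GreetError::InvalidInput(s) => write!(f, "invalid input: {s:?}"),
            GreetError::Io(e) => write!(f, "process error: {e}"),
        }
    }
}

/// The command line a naive implementation builds. Exposed on its own so the
/// effect of untrusted input on the string the shell will parse is visible.
pub fn shell_command_line(name: &str) -> String {
    format!("echo Hello {name}")
}

/// VULNERABLE (A03): user input is spliced into a string that `sh -c` parses,
/// so `;`, `|`, `$(...)` and friends become shell syntax.
pub fn greet_via_shell(name: &str) -> io::Result<String> {
    let out = Command::new("sh")
        .arg("-c")
        .arg(shell_command_line(name))
        .output()?;
    Ok(String::from_utf8_lossy(&out.stdout).into_owned())
}

/// FIXED, step 1: no shell at all. The input is exactly one argv element and
/// reaches `echo` byte for byte, metacharacters included.
pub fn greet_direct(name: &str) -> io::Result<String> {
    let out = Command::new("echo").arg("Hello").arg(name).output()?;
    Ok(String::from_utf8_lossy(&out.stdout).into_owned())
}

/// FIXED, step 2: allowlist the value before any program sees it. Argv
/// separation stops shell injection, but the called program still parses its
/// own arguments, so a leading `-` could be read as an option. The character
/// set and length limit here are this example's assumptions.
pub fn validate_name(name: &str) -> Result<&str, GreetError> {
    let ok_char = |c: char| c.is_ascii_alphanumeric() || matches!(c, '.' | '_' | '-');
    if name.is_empty() || name.len() > 64 || name.starts_with('-') || !name.chars().all(ok_char) {
        return Err(GreetError::InvalidInput(name.to_string()));
    }
    Ok(name)
}

/// What the reviewed code should look like: validate, then call without a shell.
pub fn greet_checked(name: &str) -> Result<String, GreetError> {
    let name = validate_name(name)?;
    Ok(greet_direct(name)?)
}

fn main() {
    let payload = "x; echo INJECTED"; // constructed attacker input
    println!("shell line: {}", shell_command_line(payload));
    println!("via shell:  {:?}", greet_via_shell(payload));
    println!("direct:     {:?}", greet_direct(payload));
    println!("checked:    {}", greet_checked(payload).unwrap_err());
    println!("checked:    {:?}", greet_checked("alice"));
}
```

When reviewing, grep for `sh -c`, `cmd /C`, or any `format!` whose result is handed to a shell; the fix is always the same shape: one argv element per value, plus an allowlist when the value is user-controlled.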
If reviewing Rust or Tauri code, add these checks:
[ ] Memory Safety
- Any unsafe blocks? Are they justified?
- Proper lifetime annotations?
- No use-after-free patterns?
[ ] Error Handling
- Using Result<T, E> properly?
- No unwrap() in production paths?
- Errors propagated with context (anyhow/thiserror)?
[ ] Concurrency
- Arc/Mutex used correctly?
- No deadlock potential?
- Async boundaries clear?
[ ] Performance
- Unnecessary clones?
- Large structs passed by value?
- Allocations in hot loops?
[ ] IPC Security
- Commands properly scoped?
- Input validated before Rust processing?
- No path traversal in file operations?
[ ] Frontend-Backend Contract
- TypeScript types match Rust structs?
- Serialization/deserialization tested?
- Error responses handled in frontend?
[ ] Permissions
- Capabilities properly configured?
- No overly permissive allowlists?
- File system access scoped correctly?
[ ] State Management
- Tauri state thread-safe?
- No race conditions between commands?
- State properly initialized?
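The IPC Security, Permissions, and Error Handling items above, worked as one guard for a file-reading command. This is an added example written for this page, not code from the review skill or from NEXUS; `resolve_within`, `read_note`, `FileError`, and the sandbox layout that `make_sandbox` builds are this example's own, and it is a plain function instead of a `#[tauri::command]` so it runs without the Tauri crate (the command wrapper would deserialize the argument and call `read_note` with the app's configured root).

```rust
use std::fmt;
use std::fs;
use std::io;
use std::path::{Component, Path, PathBuf};

/// Error returned to the frontend; keeps the cause instead of unwrap()-ing.
#[derive(Debug)]
pub enum FileError {
    OutsideRoot(PathBuf),
    Io(io::Error),
}

impl From<io::Error> for FileError {
    fn from(e: io::Error) -> Self {
        FileError::Io(e)
    }
}

impl fmt::Display for FileError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            FileError::OutsideRoot(p) => write!(f, "path escapes allowed root: {}", p.display()),
            FileError::Io(e) => write!(f, "io error: {e}"),
        }
    }
}

/// Resolves a frontend-supplied relative path inside `root` and refuses anything
/// that would leave it. Two layers: a lexical check that rejects absolute paths
/// and `..` before touching the filesystem, then a canonicalized prefix check
/// that also catches symlinks pointing outside the root.
pub fn resolve_within(root: &Path, requested: &str) -> Result<PathBuf, FileError> {
    let req = Path::new(requested);
    let lexically_ok = !req.is_absolute()
        && req
            .components()
            .all(|c| matches!(c, Component::Normal(_) | Component::CurDir));
    if !lexically_ok {
        return Err(FileError::OutsideRoot(req.to_path_buf()));
    }
    let root_real = fs::canonicalize(root)?;
    // canonicalize() requires the target to exist and follows symlinks, so the
    // result is the real location the read would hit, not the name we were given.
    let real = fs::canonicalize(root_real.join(req))?;
    if !real.starts_with(&root_real) {
        return Err(FileError::OutsideRoot(real));
    }
    Ok(real)
}

/// Body of a hypothetical `read_note` IPC command; takes the root explicitly so
/// it can be exercised without Tauri.
pub fn read_note(root: &Path, requested: &str) -> Result<String, FileError> {
    let path = resolve_within(root, requested)?;
    Ok(fs::read_to_string(path)?)
}

/// Constructed fixture (this example's own, not app data): a root holding one
/// note, a secret next to the root, and on Unix a symlink inside the root that
/// points at the secret. Returns the root directory.
pub fn make_sandbox() -> io::Result<PathBuf> {
    let base = std::env::temp_dir().join(format!("review-skill-sandbox-{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    let root = base.join("notes");
    fs::create_dir_all(&root)?;
    fs::write(root.join("todo.txt"), "inside root\n")?;
    fs::write(base.join("secret.txt"), "outside root\n")?;
    #[cfg(unix)]
    std::os::unix::fs::symlink("../secret.txt", root.join("escape"))?;
    Ok(root)
}

fn main() -> io::Result<()> {
    let root = make_sandbox()?;
    for req in ["todo.txt", "./todo.txt", "../secret.txt", "/etc/hostname", "escape", "missing.txt"] {
        match read_note(&root, req) {
            Ok(text) => println!("{req:<16} -> ok: {}", text.trim_end()),
            Err(e) => println!("{req:<16} -> rejected: {e}"),
        }
    }
    Ok(())
}
```

Two caveats a reviewer should keep in mind: `canonicalize` needs an existing target, so a write command must canonicalize the parent directory and check that prefix instead; and this in-code check complements the capability and filesystem scope configuration the Permissions items ask about, it does not replace it.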
```markdown
## Missing Test Coverage
- [ ] Test for [scenario]: When [input], expect [output]
- [ ] Test for [edge case]: When [condition], expect [behavior]
- [ ] Test for [error]: When [failure], expect [handling]
```
```
┌─────────────────────────────────────────────────────────────┐
│ REVIEW SUMMARY: [PR/Change Description]                     │
├─────────────────────────────────────────────────────────────┤
│ Verdict: APPROVE / REQUEST CHANGES / NEEDS DISCUSSION       │
├─────────────────────────────────────────────────────────────┤
│ Stats:                                                      │
│ • Blockers: [count]                                         │
│ • Major: [count]                                            │
│ • Minor: [count]                                            │
│ • Nits: [count]                                             │
│ • Praise: [count]                                           │
├─────────────────────────────────────────────────────────────┤
│ Top Issues:                                                 │
│ 1. [Most important issue]                                   │
│ 2. [Second most important]                                  │
│ 3. [Third most important]                                   │
├─────────────────────────────────────────────────────────────┤
│ What's Good:                                                │
│ • [Positive observation]                                    │
│ • [Another positive]                                        │
└─────────────────────────────────────────────────────────────┘
```
```markdown
## Review Summary

**Verdict**: [APPROVE / REQUEST CHANGES]

### Blockers (must fix)
- [ ] [Issue 1]
- [ ] [Issue 2]

### Should Fix
- [ ] [Issue 3]
- [ ] [Issue 4]

### Consider
- [ ] [Suggestion 1]
- [ ] [Suggestion 2]

### What's Good
- [Positive feedback]

---
*Reviewed with `/review` skill*
```
When reviewing your own code before submitting:
```
┌─────────────────────────────────────────────────────────────┐
│ SELF-REVIEW CHECKLIST                                       │
├─────────────────────────────────────────────────────────────┤
│ Before requesting review:                                   │
│ [ ] I've run the tests locally                              │
│ [ ] I've tested the change manually                         │
│ [ ] I've reviewed my own diff line by line                  │
│ [ ] I've removed debug code and console.logs                │
│ [ ] I've added/updated tests                                │
│ [ ] I've updated documentation if needed                    │
│ [ ] The PR description explains the what and why            │
│ [ ] I've linked the related issue                           │
│ [ ] I'm not embarrassed by any of this code                 │
└─────────────────────────────────────────────────────────────┘
```