a-pavithraa/code-reviewer
plugins/springboot-architecture/skills/code-reviewer/SKILL.md
Reviews Java 25 and Spring Boot 4 codebases, pull requests, files, and modules for migration risks, architecture boundary violations, JSpecify null-safety issues, security flaws, performance regressions, and Spring Data pitfalls. Use when the task is a concrete Java or Spring code review with code context. Do not use for Kotlin-only code, non-Spring frameworks, or generic review advice without files or diffs.
$ install --global
skillsauthnpx skillsauth add a-pavithraa/springboot-skills-marketplace code-reviewerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 25, 2026, 1:02 PM136.7s9 files scanned
SKILL.md
- name:
- code-reviewer
- description:
- Reviews Java 25 and Spring Boot 4 codebases, pull requests, files, and modules for migration risks, architecture boundary violations, JSpecify null-safety issues, security flaws, performance regressions, and Spring Data pitfalls. Use when the task is a concrete Java or Spring code review with code context. Do not use for Kotlin-only code, non-Spring frameworks, or generic review advice without files or diffs.
Java 25 and Spring Boot 4 Reviewer
Purpose
Use this skill to run a structured review of Java 25 and Spring Boot 4 code. Keep findings grounded in the actual codebase and use the reference files only for the focus areas that apply.
Critical rules
- Never review without code context. Ask for files, diffs, or the relevant module if none is provided.
- Always cite file paths and line numbers for findings.
- Treat Java 25 and Spring Boot 4 as the target baseline unless the build files show otherwise.
- Analyze workload before recommending virtual threads, reactive rewrites, or architecture changes.
- Use JSpecify as the preferred null-safety baseline for new Boot 4 code, but confirm whether the codebase is still in transition before flagging every legacy annotation.
- Prefer official Spring and Java guidance when a claim depends on framework behavior.
Workflow
Step 1: Confirm scope
Collect the minimum context required to review accurately:
- Scope: single file, module, PR, or full codebase.
- Target versions: confirm Java and Spring Boot versions from the build files when relevant.
- Focus areas: migration, architecture, data access, security, performance, null-safety, or all.
- Testing context: whether the user expects review findings only or also fix suggestions and test impact.
Step 2: Load only the references that match the review
Load references just in time:
| Focus | Read |
|------|------|
| Spring Boot 4 migration patterns and framework deltas | references/spring-boot-4-patterns.md |
| Java 25 language and concurrency adoption | references/java-25-features.md |
| Security review | references/security-checklist.md |
| Performance review | references/performance-patterns.md |
| Architecture boundaries and packaging | references/architecture-patterns.md |
| Domain model shape | references/domain-modeling.md |
| Value-object-heavy designs | references/value-objects-patterns.md |
| Null-safety checks | references/jspecify-null-safety.md |
Escalate to another skill when needed:
- Use
spring-data-jpafor deep repository, query, and relationship work. - Use
springboot-migrationfor phased upgrade planning or upgrade execution.
Step 3: Run the review passes
Run only the passes that match the request. For a full review, use this order.
Pass A: Build and configuration
- Verify Java and Spring Boot versions in
pom.xmlorbuild.gradle. - Check starter names and migration leftovers.
- Scan for Jackson 3 migration issues, outdated test annotations, and version drift.
Pass B: API correctness
- Check controller and service boundaries.
- Check validation and error handling.
- Check nullability in public APIs and method overrides.
Pass C: Architecture and packaging
- Identify the architecture style in use.
- Verify package structure is consistent with that style.
- Flag boundary leaks such as controller-to-repository shortcuts or infrastructure types in domain code.
Pass D: Data access
- Check repository placement and aggregate boundaries.
- Check for N+1 queries, missing pagination, projection mismatches, and transaction misuse.
Pass E: Security
- Check authentication and authorization.
- Check input validation and unsafe query patterns.
- Check secrets handling and sensitive logging.
Pass F: Performance and resilience
- Check caching strategy, unbounded reads, async usage, and remote call behavior.
- Evaluate virtual-thread usage only when the code and workload justify it.
- Check timeouts, retries, and connection-pool assumptions.
Quick triggers for findings
Use these as review prompts, not as a substitute for code evidence.
Spring Boot 4 and migration
- old starter names
- old Mockito test annotations
- Jackson 2 assumptions in a Boot 4 codebase
TestRestTemplateusage instead ofRestTestClient- manual
HttpServiceProxyFactoryboilerplate instead of@ImportHttpServices - custom API versioning instead of native
spring.mvc.apiversion.* @ConcurrencyLimitor native@Retryablewithout@EnableResilientMethods
Null-safety
- missing
package-info.javawhere the project uses JSpecify - lingering
org.springframework.langannotations in code that has already moved to JSpecify - missing copied nullability annotations on overrides
Architecture
- controllers calling repositories directly
- JPA entities exposed in APIs
- modulith boundary leaks
- business logic concentrated in controllers
Performance
- entity traversal in loops
- missing pagination
- projection opportunities ignored on read-heavy paths
- virtual-thread recommendations with no workload evidence
Security
- missing authorization on privileged actions
- SQL or NoSQL injection risk
- secrets in source or logs
- unsafe error exposure
Report format
Order findings by severity and use this template:
## Critical
- **[Category]**: Issue summary
- **File**: `path/to/File.java:123`
- **Impact**: What can fail, leak, or regress
- **Fix**: Specific change to make
## High
- ...
## Medium
- ...
## Low
- ...
If there are no findings, say so explicitly and call out any remaining blind spots such as unreviewed modules, missing tests, or unavailable runtime context.
Common review modes
Quick PR review
- Read the changed files.
- Load
references/spring-boot-4-patterns.mdandreferences/java-25-features.md. - Add
references/security-checklist.mdorreferences/performance-patterns.mdif the diff touches those areas. - Report only concrete findings with file and line references.
Security review
- Read
references/security-checklist.md. - Focus on controllers, service entry points, security configuration, and persistence boundaries.
- Report exploitability and affected entry points, not just the violated rule.
Architecture review
- Read
references/architecture-patterns.md. - Add
references/domain-modeling.mdorreferences/value-objects-patterns.mdif the code suggests a rich-domain approach. - Report boundary mismatches and coupling problems tied to the current architecture style.
Migration review
- Read
references/spring-boot-4-patterns.mdandreferences/java-25-features.md. - Focus on migration leftovers, outdated APIs, and partial adoption problems.
- Use
springboot-migrationif the user wants a phased upgrade plan rather than a review.
When not to use this skill
- Kotlin-first codebases
- Non-Spring Java frameworks such as Micronaut or Quarkus
- Generic review coaching without code context
- Frontend-only changes
Related Skills
a-pavithraa/springboot-migration
development
VerifiedTrustedCommunity
Migrates Spring Boot applications to Boot 4 with Java 25, including related Spring Modulith 2 and Testcontainers 2 upgrade work. Use when the task is a concrete upgrade, dependency transition, starter rename, test-annotation migration, or phased migration plan. Do not use for greenfield project creation or for isolated repository design questions.
30SKILL.mdUpdated Apr 25, 2026
a-pavithraa/spring-data-jpa
development
VerifiedTrustedCommunity
Designs and implements Spring Data JPA repositories, projections, query patterns, custom repositories, CQRS read models, entity relationships, and persistence performance fixes for Java 25 and Spring Boot 4 projects. Use when the task needs repository-boundary decisions or concrete JPA implementation patterns from this skill. Do not use for generic SQL help or project-wide migration work that belongs in another skill.
30SKILL.mdUpdated Apr 25, 2026
a-pavithraa/creating-springboot-projects
development
VerifiedTrustedCommunity
Creates Java 25 and Spring Boot 4 project structures, scaffolds, and implementation starting points for new services, REST APIs, and modular backends. Use when the task is to initialize a Spring Boot project, choose an architecture, select Spring Boot 4 features, or apply the bundled templates and references in this skill. Do not use for migrating existing projects or for isolated JPA/repository work without broader project-creation context.
30SKILL.mdUpdated Apr 25, 2026
openclaw/openclaw-secret-scanning-maintainer
development
VerifiedTrustedCommunity
Maintainer-only workflow for handling GitHub Secret Scanning alerts on OpenClaw. Use when Codex needs to triage, redact, clean up, and resolve secret leakage found in issue comments, issue bodies, PR comments, or other GitHub content.
357,764SKILL.mdUpdated Apr 15, 2026