aiskillstore/code-review
skills/cain96/code-review/SKILL.md
Automated code review analyzing security, performance, maintainability, and test coverage. Activated during code reviews or when conducting analysis.
$ install --global
skillsauthnpx skillsauth add aiskillstore/marketplace code-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 31, 2026, 2:17 PM81.9s2 files scanned
SKILL.md
- name:
- code-review
- description:
- Automated code review analyzing security, performance, maintainability, and test coverage. Activated during code reviews or when conducting analysis.
- allowed-tools:
- ['Read', 'Grep', 'Glob']
AI-Powered Code Review Engine
This skill provides comprehensive automated code review with focus on security, performance, maintainability, and test coverage.
🔍 Review Categories
1. Security Analysis
Check for:
- Authentication/authorization vulnerabilities
- SQL injection risks
- XSS (Cross-Site Scripting) vulnerabilities
- Hardcoded secrets or API keys
- Insecure dependencies
- CSRF protection
- Input validation gaps
- Sensitive data exposure
Common Vulnerabilities:
// ❌ SQL Injection risk
const query = `SELECT * FROM users WHERE id = ${userId}`;
// ✅ Use parameterized queries
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);
// ❌ XSS vulnerability
element.innerHTML = userInput;
// ✅ Sanitize input
element.textContent = userInput;
// or use a sanitization library
// ❌ Hardcoded secret
const API_KEY = "sk_live_abc123xyz789";
// ✅ Use environment variables
const API_KEY = process.env.API_KEY;
2. Performance Analysis
Check for:
- N+1 query problems
- Inefficient algorithms (O(n²) when O(n) possible)
- Unnecessary re-renders (React)
- Memory leaks
- Blocking operations
- Large bundle sizes
- Unoptimized images
- Missing caching opportunities
Common Issues:
// ❌ N+1 query problem
for (const user of users) {
const posts = await db.query('SELECT * FROM posts WHERE user_id = ?', [user.id]);
}
// ✅ Single query with JOIN
const usersWithPosts = await db.query(`
SELECT users.*, posts.*
FROM users
LEFT JOIN posts ON users.id = posts.user_id
`);
// ❌ Unnecessary re-renders
function Component({ data }) {
const processedData = expensiveOperation(data); // Runs every render
return <div>{processedData}</div>;
}
// ✅ Memoization
function Component({ data }) {
const processedData = useMemo(() => expensiveOperation(data), [data]);
return <div>{processedData}</div>;
}
3. Maintainability Analysis
Check for:
- Code complexity (cyclomatic complexity)
- Long functions (> 50 lines)
- Deeply nested code (> 3 levels)
- Duplicate code
- Unclear variable names
- Missing documentation
- Inconsistent coding style
- God objects/classes
Metrics:
// ❌ High complexity (complexity: 10+)
function processOrder(order) {
if (order.type === 'standard') {
if (order.amount > 100) {
if (order.customer.isPremium) {
if (order.items.length > 5) {
// Deep nesting continues...
}
}
}
}
}
// ✅ Refactored (complexity: 3)
function processOrder(order) {
if (!isProcessable(order)) {
return handleInvalidOrder(order);
}
const discount = calculateDiscount(order);
return applyDiscount(order, discount);
}
function isProcessable(order) {
return order.type === 'standard' && order.amount > 0;
}
4. Test Coverage Analysis
Check for:
- Overall coverage percentage
- Uncovered critical paths
- Missing edge case tests
- Flaky tests
- Slow tests
- Test quality (assertions vs test length)
Coverage Goals:
- Critical code (auth, payment): 95%+
- Business logic: 80%+
- Utilities: 70%+
- UI components: 60%+
📊 Review Output Format
🔍 Code Analysis Results
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📈 Performance
✅ 3 optimization opportunities found
- UsersList component: Recommend React.memo (line 45)
- API call results: Add caching (line 128)
- Array operations: Parallelize with Promise.all (line 201)
🔒 Security
✅ No critical issues detected
⚠️ 1 warning
- Input validation: Add sanitization for user-generated content (line 89)
🛠️ Maintainability
⚠️ 2 method extractions recommended
- validateUserInput: Complexity 15 → recommend <10 (line 156)
- processPaymentData: Length 120 lines → recommend <50 (line 234)
✅ Test Coverage
📊 85% (target: 90%)
- Add 3 error handling test cases
- Test invalid email format (auth.test.ts)
- Test network timeout (api.test.ts)
- Test concurrent updates (user.test.ts)
- Add 2 edge case tests
- Test empty array input (utils.test.ts)
- Test boundary values (validation.test.ts)
📚 Documentation
⚠️ 2 functions missing proper documentation
- calculateTotalPrice(): Add JSDoc (line 45)
- formatUserData(): Missing parameter descriptions (line 123)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Priority: 🔴 1 Critical, 🟡 5 High, 🟢 8 Medium
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🎯 Automated Checks
Execute during review:
- Lint errors - Check for code style violations
- Type safety - Verify TypeScript strict mode compliance
- Test execution - Ensure all tests pass
- Code coverage - Check coverage thresholds
- Security scan - Run security vulnerability checks
- Performance profiling - Identify slow operations
# Automated checks script
pnpm run lint
pnpm tsc --noEmit
pnpm test -- --coverage
pnpm audit
💡 Suggestion Priority
🔴 Critical (Fix Immediately)
- Security vulnerabilities
- Data loss risks
- Production crashes
- Breaking changes without migration
🟡 High (Fix Before Merge)
- Performance issues (>100ms operations)
- Memory leaks
- Incorrect business logic
- Missing error handling
🟢 Medium (Address Soon)
- Code complexity issues
- Missing documentation
- Test coverage gaps
- Minor performance optimizations
🔵 Low (Nice to Have)
- Style improvements
- Variable naming suggestions
- Additional abstractions
- Micro-optimizations
📋 Review Checklist
Code Quality
- [ ] Functions are small and focused (<50 lines)
- [ ] Variable names are clear and descriptive
- [ ] No magic numbers (use named constants)
- [ ] No commented-out code
- [ ] Consistent code style
- [ ] DRY principle followed
Security
- [ ] Input validation implemented
- [ ] Output encoding/escaping applied
- [ ] Authentication checked for protected routes
- [ ] Authorization verified for sensitive operations
- [ ] No hardcoded credentials
- [ ] Dependencies are up-to-date and secure
Performance
- [ ] No N+1 queries
- [ ] Efficient algorithms used
- [ ] Caching implemented where appropriate
- [ ] Database queries optimized
- [ ] Lazy loading considered
- [ ] No memory leaks
Testing
- [ ] Unit tests written for new code
- [ ] Edge cases covered
- [ ] Integration tests for critical paths
- [ ] Tests are fast (<100ms each)
- [ ] Tests are deterministic (no flaky tests)
- [ ] Mocks used appropriately
Documentation
- [ ] Public APIs documented
- [ ] Complex logic explained
- [ ] README updated if needed
- [ ] Examples provided
- [ ] Breaking changes noted
🚀 Review Workflow
1. Automated Analysis
# Run automated checks
pnpm run lint
pnpm tsc --noEmit
pnpm test -- --coverage
pnpm audit
# Generate coverage report
pnpm test -- --coverage --coverageReporters=html
# Check bundle size
pnpm run build
pnpm run analyze
2. Manual Review
Focus on:
- Business logic correctness
- Architecture decisions
- API design
- User experience
- Edge cases
3. Provide Feedback
Structure feedback:
## Review Comments
### 🔴 Critical Issues
1. **Security**: SQL injection vulnerability in user search (line 45)
- Use parameterized queries
- Add input validation
### 🟡 High Priority
1. **Performance**: N+1 query in getUserPosts (line 123)
- Recommend eager loading with JOIN
- Estimated improvement: 80% faster
### 🟢 Suggestions
1. **Maintainability**: Extract validation logic (line 200)
- Create separate validator function
- Improves testability
### ✅ Positive Feedback
- Clean error handling implementation
- Good test coverage for new features
- Clear commit messages
🔍 Code Smell Detection
Common Code Smells
Long Method (>50 lines):
// Smell: Method too long
function processOrder(order) {
// 100+ lines of code
}
// Fix: Extract smaller functions
function processOrder(order) {
validateOrder(order);
calculateTotal(order);
applyDiscounts(order);
finalizeOrder(order);
}
Large Class (>300 lines):
// Smell: God object
class UserManager {
// 500+ lines handling everything
}
// Fix: Split responsibilities
class UserAuthenticator { }
class UserProfileManager { }
class UserNotificationService { }
Duplicate Code:
// Smell: Copy-paste code
function calculatePriceA(items) {
let total = 0;
for (const item of items) {
total += item.price * item.quantity;
}
return total * 1.1; // tax
}
function calculatePriceB(products) {
let sum = 0;
for (const product of products) {
sum += product.price * product.quantity;
}
return sum * 1.1; // tax
}
// Fix: Extract common logic
function calculateSubtotal(items) {
return items.reduce((sum, item) => sum + item.price * item.quantity, 0);
}
function applyTax(amount) {
return amount * 1.1;
}
function calculatePrice(items) {
return applyTax(calculateSubtotal(items));
}
💎 Best Practices
- Be constructive - Suggest improvements, don't just criticize
- Explain why - Provide context for suggestions
- Prioritize issues - Use severity levels
- Acknowledge good code - Positive feedback is important
- Ask questions - Seek clarification before assumptions
- Provide examples - Show better alternatives
- Be timely - Review promptly
- Be respectful - Remember there's a person behind the code
🎓 Resources
- OWASP Top 10
- Clean Code Principles
- React Performance Optimization
- TypeScript Best Practices
Related Skills
aiskillstore/hig-components-content
development
VerifiedTrustedCommunity
Apple Human Interface Guidelines for content display components. Use this skill when the user asks about charts component, collection view, image view, web view, color well, image well, activity view, lockup, data visualization, content display, displaying images, rendering web content, color pickers, or presenting collections of items in Apple apps. Also use when the user says how should I display charts, what's the best way to show images, should I use a web view, how do I build a grid of items, what component shows media, or how do I present a share sheet. Cross-references: hig-foundations for color/typography/accessibility, hig-patterns for data visualization patterns, hig-components-layout for structural containers, hig-platforms for platform-specific component behavior.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/helpdesk-automation
tools
VerifiedTrustedCommunity
Automate HelpDesk tasks via Rube MCP (Composio): list tickets, manage views, use canned responses, and configure custom fields. Always search tools first for current schemas.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/haskell-pro
testing
VerifiedTrustedCommunity
Expert Haskell engineer specializing in advanced type systems, pure functional design, and high-reliability software. Use PROACTIVELY for type-level programming, concurrency, and architecture guidance.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/graphql
tools
VerifiedTrustedCommunity
GraphQL gives clients exactly the data they need - no more, no less. One endpoint, typed schema, introspection. But the flexibility that makes it powerful also makes it dangerous. Without proper controls, clients can craft queries that bring down your server. This skill covers schema design, resolvers, DataLoader for N+1 prevention, federation for microservices, and client integration with Apollo/urql. Key insight: GraphQL is a contract. The schema is the API documentation. Design it carefully.
244SKILL.mdUpdated Apr 10, 2026