akaszubski/code-review
plugins/autonomous-dev/skills/code-review/SKILL.md
10-point code review checklist covering correctness, tests, error handling, type hints, naming, security, and performance. Use when reviewing PRs or evaluating code quality. TRIGGER when: code review, PR review, review checklist, code quality check. DO NOT TRIGGER when: writing new code, debugging, refactoring without review context.
$ install --global
skillsauthnpx skillsauth add akaszubski/autonomous-dev code-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 3, 2026, 8:43 AM5.0s1 file scanned
SKILL.md
- name:
- code-review
- description:
- 10-point code review checklist covering correctness, tests, error handling, type hints, naming, security, and performance. Use when reviewing PRs or evaluating code quality. TRIGGER when: code review, PR review, review checklist, code quality check. DO NOT TRIGGER when: writing new code, debugging, refactoring without review context.
- allowed-tools:
- [Read, Grep, Glob, Bash]
Code Review Enforcement Skill
Ensures every code review is thorough, consistent, and produces actionable feedback. Used by the reviewer agent.
10-Point Review Checklist
Every review MUST evaluate all 10 items. No shortcuts.
1. Correctness
- Does the code do what the ticket/plan requires?
- Are edge cases handled (empty input, None, boundary values)?
- Are return types consistent with declarations?
2. Test Coverage
- Do tests exist for new/changed code?
- Do ALL tests pass (100%, not "most")?
- Are edge cases and error paths tested?
3. Error Handling
- Are exceptions specific (not bare
except:)? - Do error messages include context (what failed, what was expected)?
- Is there graceful degradation where appropriate?
4. Type Hints on Public APIs
- All public functions have parameter and return type annotations?
- Complex types use
Optional,Union,List,Dictcorrectly?
5. Naming Conventions
- Variables/functions:
snake_case - Classes:
PascalCase - Constants:
UPPER_SNAKE_CASE - Names are descriptive (no single-letter except loop vars)
6. Security
- No hardcoded secrets, API keys, or passwords
- No bare
except:that swallows errors silently - SQL queries use parameterized statements
- User input is validated before use
7. Style Compliance
- Code is formatted with black (100 char line length)
- Imports sorted with isort
- No unused imports or variables
8. Documentation
- Public APIs have Google-style docstrings
- Complex logic has inline comments
- Examples provided for non-obvious usage
9. No Stubs or Placeholders
- No
NotImplementedErrorin shipped code - No
passas the sole body of a function - No
TODOwithout a linked issue number
10. No Unnecessary Complexity
- No premature abstraction
- No dead code paths
- Functions do one thing
- Nesting depth <= 3 levels
Severity Levels
BLOCKING (must fix before approval)
- Failing tests
- Security vulnerabilities (hardcoded secrets, SQL injection)
- Missing error handling on external calls
- Stubbed/placeholder code
- Incorrect logic or data loss risk
ADVISORY (prefix with "Nit:")
- Style preferences beyond black/isort
- Alternative naming suggestions
- Minor documentation improvements
- Performance micro-optimizations
HARD GATE: Required Output
Every review MUST conclude with exactly one of:
- APPROVED — all 10 checklist items pass, no BLOCKING issues
- REQUEST_CHANGES — at least one BLOCKING issue found
FORBIDDEN:
- Saying "looks good" without running the full checklist
- Approving code with failing tests
- Approving stubbed or placeholder code
- Approving without checking security items (checklist #6)
- Mixing BLOCKING and ADVISORY without clear labels
- Rubber-stamping: approving in under 30 seconds of analysis
REQUIRED:
- Per-file summary with specific line references for each finding
- Explicit pass/fail on each of the 10 checklist items
- Test results included from STEP 8 artifact provided in context — do NOT re-run pytest
- Security checklist explicitly addressed
- BLOCKING vs ADVISORY clearly labeled on every finding
Required Output Format
## Review: [file or PR title]
### Checklist
1. Correctness: PASS/FAIL — [details]
2. Test Coverage: PASS/FAIL — [details]
3. Error Handling: PASS/FAIL — [details]
4. Type Hints: PASS/FAIL — [details]
5. Naming: PASS/FAIL — [details]
6. Security: PASS/FAIL — [details]
7. Style: PASS/FAIL — [details]
8. Documentation: PASS/FAIL — [details]
9. No Stubs: PASS/FAIL — [details]
10. Complexity: PASS/FAIL — [details]
### Findings
- [BLOCKING] file.py:42 — description
- [Nit:] file.py:88 — suggestion
### Test Results
[from STEP 8 artifact provided in context — do NOT re-run pytest]
### Verdict: APPROVED / REQUEST_CHANGES
Anti-Patterns
BAD: Rubber-stamp approval
"Looks good to me, ship it!"
Missing: checklist, line references, test results, security review.
GOOD: Structured review
## Review: lib/auth.py
### Checklist
1. Correctness: PASS — token validation logic matches RFC 7519
2. Test Coverage: PASS — 12 tests, all pass, covers expiry edge case
...
6. Security: FAIL — API key on line 34 is hardcoded
### Findings
- [BLOCKING] auth.py:34 — Hardcoded API key, move to env var
### Verdict: REQUEST_CHANGES
BAD: Nitpicking style, missing logic bugs
Spending 10 comments on variable naming while an off-by-one error goes unnoticed.
BAD: "Will fix later" acceptance
Approving with known BLOCKING issues and a verbal promise to fix. If it is BLOCKING, it blocks.
Cross-References
- python-standards: Style and type hint requirements
- testing-guide: Test coverage expectations
- security-patterns: Security checklist details
Related Skills
akaszubski/content-allocation
development
VerifiedTrustedCommunity
One topic, one home. Routes content to its canonical store (CLAUDE.md, PROJECT.md, MEMORY.md, docs/, memory/) and audits for duplication. TRIGGER when: auditing CLAUDE.md/PROJECT.md/MEMORY.md sizes, deduplicating docs, applying the content-allocation pattern to a new repo, running /align --content. DO NOT TRIGGER when: implementing features, writing tests, routine code edits, debugging.
28SKILL.mdUpdated May 28, 2026
akaszubski/testing-guide
development
VerifiedTrustedCommunity
GenAI-first testing with structural assertions, congruence validation, and tier-based test structure. Use when writing tests, setting up test infrastructure, or validating coverage. TRIGGER when: test, pytest, coverage, TDD, test patterns, congruence, validation. DO NOT TRIGGER when: production code implementation, documentation, config-only changes.
28SKILL.mdUpdated Apr 3, 2026
akaszubski/prompt-engineering
testing
VerifiedTrustedCommunity
Prompt engineering patterns for writing agent prompts and skill files — constraint budgets, register shifting, HARD GATE patterns, anti-personas. Use when writing or reviewing agents/*.md or skills/*/SKILL.md. TRIGGER when: agent prompt, skill file, prompt engineering, model-tier compensation, HARD GATE, prompt quality. DO NOT TRIGGER when: user-facing docs, README, CHANGELOG, config files.
21SKILL.mdUpdated Apr 15, 2026
akaszubski/planning-workflow
testing
VerifiedTrustedCommunity
7-step planning workflow for pre-implementation design. Enforced by plan_gate hook, critiqued by plan-critic agent. Use when creating plans, design documents, or architecture decisions before implementation. TRIGGER when: plan, planning, /plan, design document, architecture decision. DO NOT TRIGGER when: implementation, coding, testing.
21SKILL.mdUpdated Apr 15, 2026