avav25/code-review
.agents/skills/code-review/SKILL.md
Structured code review with security, performance, and architecture checklists. Use when reviewing pull requests, code changes, or conducting architecture reviews. Provides actionable checklists for consistent review quality.
development
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add avav25/ai-assets code-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 8:49 PM1.8s1 file scanned
SKILL.md
- name:
- code-review
- description:
- Structured code review with security, performance, and architecture checklists. Use when reviewing pull requests, code changes, or conducting architecture reviews. Provides actionable checklists for consistent review quality.
- user-invocable:
- true
Code Review
Systematic code review skill with layered checklists. Produces consistent, actionable feedback across all review types.
When to Use
- Reviewing pull requests or merge requests
- Conducting architecture reviews
- Auditing code for security, performance, or quality
- Pre-merge quality gates
When NOT to Use
- Writing new code (use
/feature-devor/bugfixinstead) - Validating AI asset files (use
asset-validationskill) - Running automated checks before commit (use
/pre-commit)
Review Process
0. Gather Context
Read AGENTS.md at the project root to identify:
- Tech stack (determines which language-specific patterns to check)
- Code conventions (naming, structure, formatting rules)
- Architecture patterns in use (helps evaluate structural decisions)
1. Understand the Change
Before reviewing code, answer:
- What is being changed? (feature, bugfix, refactor, dependency update)
- Why is it being changed? (linked issue, PRD, bug report)
- Scope: How many files, which modules, what's the blast radius?
2. Apply Checklists
Use the appropriate checklist(s) based on change type:
| Change Type | Checklists to Apply |
|---|---|
| New feature | review-checklist.md + security-checklist.md |
| Bug fix | review-checklist.md (focus: root cause, regression test) |
| Refactor | review-checklist.md (focus: behavior preservation, tests) |
| API change | review-checklist.md + security-checklist.md |
| Infrastructure | security-checklist.md |
| Dependencies | security-checklist.md (focus: supply chain) |
3. Provide Feedback
Structure review comments as:
## Review Summary
**Verdict**: APPROVE | REQUEST_CHANGES | COMMENT
### Critical (must fix before merge)
- [ ] [file:line] Description — why it matters
### Suggestions (should fix, not blocking)
- [ ] [file:line] Description — improvement rationale
### Nits (optional, style/preferences)
- [ ] [file:line] Description
Rules:
- Every critical finding must explain why it's a problem and how to fix it
- Link to relevant documentation or standards when applicable
- Acknowledge good patterns — reinforce what works well
- Never approve code with known critical issues
- Flag missing tests for new logic paths
Integration
- Follows rules:
Agent(software-engineer)(architecture, code quality) - Used by workflows:
/code-review,/create-pr - Companion checklists:
review-checklist.md,security-checklist.md
Related Skills
avav25/knowledge-sync
development
VerifiedTrustedCommunity
Use this skill when running the recurring (daily) knowledge-base rescan for a repo that already has knowledge/.knowledge-sync.yml — the main-thread dispatcher that reads the config, computes the git delta since last_scanned_sha, maps changed paths to affected doc areas, early-exits cheaply when nothing changed, then fans out one Agent(content-writer) per affected area, applies the propose/direct update policy, advances the baseline only on success, and writes an L4 run log — all with the G1 untrusted-content choke-point, secret-scan, deny-list, and budget controls woven in. For first-time setup use /knowledge-sync-init.
1SKILL.mdUpdated May 24, 2026
avav25/knowledge-sync-init
development
VerifiedTrustedCommunity
Use this skill when bootstrapping scheduled knowledge-base sync for a repo that has no knowledge/.knowledge-sync.yml yet — to run one-time setup that detects the knowledge_root from CLAUDE.md/AGENTS.md, maps doc areas to source globs, records opt-in external sources (Linear/Notion/WebFetch, all disabled by default), captures a baseline last_scanned_sha, sets the per-area update policy, generates or seeds knowledge/CONVENTIONS.md, provisions the L4 memory dir, and offers to register the daily routine. Routes ongoing recurring sync operations to /knowledge-sync.
1SKILL.mdUpdated May 24, 2026
avav25/ai-skills-init
tools
VerifiedTrustedCommunity
Use this skill when bootstrapping a target repository to be ai-skills-aware — on the first run of any ai-skills workflow in a fresh repo, when adopting the ai-skills plugin in an existing repo, or after upgrading to a plugin version that adds new memory paths or templates, including when the user does not say "init" but asks to "set up" or "onboard" the repo — to detect codebase type, create CLAUDE.md + AGENTS.md scaffolding, initialize the .ai-skills-memory/ directory tree from L1 templates, and configure .gitignore. Idempotent — safe to re-run. Accepts `--codebase-type <type>` and `--overwrite`. Not for re-initializing only memory — use `/memory-init` instead.
1SKILL.mdUpdated May 18, 2026
avav25/plugin-author
tools
VerifiedTrustedCommunity
Use this skill when extending, repairing, or improving plugin assets, when ingesting a `/feedback` report as a fix-cycle backlog, or when you do not remember which lower-level command is right for the job — the umbrella workflow for ai-skills plugin-asset authoring and maintenance: creating, auditing, fixing, improving, refactoring, and migrating skills, agents, rules, hooks, prompts, schemas, and rubrics inside the plugin. Auto-classifies the request, loads the right knowledge skills (`@prompt-engineering`, `@context-engineering`, `@team-protocols`), and spawns the right subagents (`prompt-engineer`, `system-architect`, `python-engineer`, `software-engineer`, `qa-engineer`, `eval-judge`) via the `Agent` tool.
1SKILL.mdUpdated May 14, 2026