edercnj/x-review-graphql
src/main/resources/targets/claude/skills/conditional/review/x-review-graphql/SKILL.md
Validates GraphQL schema design, resolver implementation, security patterns, and observability for compliance with best practices.
testing
Updated May 5, 2026
$ install --global
skillsauthnpx skillsauth add edercnj/claude-environment x-review-graphqlInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 5, 2026, 3:20 AM127.5s2 files scanned
SKILL.md
- name:
- x-review-graphql
- description:
- Validates GraphQL schema design, resolver implementation, security patterns, and observability for compliance with best practices.
- user-invocable:
- true
- allowed-tools:
- Read, Grep, Glob, Bash
- argument-hint:
- [schema-file or resolver-name]
- requires-capabilities:
- []
Global Output Policy
- Language: English ONLY.
- Tone: Technical, Direct, and Concise.
- Efficiency: Remove all conversational fillers and greetings to save tokens.
Skill: GraphQL Schema & Resolver Review
Purpose
Review GraphQL schema design, resolver implementation, security patterns, and observability for compliance with best practices including Relay Connection spec, query complexity limiting, and N+1 prevention.
Activation Condition
Include this skill when the project uses GraphQL protocol (interfaces contains type: graphql).
Triggers
/x-review-graphql schema.graphqls-- review a specific schema file/x-review-graphql TransactionResolver-- review a specific resolver/x-review-graphql-- review all GraphQL schemas and resolvers
Parameters
| Parameter | Type | Required | Default | Description |
|-----------|------|----------|---------|-------------|
| target | String | No | (all) | Schema file path or resolver class name |
Prerequisites
- GraphQL schema files (
*.graphqls,*.gql) or code-first schema definitions exist - GraphQL framework dependency is configured
- Resolver classes/functions are implemented
Workflow
Step 1 — Discover Schema Files
Scan for *.graphqls, *.gql, or code-first schema definitions:
- List all types, queries, mutations, and subscriptions
- Identify input types and custom scalars
Step 2 — Discover Resolvers
Scan for resolver classes/functions:
- Map resolvers to schema types
- Identify DataLoader usage
Step 3 — Validate Schema Design
Check each type/operation:
- Naming conventions (PascalCase types, camelCase fields, UPPER_SNAKE_CASE enums)
- Pagination patterns (Relay Connection spec)
- Mutation input/payload design
- Subscription lifecycle
Step 4 — Validate Resolver Patterns
Check implementation:
- DataLoader for N+1 prevention
- Complexity and depth limiting
- Field-level authorization
- Error handling
Step 5 — Validate Security
Check security patterns:
- Authentication on entry points
- Introspection disabled in production
- No sensitive data in errors
Step 6 — Generate Report
Summarize findings as checklist:
- List compliant items
- List violations with file paths and line numbers
- Suggest fixes for each violation
Schema Design Checklist (14 points)
Naming & Types (1-5)
- Types use PascalCase (
Transaction,PaymentMethod) - Fields use camelCase (
transactionId,createdAt) - Enums use UPPER_SNAKE_CASE (
PAYMENT_APPROVED,PAYMENT_DENIED) - Input types suffixed with
Input(CreateTransactionInput) - Mutation payloads suffixed with
Payload(CreateTransactionPayload)
Query Design (6-9)
- Cursor-based pagination for lists (Relay Connection spec:
edges,node,pageInfo,cursor) - No nested queries deeper than 4 levels without justification
- Nullable vs non-null strategy consistent (non-null by default, nullable where absence is valid)
- Custom scalars for domain types (
DateTime,Money,Email)
Mutation Design (10-12)
- Mutations accept single
inputargument (not multiple args) - Mutation payloads include both
resultanderrorsfields (union type for errors) - Idempotency key pattern for critical mutations (
clientMutationId)
Subscription Design (13-14)
- Subscriptions have clear lifecycle (start, data, complete, error)
- Subscription filters prevent over-broadcasting (topic-based filtering)
Resolver Checklist (10 points)
Performance (15-19)
- DataLoader used for batch loading (N+1 prevention)
- Complexity analysis configured (max query complexity limit)
- Depth limiting configured (max depth 10-15)
- Field-level resolvers are lazy (not pre-loading unused fields)
- Database queries scoped to requested fields only (projection)
Security (20-22)
- Authentication on schema entry points (Query, Mutation, Subscription)
- Field-level authorization for sensitive data
- Introspection disabled in production
Error Handling (23-24)
- Errors follow GraphQL spec (
errorsarray withmessage,locations,path,extensions) - Domain errors use union types or
extensions.code(not just string messages)
Observability Checklist (4 points)
- Trace spans per resolver execution
- Metrics: query complexity, execution time, error rate per operation
- Structured logging: operation name, variables (masked), duration
- No sensitive data in error messages, traces, or logs
Output Format
## GraphQL Review — [Schema/Change Description]
### Schema Quality: HIGH / MEDIUM / LOW
### Resolver Quality: HIGH / MEDIUM / LOW
### Schema Findings
1. [Finding with file, line, issue, fix]
### Resolver Findings
1. [Finding with file, line, issue, fix]
### Security Findings
1. [Finding with severity, issue, fix]
### Checklist Results
[Items that passed / failed / not applicable]
### Verdict: APPROVE / REQUEST CHANGES
Error Handling
| Scenario | Action | |----------|--------| | No GraphQL schema files found | Report INFO: no GraphQL schemas discovered | | N+1 detected without DataLoader | REQUEST CHANGES with DataLoader example | | Introspection enabled in production | REQUEST CHANGES with configuration fix |
Rules
- REQUEST CHANGES if N+1 detected without DataLoader
- REQUEST CHANGES if no query depth/complexity limiting
- REQUEST CHANGES if introspection enabled in production config
- REQUEST CHANGES if sensitive data exposed without field-level auth
- Verify pagination follows Relay Connection spec
Related Skills
edercnj/x-generate-docs
tools
VerifiedTrustedCommunity
Documentation automation v2: stack-aware generation from documentation.targets.
SKILL.mdUpdated May 17, 2026
edercnj/x-generate-ci
development
VerifiedTrustedCommunity
Generates or updates CI/CD pipelines per project stack with actionlint validation.
SKILL.mdUpdated May 17, 2026
edercnj/x-generate-adr
tools
VerifiedTrustedCommunity
Generates ADRs from architecture-plan mini-ADRs with sequential numbering and index update.
SKILL.mdUpdated May 17, 2026
edercnj/x-format-code
development
VerifiedTrustedCommunity
Formats source code; first step of the pre-commit chain (format -> lint -> compile).
SKILL.mdUpdated May 17, 2026