Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

jyjeanne/code-review

Name: code-review
Author: jyjeanne

skills/code-review/SKILL.md

npx skillsauth add jyjeanne/ai-setup-forge code-review

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Java Code Review Skill

Perform structured code reviews across five dimensions: Security, Correctness, Performance, Design, and Style. Always review in this priority order.

Review Dimensions (Priority Order)

🔴 CRITICAL — Security

Flag these immediately, block merge:

SQL Injection

// ❌ CRITICAL
String query = "SELECT * FROM users WHERE name = '" + name + "'";

// ✅ Safe
@Query("SELECT u FROM User u WHERE u.name = :name")
Optional<User> findByName(@Param("name") String name);

Sensitive Data Exposure

Passwords, tokens, secrets in logs: log.info("Password: {}", password) ❌
Sensitive fields in toString() auto-generated by Lombok ❌ (use @ToString.Exclude)
API keys or credentials hardcoded in source ❌

Missing Authorization Checks

// ❌ Any user can delete any resource
@DeleteMapping("/{id}")
public void delete(@PathVariable Long id) { ... }

// ✅ Check ownership or role
@PreAuthorize("hasRole('ADMIN') or @securityService.isOwner(#id)")
@DeleteMapping("/{id}")
public void delete(@PathVariable Long id) { ... }

Deserialization / Input Trust Issues

Deserializing user-controlled JSON into entities with sensitive fields
Missing @Valid on @RequestBody
Accepting file uploads without type/size validation

🔴 CRITICAL — Correctness

NullPointerException Risks

// ❌ Potential NPE
user.getAddress().getCity().toUpperCase();

// ✅ Safe
Optional.ofNullable(user.getAddress())
    .map(Address::getCity)
    .map(String::toUpperCase)
    .orElse("Unknown");

Transaction Boundaries

// ❌ No @Transactional on method that does multiple DB writes
public void transferFunds(Long fromId, Long toId, BigDecimal amount) {
    accountRepo.debit(fromId, amount);
    accountRepo.credit(toId, amount); // if this fails, money is lost
}

// ✅
@Transactional
public void transferFunds(...) { ... }

Entity Mutability in Collections

Returning mutable internal collections from entities — caller can modify state
Lazy loading outside transaction scope → LazyInitializationException

Equals/HashCode on JPA Entities

Never use Lombok @EqualsAndHashCode on @Entity with all fields
Use only id field for entity equality

🟡 IMPORTANT — Performance

N+1 Query Problem

// ❌ N+1: one query per user's orders
users.forEach(u -> System.out.println(u.getOrders().size()));

// ✅ Fetch join
@Query("SELECT u FROM User u LEFT JOIN FETCH u.orders WHERE u.id IN :ids")
List<User> findAllWithOrders(@Param("ids") List<Long> ids);

Missing Pagination

Any endpoint returning a potentially unbounded list without Pageable ❌

Unnecessary DB Calls

// ❌ Loads full entity just to check existence
if (userRepository.findById(id).isPresent()) { ... }

// ✅
if (userRepository.existsById(id)) { ... }

Stream vs Collection Choice

Using .collect(Collectors.toList()) then immediately streaming again
Using parallel streams without understanding thread-safety implications

🟡 IMPORTANT — Design

Single Responsibility Violation

Service class doing HTTP calls, DB access, business logic, AND email sending
Controller containing business logic

Hardcoded Values

// ❌
if (user.getAge() > 18) { ... }
Thread.sleep(5000);

// ✅
if (user.getAge() > legalAgeRequirement) { ... }
@Value("${app.retry.delay-ms}") private int retryDelayMs;

Magic String / Status Checks

// ❌
if ("ACTIVE".equals(user.getStatus())) { ... }

// ✅
if (UserStatus.ACTIVE == user.getStatus()) { ... }

Tight Coupling

new ConcreteService() instead of injected interface
Static utility class calls that can't be mocked in tests

🟢 STYLE — Code Quality

Naming

Method names should be verbs: calculateTotal(), not total()
Boolean methods: isActive(), hasPermission(), canDelete()
Avoid abbreviations: usr, svc, mgr

Method Length

Flag methods > 20 lines for Extract Method refactoring

Commented-Out Code

Remove all commented-out code before merging (use git history)

Logging Practices

// ❌ String concatenation in log
log.debug("Processing user " + userId + " with status " + status);

// ✅ Parameterized
log.debug("Processing user {} with status {}", userId, status);

Review Output Format

Structure your review as:

## Code Review Summary

### 🔴 Critical Issues (must fix)
- [Issue]: [Explanation] → [Fix]

### 🟡 Important Issues (should fix)
- [Issue]: [Explanation] → [Fix]

### 🟢 Suggestions (nice to have)
- [Suggestion]: [Explanation]

### ✅ What's Done Well
- [Positive observations]

### Overall Assessment
[Production-ready | Needs minor changes | Needs significant work]

Quick Checklist

[ ] No SQL injection or hardcoded credentials
[ ] Sensitive fields excluded from logs and toString
[ ] @Valid on all @RequestBody parameters
[ ] @Transactional on multi-step write operations
[ ] No N+1 query patterns
[ ] Pagination on collection endpoints
[ ] Custom exceptions with meaningful messages
[ ] No raw RuntimeException or Exception catches
[ ] No commented-out code
[ ] No System.out.println in production code

jyjeanne/code-review

skills/code-review/SKILL.md

Perform thorough code reviews of Java/Spring Boot code covering security, performance, correctness, design, and style. Use this skill whenever the user asks for a code review, wants feedback on their code, shares code for evaluation, or says things like "review this code", "what's wrong with this", "can you check this class", "PR review", "give me feedback on this implementation", "is this code production-ready". Always use this skill as the framework for reviewing any Java or Spring Boot code — it ensures no critical category is missed.

1 stars

development

Updated Apr 6, 2026

$ install --global

skillsauth

npx skillsauth add jyjeanne/ai-setup-forge code-review

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 6, 2026, 11:28 AM46.8s1 file scanned

SKILL.md

name:: code-review
description:: Perform thorough code reviews of Java/Spring Boot code covering security, performance, correctness, design, and style. Use this skill whenever the user asks for a code review, wants feedback on their code, shares code for evaluation, or says things like "review this code", "what's wrong with this", "can you check this class", "PR review", "give me feedback on this implementation", "is this code production-ready". Always use this skill as the framework for reviewing any Java or Spring Boot code — it ensures no critical category is missed.

Java Code Review Skill

Perform structured code reviews across five dimensions: Security, Correctness, Performance, Design, and Style. Always review in this priority order.

Review Dimensions (Priority Order)

🔴 CRITICAL — Security

Flag these immediately, block merge:

SQL Injection

// ❌ CRITICAL
String query = "SELECT * FROM users WHERE name = '" + name + "'";

// ✅ Safe
@Query("SELECT u FROM User u WHERE u.name = :name")
Optional<User> findByName(@Param("name") String name);

Sensitive Data Exposure

Passwords, tokens, secrets in logs: log.info("Password: {}", password) ❌
Sensitive fields in toString() auto-generated by Lombok ❌ (use @ToString.Exclude)
API keys or credentials hardcoded in source ❌

Missing Authorization Checks

// ❌ Any user can delete any resource
@DeleteMapping("/{id}")
public void delete(@PathVariable Long id) { ... }

// ✅ Check ownership or role
@PreAuthorize("hasRole('ADMIN') or @securityService.isOwner(#id)")
@DeleteMapping("/{id}")
public void delete(@PathVariable Long id) { ... }

Deserialization / Input Trust Issues

Deserializing user-controlled JSON into entities with sensitive fields
Missing @Valid on @RequestBody
Accepting file uploads without type/size validation

🔴 CRITICAL — Correctness

NullPointerException Risks

// ❌ Potential NPE
user.getAddress().getCity().toUpperCase();

// ✅ Safe
Optional.ofNullable(user.getAddress())
    .map(Address::getCity)
    .map(String::toUpperCase)
    .orElse("Unknown");

Transaction Boundaries

// ❌ No @Transactional on method that does multiple DB writes
public void transferFunds(Long fromId, Long toId, BigDecimal amount) {
    accountRepo.debit(fromId, amount);
    accountRepo.credit(toId, amount); // if this fails, money is lost
}

// ✅
@Transactional
public void transferFunds(...) { ... }

Entity Mutability in Collections

Returning mutable internal collections from entities — caller can modify state
Lazy loading outside transaction scope → LazyInitializationException

Equals/HashCode on JPA Entities

Never use Lombok @EqualsAndHashCode on @Entity with all fields
Use only id field for entity equality

🟡 IMPORTANT — Performance

N+1 Query Problem

// ❌ N+1: one query per user's orders
users.forEach(u -> System.out.println(u.getOrders().size()));

// ✅ Fetch join
@Query("SELECT u FROM User u LEFT JOIN FETCH u.orders WHERE u.id IN :ids")
List<User> findAllWithOrders(@Param("ids") List<Long> ids);

Missing Pagination

Any endpoint returning a potentially unbounded list without Pageable ❌

Unnecessary DB Calls

// ❌ Loads full entity just to check existence
if (userRepository.findById(id).isPresent()) { ... }

// ✅
if (userRepository.existsById(id)) { ... }

Stream vs Collection Choice

Using .collect(Collectors.toList()) then immediately streaming again
Using parallel streams without understanding thread-safety implications

🟡 IMPORTANT — Design

Single Responsibility Violation

Service class doing HTTP calls, DB access, business logic, AND email sending
Controller containing business logic

Hardcoded Values

// ❌
if (user.getAge() > 18) { ... }
Thread.sleep(5000);

// ✅
if (user.getAge() > legalAgeRequirement) { ... }
@Value("${app.retry.delay-ms}") private int retryDelayMs;

Magic String / Status Checks

// ❌
if ("ACTIVE".equals(user.getStatus())) { ... }

// ✅
if (UserStatus.ACTIVE == user.getStatus()) { ... }

Tight Coupling

new ConcreteService() instead of injected interface
Static utility class calls that can't be mocked in tests

🟢 STYLE — Code Quality

Naming

Method names should be verbs: calculateTotal(), not total()
Boolean methods: isActive(), hasPermission(), canDelete()
Avoid abbreviations: usr, svc, mgr

Method Length

Flag methods > 20 lines for Extract Method refactoring

Commented-Out Code

Remove all commented-out code before merging (use git history)

Logging Practices

// ❌ String concatenation in log
log.debug("Processing user " + userId + " with status " + status);

// ✅ Parameterized
log.debug("Processing user {} with status {}", userId, status);

Review Output Format

Structure your review as:

## Code Review Summary

### 🔴 Critical Issues (must fix)
- [Issue]: [Explanation] → [Fix]

### 🟡 Important Issues (should fix)
- [Issue]: [Explanation] → [Fix]

### 🟢 Suggestions (nice to have)
- [Suggestion]: [Explanation]

### ✅ What's Done Well
- [Positive observations]

### Overall Assessment
[Production-ready | Needs minor changes | Needs significant work]

Quick Checklist

[ ] No SQL injection or hardcoded credentials
[ ] Sensitive fields excluded from logs and toString
[ ] @Valid on all @RequestBody parameters
[ ] @Transactional on multi-step write operations
[ ] No N+1 query patterns
[ ] Pagination on collection endpoints
[ ] Custom exceptions with meaningful messages
[ ] No raw RuntimeException or Exception catches
[ ] No commented-out code
[ ] No System.out.println in production code

Related Skills

jyjeanne/legacy-circuit-mockups

development

VerifiedTrustedCommunity

Generate breadboard circuit mockups and visual diagrams using HTML5 Canvas drawing techniques. Use when asked to create circuit layouts, visualize electronic component placements, draw breadboard diagrams, mockup 6502 builds, generate retro computer schematics, or design vintage electronics projects. Supports 555 timers, W65C02S microprocessors, 28C256 EEPROMs, W65C22 VIA chips, 7400-series logic gates, LEDs, resistors, capacitors, switches, buttons, crystals, and wires.

1SKILL.mdUpdated Apr 6, 2026

jyjeanne/legacy-circuit-mockups

jyjeanne/lean-ux

development

VerifiedTrustedCommunity

Apply lean thinking to UX: hypothesis-driven design, collaborative sketching, and rapid experiments instead of heavy deliverables. Use when the user mentions "Lean UX", "design hypothesis", "UX experiment", "collaborative design", or "outcome over output". Covers hypothesis statements, MVPs for UX, and cross-functional collaboration. For Build-Measure-Learn, see lean-startup. For usability audits, see ux-heuristics.

1SKILL.mdUpdated Apr 6, 2026

jyjeanne/lean-startup

development

VerifiedTrustedCommunity

Design MVPs, validated learning experiments, and pivot-or-persevere decisions using Build-Measure-Learn. Use when the user mentions "MVP scope", "validated learning", "pivot or persevere", "vanity metrics", or "test assumptions". Covers innovation accounting and actionable metrics. For 5-day prototype testing, see design-sprint. For customer motivation analysis, see jobs-to-be-done.

1SKILL.mdUpdated Apr 6, 2026

jyjeanne/lean-startup

jyjeanne/langsmith

tools

VerifiedTrustedCommunity

Instrument, trace, evaluate, and monitor LLM applications and AI agents with LangSmith. Use when setting up observability for LLM pipelines, running offline or online evaluations, managing prompts in the Prompt Hub, creating datasets for regression testing, or deploying agent servers. Triggers on: langsmith, langchain tracing, llm tracing, llm observability, llm evaluation, trace llm calls, @traceable, wrap_openai, langsmith evaluate, langsmith dataset, langsmith feedback, langsmith prompt hub, langsmith project, llm monitoring, llm debugging, llm quality, openevals, langsmith cli, langsmith experiment, annotate llm, llm judge.

1SKILL.mdUpdated Apr 6, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/jyjeanne/ai-setup-forge.git

# Copy into Claude Code skills folder (global)
cp -r ai-setup-forge/skills/code-review ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

jyjeanne/ai-setup-forge

1 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT