skills/team/automated-code-review/SKILL.md
Systematic review execution engine -- transforms structured human review coaching patterns into autonomous review checklists with pass/fail gates, convention detection, and structured finding production. Use when running autonomous code reviews to ensure systematic coverage and consistent quality.
Install: `npx skillsauth add michaelalber/ai-toolkit automated-code-review` (works with Claude Code, Cursor, and Windsurf).
"Inspection at the source is called prevention. Inspection after the fact is called sorting." -- W. Edwards Deming
Code review coaching teaches humans how to review; automated code review teaches agents how to execute reviews systematically — the difference between a textbook and a manufacturing process. This skill converts the CACR (Challenge-Attempt-Compare-Reflect) coaching framework into an execution framework: systematic checklists with explicit pass/fail gates that prevent superficial reviews, and convention detection that calibrates findings to the project's own standards rather than abstract ideals. A coaching skill teaches a human to ask "did I check error handling?"; this skill tells the agent exactly HOW — enumerate every fallible call, verify each has an error path, verify the path handles rather than swallows, verify the message carries diagnostic context.
It does NOT teach review principles — it assumes those from code-review-coach and
security-review-trainer. It provides the operational framework: checklists, gates, convention
detection, and structured output that turn review knowledge into consistent execution.
Non-Negotiable Constraints:
Full principle table, knowledge-base grounding, detailed phase gates, the finding pipeline, and the
minimum checklists live in references/conventions.md.
| Phase | Actions | Gate |
|-------|---------|------|
| SCAN | Define scope; enumerate files with languages; detect project conventions (procedures in references/convention-detection.md). | Scope defined, conventions detected, ≥3 files sampled. |
| ANALYZE | Read each file completely. Run all five category checklists per file (floor in conventions.md; detail in review-checklist-engine.md). Record findings via the finding pipeline. | Every file analyzed, every category checked, every finding has evidence + severity + false-positive check. |
| SYNTHESIZE | De-duplicate, cross-reference, rank by severity, group into themes. | Consolidated list false-positive reviewed. |
| REPORT | Produce structured output (templates in references/output-templates.md). | Every finding has evidence/category/severity/fix; ordered critical-first; positives + stats included. |
Exit criteria: all five categories evaluated for every in-scope file against detected conventions; every finding evidenced and severity-justified; false positives filtered; structured report produced with positive observations and statistics.
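As an added illustration of the ANALYZE-phase procedure above (enumerate the fallible sites, verify an error path exists, verify it handles rather than swallows, verify diagnostic context survives), here is a small Python check that walks a module's try/except handlers and emits findings in the evidence/category/severity/fix shape the gates require, together with the false-positive count and the per-severity tally that the review state block tracks. This is example code written for this page, not part of the skill or its reference files. The severity assignments (H for an all-catching swallow, M for a specific-type swallow or a context-dropping re-raise), the false-positive rule (a specific exception answered with an explicit fallback return is a deliberate default path), and the sample module it scans are all this example's own assumptions.

```python
# Added example (not the skill's code): run the error-handling checklist over a
# module's try/except handlers. Severity and false-positive rules are assumptions.
import ast
from collections import Counter, namedtuple

LOG_METHODS = {"debug", "info", "warning", "error", "exception", "critical"}
Finding = namedtuple("Finding", "file line category severity evidence fix")

# Constructed sample: a swallow, a context-dropping re-raise, a correct handler,
# and a deliberate fallback that the false-positive check should clear.
SAMPLE_SOURCE = '''
import json, logging
log = logging.getLogger(__name__)

def load_config(path):
    try:
        return json.load(open(path))
    except Exception:
        pass

def parse_payload(raw):
    try:
        return json.loads(raw)
    except ValueError:
        raise RuntimeError("bad payload")

def fetch(client, url):
    try:
        return client.get(url)
    except ConnectionError as exc:
        log.error("fetch failed for %s: %s", url, exc)
        raise

def load_optional(path):
    try:
        return json.load(open(path))
    except FileNotFoundError:
        return {}
'''

def _names_used(stmts):
    """Identifiers and attribute names referenced anywhere in a handler body."""
    return {n.id if isinstance(n, ast.Name) else n.attr
            for s in stmts for n in ast.walk(s) if isinstance(n, (ast.Name, ast.Attribute))}

def _catches_everything(handler):
    """Bare except, or a clause naming Exception/BaseException."""
    types = [] if handler.type is None else getattr(handler.type, "elts", [handler.type])
    return handler.type is None or any(
        isinstance(t, ast.Name) and t.id in {"Exception", "BaseException"} for t in types)

def check_handler(handler, filename, line_text):
    """Checklist for one except clause -> (Finding or None, is_false_positive)."""
    body, where = handler.body, f"{filename}:{handler.lineno}: {line_text}"
    used = _names_used(body)
    handled = bool(used & LOG_METHODS) or (handler.name is not None and handler.name in used)
    raises = [n for s in body for n in ast.walk(s) if isinstance(n, ast.Raise)]
    if raises:
        # Bare `raise` or `raise X from exc` keeps the original; a fresh exception
        # with no `from`, no logging and no use of the original drops context.
        if handled or any(r.exc is None or r.cause is not None for r in raises):
            return None, False
        return Finding(filename, handler.lineno, "error-handling", "M",
                       where + " -> new exception raised without `from`; original traceback lost",
                       "Chain with `raise NewError(...) from exc` or log the original first"), False
    if handled:
        return None, False
    # False-positive check: a specific exception answered with an explicit non-None
    # fallback value is a deliberate default path, not a swallow.
    fallback = any(isinstance(s, ast.Return) and s.value is not None
                   and not (isinstance(s.value, ast.Constant) and s.value.value is None)
                   for s in body)
    if fallback and not _catches_everything(handler):
        return None, True
    severity = "H" if _catches_everything(handler) else "M"
    return Finding(filename, handler.lineno, "error-handling", severity,
                   where + " -> exception discarded: no logging, re-raise or use of it",
                   "Handle the specific failure with context, or let it propagate"), False

def analyze_source(source, filename):
    """Every handler in the module -> (findings sorted by line, false positives filtered)."""
    lines, findings, filtered = source.splitlines(), [], 0
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Try):
            for handler in node.handlers:
                finding, is_fp = check_handler(handler, filename, lines[handler.lineno - 1].strip())
                filtered += is_fp
                if finding:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f.line), filtered

def summarize(findings):
    """Severity tally in the C/H/M/L/Nit shape the review state block reports."""
    return dict(Counter(f.severity for f in findings))

if __name__ == "__main__":
    found, fp_count = analyze_source(SAMPLE_SOURCE, "sample.py")
    for f in found:
        print(f"[{f.severity}] {f.evidence}\n    fix: {f.fix}")
    print("severity counts:", summarize(found), "| false positives filtered:", fp_count)
```

Run as a script it reports the swallow in `load_config` as H and the context-dropping re-raise in `parse_payload` as M, clears `fetch` because the handler logs the exception and re-raises, and counts `load_optional` as one filtered false positive. Findings come out in source order here; ranking critical-first and grouping into themes belongs to the SYNTHESIZE and REPORT phases, not to the per-file check.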
<automated-review-state>
phase: SCAN | ANALYZE | SYNTHESIZE | REPORT | COMPLETE
scope: [diff | files | directory | PR]
conventions_detected: true | false
files_total: [N]
files_analyzed: [N]
findings: [count by severity — C/H/M/L/Nit]
false_positives_filtered: [N]
last_action: [description]
next_action: [description]
</automated-review-state>
Reference files:
- references/output-templates.md
- references/review-checklist-engine.md
- references/convention-detection.md
- references/conventions.md

| Skill | Relationship |
|-------|-------------|
| code-review-coach | Provides the review rubric, scoring methodology, and category definitions this skill operationalizes. Coach teaches what to look for; this skill ensures nothing is skipped. |
| security-review-trainer | Provides deep security patterns and OWASP mapping. The security checklist here is a minimum; the trainer expands it with level-appropriate subtlety. |
| pr-feedback-writer | Shapes how findings are communicated. After this skill produces findings, pr-feedback-writer frames them as constructive, actionable PR comments. |
Other skills listed on this page (category in brackets):
- [development] Federal / government security overlay applied ON TOP OF a base language security review (dotnet/python/php/rust/react). Language-agnostic: adds NIST SP 800-53 control mapping, FIPS 140-2/3 cryptographic compliance (with a per-language crypto table), CUI handling, EO 14028 supply-chain requirements, and DOE Order 205.1B, and emits POA&M-ready findings with FIPS 199 impact levels. Use for federal/DOE/DOD/national-laboratory systems. Triggers on "federal security review", "NIST compliance", "NIST 800-53", "FISMA", "CUI", "FIPS audit", "DOE security", "POA&M", "ATO review". Do NOT use alone: run the matching <lang>-security-review FIRST; this overlay maps and extends it.
- [tools] OWASP-based security review of React / TypeScript front-end applications. Detects the framework (Vite/CRA/Next), entry points, and data flows, scans against the OWASP Top 10 (2025) mapped to React client-side patterns (XSS via raw HTML, URL/protocol injection, secrets in the bundle, insecure token storage, dependency CVEs, missing CSP, open redirects), and produces a manager-friendly executive summary plus a graded technical findings table. Use to audit React code for vulnerabilities. Triggers on "react security review", "frontend security audit", "audit react for vulnerabilities", "owasp react", "react xss", "react security posture", "npm audit review". For federal / gov / DOE / NIST / FIPS / CUI context, run security-review-federal after this base review. Do NOT use to grade architecture/structure; use react-architecture-checklist for that.
- [tools] Analyzes legacy React codebases and produces actionable modernization plans. Primary migration paths include class components to function components + hooks, Create React App to Vite, React 16/17 to 18 to 19, JavaScript to TypeScript, Enzyme to React Testing Library, legacy Redux to Redux Toolkit / Zustand / Context, and deprecated lifecycle/API removal. Does NOT perform the migration; it assesses, quantifies risk, and plans. Triggers on phrases like "modernize react", "class to hooks", "upgrade react", "migrate CRA to vite", "react legacy migration", "react 17 to 18", "react js to typescript", "react technical debt", "enzyme to RTL".
- [development] Scaffolds feature-based React / TypeScript architecture using feature folders, presentational + container components, custom hooks, a typed data layer, and structural CQRS (query hooks vs mutation hooks). React analog of dotnet-vertical-slice and python-feature-slice: no DI framework; uses props/context for dependency injection and a query cache for server state. Use when creating feature-based React projects, adding React features, organizing components by feature rather than by technical type, or scaffolding a feature's data layer. Triggers on phrases like "scaffold react feature", "create react slice", "react feature folder", "react vertical slice", "add react feature", "react feature architecture", "organize react by feature".