nsheaps/review
plugins/sdlc-utils/skills/review/SKILL.md
Code review practices and quality checks. Use when the user asks to "review code", "review a PR", "code review", "check code quality", "review changes", "score this code", or when evaluating code for merge readiness. Covers review checklists, scoring criteria, feedback conventions, and iterative improvement until quality thresholds are met.
$ install --global
skillsauthnpx skillsauth add nsheaps/ai-mktpl reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 22, 2026, 4:17 PM57.7s1 file scanned
SKILL.md
- name:
- review
- description:
- >
Code Review
Structured code review for evaluating and improving code quality before merge.
Review Categories
Evaluate code across these dimensions, scoring each 0-100:
| Category | What to check | | ----------------- | ------------------------------------------------- | | Simplicity | Is the code as simple as it can be? | | Correctness | Does it do what the spec says? | | Security | Are there vulnerabilities or unsafe patterns? | | Performance | Are there obvious performance issues? | | Maintainability | Can someone else understand and modify this? | | Pattern adherence | Does it follow existing codebase conventions? | | Test coverage | Are changes covered by tests? | | Documentation | Are public APIs and non-obvious logic documented? |
Score Thresholds
| Score | Status | Meaning | | ------ | ------ | --------------------------- | | >= 85% | Pass | Ready to merge | | 70-84% | Warn | Should address before merge | | < 70% | Block | Must address before merge |
Review Workflow
Step 1: Understand Context
- Read the PR description and linked spec/issue
- Understand what the code is supposed to do
- Check the full diff against the base branch (not just latest commit)
Step 2: Review
For each category:
- Examine the relevant code
- Note specific findings with file and line references
- Assign a score
- Provide actionable feedback for anything below 85%
Step 3: Provide Feedback
- Be specific: reference exact lines and files
- Be actionable: say what to change, not just what is wrong
- Assign priority levels to all findings: P0 (critical), P1 (important), P2 (nice-to-have)
- All findings must be listed — none should be silently dismissed
Step 4: Iterate
If scores are below threshold, the author addresses feedback and requests re-review. Repeat until all categories pass.
Verdicts
| Verdict | When | | --------------- | ------------------------------------------------- | | Approve | All categories >= 85%, no P0 or P1 issues | | Comment | Only P2 follow-ups remain | | Request Changes | Any category < 70% or security/correctness issues |
Anti-Patterns
| Anti-Pattern | Instead | | ----------------------- | ------------------------------------------ | | Rubber-stamping | Actually read and evaluate the code | | Nitpicking style only | Focus on substance (correctness, security) | | Vague feedback | Give specific, actionable comments | | Reviewing only the diff | Understand the full context |
External References
- Google Engineering Practices: Code Review
- Conventional Comments
Related Skills
nsheaps/claude-code
tools
VerifiedTrustedCommunity
Reference material for Claude Code internals — the on-disk layout under ~/.claude and project-scope .claude, the plugin cache, session-env propagation, and the full hook lifecycle. Auto-recall when working on Claude-Code-related tasks: writing or debugging hooks, authoring plugins, inspecting session state, troubleshooting why an env var is or isn't visible to a Bash tool call, or when paths under ~/.claude or ~/.claude/plugins/ come up.
3SKILL.mdUpdated May 6, 2026
nsheaps/github-app-token
development
VerifiedTrustedCommunity
Manage GitHub App installation tokens in Claude Code sessions. Use when tokens expire, auth errors occur in long-running sessions, or when setting up GitHub App credentials for agent teams. <example>my github token expired</example> <example>refresh the github app token</example> <example>check token status</example> <example>set up github app authentication for this session</example>
3SKILL.mdUpdated Apr 22, 2026
nsheaps/auto-config
tools
VerifiedTrustedCommunity
Auto-detect project formatting tools and configure edit-utils settings
3SKILL.mdUpdated Apr 22, 2026
nsheaps/op
tools
VerifiedTrustedCommunity
Use this skill when the user asks about 1Password, secrets management, retrieving credentials, using op CLI, service accounts, secret references, vault operations, or any task involving the 1Password CLI (op). Also use when needing to inject secrets into environment variables, read passwords or API keys from 1Password, or manage 1Password items from the command line.
3SKILL.mdUpdated Apr 22, 2026