sofer/code-review
skills/code-review/SKILL.md
Review code changes for bugs, security issues, regressions, test gaps, and fit with the stated goal. Use for PRs, branches, commit ranges, staged changes, or files, especially before committing or shipping platform work.
$ install --global
skillsauthnpx skillsauth add sofer/.agents code-reviewInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 1, 2026, 6:40 AM185.4s1 file scanned
SKILL.md
- name:
- code-review
- description:
- Review code changes for bugs, security issues, regressions, test gaps, and fit with the stated goal. Use for PRs, branches, commit ranges, staged changes, or files, especially before committing or shipping platform work.
Code review
Purpose
Provide a fresh, critical review of code changes. Prioritise correctness, security, behavioural regressions, ownership boundaries, and missing tests.
Inputs
Accept any of:
- PR URL or number.
- Branch name.
- Commit range.
- Staged or unstaged local diff.
- File list.
- Spec, plan, or acceptance criteria.
If the goal of the change is unclear, infer from PR text, commit messages, docs, tests, or surrounding code. Ask only if ambiguity affects the review.
Safety
- Reading PRs, diffs, files, and local test results is allowed.
- Do not post GitHub comments, approve, request changes, push, merge, or create PRs without explicit confirmation.
- Do not modify code during a review unless the user explicitly asks for fixes.
- Preserve user work. Do not revert or overwrite unrelated changes.
Review process
- Identify the scope:
- files changed
- intended behaviour
- tests changed or missing
- shared files or boundaries touched
- Inspect repo instructions, especially
AGENTS.md, when reviewing non-trivial work. - Review the diff and relevant surrounding code.
- Check the change against:
- stated goal or acceptance criteria
- existing patterns and interfaces
- security and privacy
- error handling
- data and migration safety
- auth, email, payments, permissions, or production-impacting behaviour
- test coverage and verification quality
- Run or inspect relevant checks when feasible. If checks are not run, state the gap.
- Produce findings ordered by severity.
Platform mode
For ~/code/fac-cra/, always check:
- whether the change stayed inside Distribution or Partners boundaries
- whether shared files were touched and why
- whether the change could disrupt the CTO's fast-moving work
- whether the test harness gives real confidence
- whether end-to-end verification is required for email, auth links, registration, or multi-step flows
Treat unexplained shared-boundary changes as at least important.
Severity
Blocking: must fix before merge, release, or commit. Examples: data loss, security flaw, broken core behaviour, unsafe migration, auth bypass.Important: should fix before shipping unless there is a deliberate tradeoff. Examples: likely bug, weak test harness, brittle integration, unclear shared-boundary impact.Minor: worth considering, but does not block. Examples: small maintainability issue, local naming inconsistency.
Avoid style-only comments unless they create real maintainability or correctness risk.
Output
Lead with findings. If there are no findings, say so clearly.
## Findings
1. [Severity] [Title] - [file:line]
[Why this matters.]
Suggested fix: [Concrete action.]
## Open questions
- [Question that affects correctness, scope, or risk.]
## Verification
- [Checks run or reviewed.]
- [Checks not run and why.]
## Boundary notes
- [For platform work: Distribution/Partners status and shared files touched.]
## Summary
[One or two sentences only.]
GitHub review posting
If the user asks to post review comments:
- Show the exact review body and inline comments first.
- Ask for confirmation.
- Post only after confirmation.
- Keep comments concise and actionable.
- Never include AI-tool attribution.
Related Skills
sofer/agent-config-audit
tools
VerifiedTrustedCommunity
Check whether Claude and Codex have equivalent access to shared agent resources, skills, hooks, plugins, MCP servers, permissions, startup behaviour, and provider-specific adapter config. Use when comparing agent environments, debugging missing capabilities after restart, or deciding whether to symlink a resource or configure a runtime.
4SKILL.mdUpdated May 10, 2026
sofer/skill-usage
testing
VerifiedTrustedCommunity
Record substantive skill use in an append-only local log. Use after choosing or invoking a non-system skill for real work, when a skill is inspected but not used, or when a skill fails to apply. Do not use for routine system skills or incidental file reads.
4SKILL.mdUpdated May 1, 2026
sofer/problem-statement
testing
VerifiedTrustedCommunity
Turn a vague or underspecified request into a self-contained problem statement. Use when the user has a rough idea, when a request would fail if handed directly to an agent, or before non-trivial work that needs shared understanding.
4SKILL.mdUpdated May 1, 2026
sofer/learning
data-ai
VerifiedTrustedCommunity
Append a one-line learning to ~/.agents/learning-log.md. Use when the user types /learning, or when something genuinely worth remembering surfaced during work and the user confirms it should be captured.
4SKILL.mdUpdated May 1, 2026