tranhieutt/code-review-checklist
.claude/skills/code-review-checklist/SKILL.md
Provides a comprehensive code review checklist for pull requests covering security, performance, maintainability, and testing. Use as a reference during code reviews or when the user asks for a review checklist.
$ install --global
skillsauthnpx skillsauth add tranhieutt/software_development_department code-review-checklistInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 15, 2026, 11:48 PM18.6s1 file scanned
SKILL.md
- name:
- code-review-checklist
- description:
- Provides a comprehensive code review checklist for pull requests covering security, performance, maintainability, and testing. Use as a reference during code reviews or when the user asks for a review checklist.
- allowed-tools:
- Read, Glob, Grep, Bash
- argument-hint:
- [file path or PR number]
- user-invocable:
- true
- effort:
- 3
- when_to_use:
- Quick self-check before committing, when a full review is not needed
Code Review Checklist
Pre-review (always start here)
- [ ] Read PR description and linked issue — understand the why
- [ ] Check CI passes before spending time on review
- [ ] Pull branch locally if logic is complex
Functionality
- [ ] Solves stated problem and meets acceptance criteria
- [ ] Edge cases: null/empty inputs, concurrent calls, network failure
- [ ] Error handling: errors caught, message doesn't expose internals
- [ ] No off-by-one, loop termination, or race conditions
Security (block if any fail)
- [ ] No SQL injection — use parameterized queries, not string concat
- [ ] No XSS — escape all user-controlled output in DOM
- [ ] No hardcoded secrets — use environment variables
- [ ] Authentication required on all protected routes
- [ ] Authorization checks presence AND ownership (not just auth)
- [ ] File uploads validated: type, size, content
// ❌ SQL injection
const q = `SELECT * FROM users WHERE email = '${email}'`;
// ✅ Parameterized
db.query("SELECT * FROM users WHERE email = $1", [email]);
// ❌ Hardcoded secret
const KEY = "sk_live_abc123";
// ✅ Env variable
const KEY = process.env.API_KEY;
if (!KEY) throw new Error("API_KEY is required");
Performance
- [ ] No N+1 queries — check ORM calls inside loops
- [ ] Database queries use indexes for filter/sort columns
- [ ] No unbounded queries — always paginate or limit
- [ ] No blocking main thread with sync I/O (Node.js)
- [ ] Caching used for repeated expensive operations
Code quality
- [ ] Names describe intent (
calculateTotalPricenotcalc) - [ ] Functions have single responsibility (< ~30 lines is a signal)
- [ ] No dead code or commented-out blocks
- [ ] DRY — no copy-paste of more than 3 lines
- [ ] Follows existing project conventions and patterns
Tests
- [ ] New behavior has test coverage
- [ ] Happy path + at least 1 failure/edge case tested
- [ ] Tests use real assertions, not just "doesn't throw"
- [ ] No brittle tests that break on unrelated changes
Documentation
- [ ] Complex logic has
// whycomment (not// what) - [ ] Public API changes documented
- [ ] Breaking changes documented in CHANGELOG or PR body
Review comment format
**Issue:** [What's wrong]
**Current:** `problematic code`
**Suggested:** `improved code`
**Why:** [reason]
Verdict
- APPROVED — all sections pass
- APPROVED WITH CONDITIONS — minor items, non-blocking
- CHANGES REQUIRED — blocking security, correctness, or test coverage issues
Output: checklist score (X/Y passing) + blocking items with file:line refs + verdict
Related Skills
tranhieutt/visual-engineer
testing
VerifiedTrustedCommunity
Generates high-fidelity architecture diagrams, sequence flows, and component maps for SDD projects. Use when finalizing a design phase, documenting system architecture, or visualizing agentic workflows. Default style: Style 6 (Claude Official).
60SKILL.mdUpdated Apr 15, 2026
tranhieutt/vector-database-engineer
data-ai
VerifiedTrustedCommunity
Provides vector database and semantic search patterns for Pinecone, Weaviate, Qdrant, Milvus, and pgvector in RAG and recommendation systems. Use when implementing vector search or when the user mentions vector database, semantic search, embeddings, or similarity search.
60SKILL.mdUpdated Apr 15, 2026
tranhieutt/update-codemap
development
VerifiedTrustedCommunity
Updates docs/technical/CODEMAP.md by scanning the current codebase structure. Run after a significant feature merge, refactor, or when CODEMAP feels stale.
60SKILL.mdUpdated Apr 15, 2026
tranhieutt/unfreeze
development
VerifiedTrustedCommunity
Unlocks the codebase after a release freeze or incident freeze period to resume normal development. Use when a freeze period ends or when the user mentions unfreezing or lifting the code freeze.
60SKILL.mdUpdated Apr 15, 2026