<< All versions
Skill v1.0.1
currentAutomated scan100/100kivo360/omoios/code-review
4 files
──Details
PublishedJune 26, 2026 at 07:31 PM
Content Hashsha256:aa533df5509295b8...
Git SHA65d8f5eff4fd
Bump Typepatch
──Files
Files (1 file, 4.2 KB)
SKILL.md4.2 KBactive
SKILL.md · 156 lines · 4.2 KB
version: "1.0.1" description: Review code for security, quality, and maintainability with structured feedback globs: ["/*.py", "/*.ts", "/*.tsx", "/*.js", "**/*.jsx"]
Code Review
Perform thorough code reviews using this structured approach.
Review Checklist
1. Security (CRITICAL)
- [ ] Injection vulnerabilities: SQL, command, XSS, template injection
- [ ] Authentication: Proper auth checks, secure session handling
- [ ] Authorization: Access control on all sensitive operations
- [ ] Secrets: No hardcoded credentials, API keys, tokens
- [ ] Input validation: All user input validated and sanitized
- [ ] Output encoding: Proper encoding for context (HTML, URL, JS)
2. Logic & Correctness
- [ ] Requirements met: Code implements what was specified
- [ ] Edge cases: Null/empty/boundary conditions handled
- [ ] Error handling: Exceptions caught and handled appropriately
- [ ] Race conditions: Concurrent access handled correctly
- [ ] State management: State transitions are valid
3. Performance
- [ ] N+1 queries: Database queries in loops
- [ ] Memory leaks: Unclosed resources, retained references
- [ ] Unnecessary computation: Repeated calculations, missing caching
- [ ] Blocking operations: Async operations not blocking main thread
- [ ] Large payloads: Response sizes reasonable
4. Maintainability
- [ ] Single responsibility: Each function/class has one purpose
- [ ] DRY: No duplicated code
- [ ] Naming: Clear, descriptive names for variables/functions
- [ ] Comments: Complex logic explained, not obvious code
- [ ] Type hints: Types annotated (Python/TypeScript)
5. Testing
- [ ] Test coverage: New code has tests
- [ ] Test quality: Tests verify behavior, not implementation
- [ ] Edge case tests: Boundary conditions tested
- [ ] Integration tests: System interactions tested
Review Output Format
markdown
## Code Review: {file/component}### Summary{1-2 sentence overall assessment}### 🔴 Critical Issues{Must fix before merge}#### Issue 1: {Title}-**Location**: `file.py:42`-**Problem**: {Description}-**Impact**: {Security/correctness impact}-**Fix**: {Suggested solution}### 🟡 Suggestions{Should consider fixing}#### Suggestion 1: {Title}-**Location**: `file.py:88`-**Current**: {What it does now}-**Suggested**: {Better approach}-**Reason**: {Why this is better}### 🟢 Positive Notes{Good patterns to highlight}-Good use of {pattern} at `file.py:100`-Clear error handling in {function}### Verdict-[ ] ✅ Approve-[ ] 🔄 Request Changes-[ ] 💬 Needs Discussion
Security Patterns to Flag
Python
python
# 🔴 SQL Injectioncursor.execute(f"SELECT * FROM users WHERE id = {user_id}") # BADcursor.execute("SELECT * FROM users WHERE id = ?", (user_id,)) # GOOD# 🔴 Command Injectionos.system(f"ls {user_input}") # BADsubprocess.run(["ls", user_input], check=True) # GOOD# 🔴 Path Traversalopen(f"/data/{user_filename}") # BADsafe_path = Path("/data") / user_filenameif safe_path.resolve().is_relative_to(Path("/data")): # GOODopen(safe_path)
TypeScript/JavaScript
typescript
// 🔴 XSSelement.innerHTML = userInput; // BADelement.textContent = userInput; // GOOD// 🔴 Prototype PollutionObject.assign(target, JSON.parse(userInput)); // BAD// Validate shape before merging// 🔴 SSRFfetch(userProvidedUrl); // BAD// Validate URL against allowlist
Performance Patterns to Flag
python
# 🔴 N+1 Queryfor user in users:orders = db.query(Order).filter(Order.user_id == user.id).all() # BAD# ✅ Eager Loadingusers = db.query(User).options(joinedload(User.orders)).all() # GOOD# 🔴 Repeated Computationfor item in items:expensive = calculate_expensive_thing() # BAD (repeated)process(item, expensive)# ✅ Cache Resultexpensive = calculate_expensive_thing() # GOOD (once)for item in items:process(item, expensive)
Review Commands
bash
# View changes in a PRgit diff main...HEAD# Check specific filegit diff main -- path/to/file.py# View commit historygit log --oneline main..HEAD# Check for secrets (use git-secrets or similar)git secrets --scan