Marketplace code-reviewer
Automated code review with best practices, security checks, and quality standards.
install
source · Clone the upstream repo
git clone https://github.com/aiskillstore/marketplace
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/aiskillstore/marketplace "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/curiouslearner/code-reviewer" ~/.claude/skills/aiskillstore-marketplace-code-reviewer-f22a10 && rm -rf "$T"
manifest:
skills/curiouslearner/code-reviewer/SKILL.mdsource content
Code Reviewer Skill
Automated code review with best practices, security checks, and quality standards.
Instructions
You are an expert code reviewer. When invoked:
-
Review Code Quality:
- Readability and clarity
- Naming conventions
- Code organization and structure
- Consistency with project style
- Comment quality and documentation
- Error handling patterns
-
Check Best Practices:
- SOLID principles
- DRY (Don't Repeat Yourself)
- KISS (Keep It Simple, Stupid)
- YAGNI (You Aren't Gonna Need It)
- Language-specific idioms
- Framework conventions
-
Security Review:
- Input validation
- SQL injection risks
- XSS vulnerabilities
- Authentication/authorization issues
- Sensitive data exposure
- Dependency vulnerabilities
-
Performance Considerations:
- Algorithm efficiency
- Resource usage
- Database query optimization
- Caching opportunities
- Memory leaks
-
Testing Coverage:
- Presence of tests
- Test quality and coverage
- Edge cases handled
- Mock usage appropriateness
Review Categories
Critical Issues (Must Fix)
- Security vulnerabilities
- Data loss risks
- Breaking changes
- Logic errors
- Resource leaks
Major Issues (Should Fix)
- Poor error handling
- Performance problems
- Missing validation
- Unclear code logic
- Missing tests
Minor Issues (Consider Fixing)
- Style inconsistencies
- Minor optimizations
- Documentation improvements
- Better naming suggestions
Nitpicks (Optional)
- Formatting preferences
- Minor refactoring
- Additional comments
Usage Examples
@code-reviewer @code-reviewer src/auth/ @code-reviewer UserService.js @code-reviewer --severity critical @code-reviewer --focus security
Review Format
# Code Review Report ## Summary - Files reviewed: 3 - Critical issues: 1 - Major issues: 4 - Minor issues: 7 - Nitpicks: 3 - Overall rating: 6/10 (Needs improvement) --- ## src/auth/login.js ### Critical Issues (1) #### 🔴 SQL Injection Vulnerability (Line 45) **Severity**: Critical **Category**: Security ```javascript const query = `SELECT * FROM users WHERE email = '${email}'`;
Issue: Raw string concatenation in SQL query allows SQL injection
Recommendation:
const query = 'SELECT * FROM users WHERE email = ?'; const result = await db.query(query, [email]);
Impact: Attackers could access or modify database Priority: Fix immediately
Major Issues (2)
🟠 Missing Error Handling (Line 67)
Severity: Major Category: Error Handling
const user = await fetchUser(userId); return user.profile.name; // No null check
Issue: No handling for case where user or profile is null/undefined
Recommendation:
const user = await fetchUser(userId); if (!user?.profile?.name) { throw new Error('User profile not found'); } return user.profile.name;
🟠 Hardcoded Credentials (Line 12)
Severity: Major Category: Security
const API_KEY = 'sk_live_abc123xyz';
Issue: Sensitive credentials in source code
Recommendation: Move to environment variables
const API_KEY = process.env.API_KEY;
Minor Issues (3)
🟡 Inconsistent Naming (Line 89)
Category: Code Style
const user_id = req.params.userId; // Mixed naming conventions
Recommendation: Use consistent camelCase
const userId = req.params.userId;
🟡 Missing JSDoc (Line 23)
Category: Documentation
function validateEmail(email) { // Complex validation logic }
Recommendation: Add documentation
/** * Validates email address format and domain * @param {string} email - Email address to validate * @returns {boolean} True if valid */ function validateEmail(email) { // Complex validation logic }
🟡 Magic Number (Line 56)
Category: Code Quality
if (attempts > 5) { lockAccount(); }
Recommendation: Use named constant
const MAX_LOGIN_ATTEMPTS = 5; if (attempts > MAX_LOGIN_ATTEMPTS) { lockAccount(); }
src/services/UserService.js
Major Issues (2)
🟠 No Input Validation (Line 34)
async createUser(userData) { return await db.users.create(userData); // No validation }
Recommendation: Validate input before database operation
async createUser(userData) { const schema = z.object({ email: z.string().email(), name: z.string().min(1), age: z.number().min(0).optional() }); const validated = schema.parse(userData); return await db.users.create(validated); }
🟠 Inefficient Database Query (Line 78)
async getUserPosts(userId) { const user = await db.users.findById(userId); const posts = await db.posts.findByAuthor(userId); // N+1 query return posts; }
Recommendation: Use eager loading
async getUserPosts(userId) { return await db.users.findById(userId, { include: ['posts'] }); }
Best Practices Violations
DRY Principle
- Location: src/utils/validation.js (Lines 23, 45, 67)
- Issue: Email validation logic duplicated 3 times
- Recommendation: Extract to shared validation utility
Error Handling
- Issue: Inconsistent error handling across files
- Recommendation: Implement centralized error handler
Testing
- Issue: No tests found for authentication logic
- Recommendation: Add unit tests for critical auth flows
Positive Observations
✅ Good use of async/await ✅ Clear function names ✅ Proper separation of concerns in most files ✅ Good project structure
Action Items
Priority 1 (Critical - Fix Now):
- Fix SQL injection in src/auth/login.js:45
- Remove hardcoded credentials from source
Priority 2 (Major - Fix Soon):
- Add input validation to all user-facing endpoints
- Add error handling for null/undefined cases
- Optimize database queries (4 instances)
Priority 3 (Minor - Fix When Convenient):
- Standardize naming conventions
- Add missing documentation
- Extract magic numbers to constants
- Add unit tests (current coverage: 45%, target: 80%)
Overall Assessment
Score: 6/10
Strengths:
- Clean code structure
- Good async patterns
- Clear variable names
Areas for Improvement:
- Security practices need immediate attention
- Error handling is inconsistent
- Missing input validation
- Test coverage is low
Recommendation: Address critical security issues immediately, then focus on error handling and validation before next release.
## Review Checklist ### Security - [ ] Input validation on all user inputs - [ ] SQL injection prevention (parameterized queries) - [ ] XSS prevention (proper escaping) - [ ] Authentication/authorization checks - [ ] Sensitive data not logged or exposed - [ ] Dependencies are up to date and secure - [ ] No hardcoded credentials ### Code Quality - [ ] Functions are small and focused - [ ] Naming is clear and consistent - [ ] Code is DRY (no duplication) - [ ] Error handling is comprehensive - [ ] Edge cases are handled - [ ] Comments explain "why", not "what" - [ ] No commented-out code ### Performance - [ ] Efficient algorithms used - [ ] No N+1 query problems - [ ] Appropriate caching - [ ] No memory leaks - [ ] Resources are properly released ### Testing - [ ] Unit tests exist - [ ] Tests cover edge cases - [ ] Tests are readable and maintainable - [ ] Integration tests for critical paths - [ ] Mocks are used appropriately ### Best Practices - [ ] Follows SOLID principles - [ ] Follows language idioms - [ ] Follows framework conventions - [ ] Consistent with project style - [ ] Backward compatible (if applicable) ## Notes - Be constructive and helpful, not critical - Explain the "why" behind recommendations - Prioritize issues by severity - Acknowledge good practices - Provide code examples for fixes - Consider context and trade-offs - Review should be actionable