install
source · Clone the upstream repo

```shell
git clone https://github.com/anymouschina/TapCanvas
```

Claude Code · Install into ~/.claude/skills/

```shell
T=$(mktemp -d) && git clone --depth=1 https://github.com/anymouschina/TapCanvas "$T" && mkdir -p ~/.claude/skills && cp -r "$T/apps/agents-cli/skills/code-review" ~/.claude/skills/anymouschina-tapcanvas-code-review && rm -rf "$T"
```
manifest:
apps/agents-cli/skills/code-review/SKILL.md
Code Review Skill
You now have expertise in conducting comprehensive code reviews. Follow this structured approach:
Review Checklist
1. Security (Critical)
Check for:
- Injection vulnerabilities: SQL, command, XSS, template injection
- Authentication issues: Hardcoded credentials, weak auth
- Authorization flaws: Missing access controls, IDOR
- Data exposure: Sensitive data in logs, error messages
- Cryptography: Weak algorithms, improper key management
- Dependencies: Known vulnerabilities (check with `npm audit`, `pip-audit`)

```bash
# Quick security scans
npm audit      # Node.js
pip-audit      # Python
cargo audit    # Rust
# Hardcoded credentials in source
grep -r "password\|secret\|api_key" . --include="*.py" --include="*.js"
```
2. Correctness
Check for:
- Logic errors: Off-by-one, null handling, edge cases
- Race conditions: Concurrent access without synchronization
- Resource leaks: Unclosed files, connections, memory
- Error handling: Swallowed exceptions, missing error paths
- Type safety: Implicit conversions, `any` types
3. Performance
Check for:
- N+1 queries: Database calls in loops
- Memory issues: Large allocations, retained references
- Blocking operations: Sync I/O in async code
- Inefficient algorithms: O(n^2) when O(n) possible
- Missing caching: Repeated expensive computations
4. Maintainability
Check for:
- Naming: Clear, consistent, descriptive
- Complexity: Functions > 50 lines, deep nesting > 3 levels
- Duplication: Copy-pasted code blocks
- Dead code: Unused imports, unreachable branches
- Comments: Outdated, redundant, or missing where needed
5. Testing
Check for:
- Coverage: Critical paths tested
- Edge cases: Null, empty, boundary values
- Mocking: External dependencies isolated
- Assertions: Meaningful, specific checks
Review Output Format
```markdown
## Code Review: [file/component name]

### Summary
[1-2 sentence overview]

### Critical Issues
1. **[Issue]** (line X): [Description]
   - Impact: [What could go wrong]
   - Fix: [Suggested solution]

### Improvements
1. **[Suggestion]** (line X): [Description]

### Positive Notes
- [What was done well]

### Verdict
[ ] Ready to merge
[ ] Needs minor changes
[ ] Needs major revision
```
Common Patterns to Flag
Python
```python
import os
import subprocess

# Bad: SQL injection (query text built from untrusted input)
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
# Good: parameterised query
cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))

# Bad: Command injection (input interpreted by the shell)
os.system(f"ls {user_input}")
# Good: argument list, no shell
subprocess.run(["ls", user_input], check=True)

# Bad: Mutable default argument
def append(item, lst=[]):  # Bug: the same list is shared across calls
    lst.append(item)
    return lst

# Good: create a fresh list per call (explicit None check, so a caller's
# empty list is still appended to rather than silently replaced)
def append(item, lst=None):
    if lst is None:
        lst = []
    lst.append(item)
    return lst
```
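The three Python patterns above can be caught mechanically before a human reads the diff. The following is an added example, not code from the skill or the TapCanvas project: a small `ast`-based checker that flags dynamic strings passed to `execute()` or `os.system()`/`os.popen()` and mutable default arguments. `SAMPLE` is a constructed input that contains each "Bad" form next to its "Good" form.

```python
import ast

# Constructed sample: each flagged pattern followed by its safe counterpart.
SAMPLE = '''
import os, subprocess
def fetch(cursor, user_id):
    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
    cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
def ls(user_input):
    os.system(f"ls {user_input}")
    subprocess.run(["ls", user_input], check=True)
def append(item, lst=[]):
    lst.append(item)
    return lst
def safe_append(item, lst=None):
    return (lst if lst is not None else []) + [item]
'''

SHELL_SINKS = {"system", "popen"}  # assumed sink names, matched by attribute only


def _is_dynamic_string(node):
    """f-string, %-formatting or .format(): the usual way injected text reaches a sink."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def find_flagged_patterns(source):
    """Return sorted (line, message) tuples for the checklist's Python anti-patterns."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.args:
            sink = node.func.attr
            if sink == "execute" and _is_dynamic_string(node.args[0]):
                findings.append((node.lineno, "possible SQL injection: dynamic string passed to execute()"))
            elif sink in SHELL_SINKS and _is_dynamic_string(node.args[0]):
                findings.append((node.lineno, f"possible command injection: dynamic string passed to {sink}()"))
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            for default in node.args.defaults + node.args.kw_defaults:  # kw_defaults may hold None
                if isinstance(default, (ast.List, ast.Dict, ast.Set)):
                    findings.append((node.lineno, f"mutable default argument in {node.name}()"))
    return sorted(findings)


if __name__ == "__main__":
    for line, message in find_flagged_patterns(SAMPLE):
        print(f"line {line}: {message}")
```

The checker is a review aid, not a proof of safety: it only looks at the first argument of a call and cannot see strings assembled earlier in the function.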
JavaScript/TypeScript
```javascript
// Bad: Prototype pollution
Object.assign(target, userInput)
// Good:
Object.assign(target, sanitize(userInput))

// Bad: eval usage
eval(userCode)
// Good: Never use eval with user input

// Bad: Callback hell
getData(x => process(x, y => save(y, z => done(z))))
// Good:
const data = await getData();
const processed = await process(data);
await save(processed);
```
Review Commands
```bash
# Show recent changes
git diff HEAD~5 --stat
git log --oneline -10

# Find potential issues
grep -rn "TODO\|FIXME\|HACK\|XXX" .
grep -rn "password\|secret\|token" . --include="*.py"

# Check complexity (Python)
pip install radon && radon cc . -a

# Check dependencies
npm outdated         # Node
pip list --outdated  # Python
```
Review Workflow
- Understand context: Read PR description, linked issues
- Run the code: Build, test, run locally if possible
- Read top-down: Start with main entry points
- Check tests: Are changes tested? Do tests pass?
- Security scan: Run automated tools
- Manual review: Use checklist above
- Write feedback: Be specific, suggest fixes, be kind