agentskills.codes
CO

Systematic code review for correctness, security, and growth — not just style enforcement

Install

mkdir -p .claude/skills/code-review-fabioc-aloha && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/15083" && unzip -o skill.zip -d .claude/skills/code-review-fabioc-aloha && rm skill.zip

Installs to .claude/skills/code-review-fabioc-aloha

Activation

This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.

Systematic code review for correctness, security, and growth — not just style enforcement
89 charsno explicit “when” trigger

About this skill

<!-- intentional divergence from Supervisor: Edition omits the two Supervisor-specific checklist items ("every export called by production", "filter-style guards have test data") that reference Supervisor-only mutation-testing skill. Heirs don't ship mutation-testing. Audited 2026-05-31. -->

Code Review Skill

Good reviews catch bugs. Great reviews teach the author something.

Review Priority (What Matters Most)

  1. Correctness — Does it do what it's supposed to?
  2. Security — Can it be exploited?
  3. Maintainability — Will the next person understand this?
  4. Performance — Will it scale?
  5. Style — Is it consistent? (ideally enforced by linters, not humans)

3-Pass Review

PassFocusWhat You're Looking ForTime
1. OrientationBig pictureDoes the approach make sense? Is the scope right? Over-engineered?2-3 min
2. LogicDeep readEdge cases, null handling, error paths, concurrency, off-by-one10-15 min
3. PolishSurfaceNaming, duplication, test coverage, docs3-5 min

Pass 1 shortcut: Read the PR description and test names first. They reveal intent faster than code.

Comment Prefixes

PrefixMeaningAuthor Response
[blocking]Must fix before mergeFix it
[suggestion]Better approach existsConsider it, explain if declining
[question]I don't understandClarify (in code, not just in reply)
[nit]Trivial style issueFix if easy, skip if not
[praise]This is well doneAppreciate it

Good vs Bad Comment Examples

BadWhyGood
"This is confusing"Vague, unhelpful"[suggestion] This nested ternary is hard to follow. Consider extracting to a named function like isEligibleForDiscount()."
"Fix this"No context"[blocking] This accepts user input without sanitization. Use escapeHtml() before rendering."
"Why?"Sounds hostile"[question] What's the motivation for the custom sort here vs Array.sort()? Is there a performance concern?"
"LGTM" (on 500-line PR)Rubber stamp"Pass 1: Approach looks right. Pass 2 comments below. Pass 3: naming is clean."

Review Checklist

Security

  • No secrets, tokens, or API keys in code
  • User input validated/sanitized before use
  • Auth checks on protected endpoints
  • No SQL/command injection vectors
  • Sensitive data not logged

Logic

  • Edge cases handled (empty input, null, boundary values)
  • Error paths return meaningful messages
  • Async operations have timeout/cancellation
  • State changes are atomic (no partial updates)
  • All new branches have test coverage

Quality

  • Tests cover the changed behavior, not just the changed lines
  • No debug code (console.log, TODO-hacks)
  • Public API changes documented
  • Backward compatibility considered

Architecture

  • Change is in the right layer (not business logic in the controller)
  • New dependencies justified
  • No unnecessary coupling introduced

Anti-Patterns

Anti-PatternWhat HappensInstead
Rubber-stampBugs shipActually read Pass 1-3
BikesheddingHours on naming, ignore logic bugsSpend 80% on Pass 2
GatekeepingReviewees dread PRsTeach, don't block
Week-long queuePRs go stale, conflicts pile upReview within 4 hours, merge within 24
Style warsTeam frictionAutomate style (ESLint, Prettier, etc.)
Everything-is-blockingAuthor overwhelmedUse prefix system honestly

Mission-Critical Review (NASA Standards)

For safety-critical projects, apply NASA/JPL Power of 10 rules during review:

Blocking Violations (Must Fix)

RuleCheck ForDetection
R1Recursive function without maxDepth parametergrep -rn "function.*\(" | xargs grep -l "walk|traverse|recurse"
R2while loop without iteration counterManual review of all while statements
R3Unbounded array growthpush() in loops without size checks

High Priority (Strong Recommendation)

RuleCheck ForDetection
R4Function > 60 linesLine count per function
R5Missing entry assertionsPublic functions without precondition checks
R8Nesting > 4 levelsVisual inspection of indentation

Medium Priority (Consider)

RuleCheck ForDetection
R6Variable declared far from useManual review
R7Unchecked return valuesgrep for ignored returns
R9Deep property access without ?.obj.prop.prop.prop chains
R10Compiler warningsBuild output

Trigger: User mentions "mission-critical", "NASA standards", "high reliability", or "safety-critical"

Review Timing

PR SizeExpected Review TimeIf Larger
< 100 lines< 30 min
100-400 lines30-60 minIdeal size
400+ lines60+ minAsk author to split
1000+ linesDon'tRefuse; request breakdown

Extension Audit Methodology (VS Code Extensions)

When: Before release, after major refactoring, or on quality concerns

Scope: Multi-dimensional code quality analysis beyond standard code review

5-Dimension Audit Framework

DimensionFocusTools/MethodsOutput
Debug & LoggingConsole statements, debug codegrep -r "console\\.log|console\\.debug"Categorize: legitimate vs removable
Dead CodeUnused imports, orphaned files, broken refsTypeScript compilation + manual scanList dead commands, UI, dependencies
PerformanceBlocking I/O, sync operations, bottlenecksgrep -r "Sync\(" src/, profilingAsync refactoring candidates
Menu ValidationAll commands/buttons workManual testing + error logsBroken commands, missing handlers
DependenciesUnused packages, leftover referencespackage.json vs import analysisRemovable dependencies

Audit Report Template

## Executive Summary
- Console statements: X remaining (Y legitimate, Z removable)
- Dead code: [commands/UI/dependencies list]
- Performance: [blocking operations count]
- Menu validation: [working/broken ratio]

## Recommendations
1. [Category]: [Issue] → [Action] (Priority: Critical/High/Medium)
2. [Category]: [Issue] → [Action] (Priority: Critical/High/Medium)

Console Statement Categorization

CategoryKeep?Examples
Enterprise complianceAudit logs, security events, GDPR actions
User feedbackTTS status, long-running ops, critical errors
Debug noiseSetup verbosity, migration logs, info messages
Development artifacts"Entering function X", temporary debugging

Performance Red Flags

  • Synchronous file I/O in UI thread: fs.readFileSync, fs.existsSync, fs.readdirSync
    • Fix: Convert to fs-extra async: await fs.readFile, await fs.pathExists, await fs.readdir
  • Blocking operations in activation: Heavy computation before extension ready
    • Fix: Defer to background, show loading state, or lazy-load
  • Serial operations that could be parallel: Sequential awaits for independent tasks
    • Fix: Promise.all([op1(), op2(), op3()])

Dead Code Detection Pattern

  1. Scan command registrations: vscode.commands.registerCommand('command.id', ...)
  2. Scan UI references: Search HTML/views for command IDs
  3. Cross-check: Commands in UI but not registered = broken; registered but unused = dead
  4. Verify disposables: Removed commands should have disposable cleanup too

Post-Audit Verification

  • TypeScript compiles: npm run compile → exit 0
  • No orphaned imports: All imports resolve
  • Version aligned: package.json, CHANGELOG, copilot-instructions match
  • Smoke test: Extension activates, 3 random commands work

Pattern applies to: VS Code extensions, Electron apps, Node.js services with UI

Would Revise If

Revise if reviews repeatedly miss security or correctness defects that adversarial review (deep-review skill) catches on the same PR, or if the 3-pass model produces consistent false-positive [blocking] comments that authors reasonably decline.

Search skills

Search the agent skills registry