Code Review Engine
by @1kalin
Enterprise-grade code review agent. Reviews PRs, diffs, or code files for security vulnerabilities, performance issues, error handling gaps, architecture smells, and test coverage. Works with any language, any repo, no dependencies required.
clawhub install afrexai-code-reviewerπ About This Skill
name: afrexai-code-reviewer description: Enterprise-grade code review agent. Reviews PRs, diffs, or code files for security vulnerabilities, performance issues, error handling gaps, architecture smells, and test coverage. Works with any language, any repo, no dependencies required. auto_trigger: false
Code Review Engine
Enterprise-grade automated code review. Works on GitHub PRs, local diffs, pasted code, or entire files. No dependencies β pure agent intelligence.
Quick Start
Review a GitHub PR
Review PR #42 in owner/repo
Review a local diff
Review the staged changes in this repo
Review a file
Review src/auth/login.ts for security issues
Review pasted code
Just paste code and say "review this"Review Framework: SPEAR
Every review follows the SPEAR framework β 5 dimensions, each scored 1-10:
π΄ S β Security (Weight: 3x)
| Check | Severity | Example | |-------|----------|---------| | Hardcoded secrets | CRITICAL | API keys, passwords, tokens in source | | SQL injection | CRITICAL | String concatenation in queries | | XSS vectors | HIGH | Unsanitized user input in HTML/DOM | | Path traversal | HIGH | User input in file paths without validation | | Insecure deserialization | HIGH |eval(), pickle.loads(), JSON.parse on untrusted input |
| Auth bypass | CRITICAL | Missing auth checks on endpoints |
| SSRF | HIGH | User-controlled URLs in server requests |
| Timing attacks | MEDIUM | Non-constant-time string comparison for secrets |
| Dependency vulnerabilities | MEDIUM | Known CVEs in imported packages |
| Sensitive data logging | MEDIUM | PII, tokens, passwords in log output |
| Insecure randomness | MEDIUM | Math.random() for security-sensitive values |
| Missing rate limiting | MEDIUM | Auth endpoints without throttling |π‘ P β Performance (Weight: 2x)
| Check | Severity | Example | |-------|----------|---------| | N+1 queries | HIGH | DB call inside a loop | | Unbounded queries | HIGH |SELECT * without LIMIT on user-facing endpoints |
| Missing indexes (implied) | MEDIUM | Frequent WHERE/ORDER on unindexed columns |
| Memory leaks | HIGH | Event listeners never removed, growing caches |
| Blocking main thread | HIGH | Sync I/O in async context, CPU-heavy in event loop |
| Unnecessary re-renders | MEDIUM | React: missing memo, unstable refs in deps |
| Large bundle imports | MEDIUM | import _ from 'lodash' vs import get from 'lodash/get' |
| Missing pagination | MEDIUM | Returning all records to client |
| Redundant computation | LOW | Same expensive calc repeated without caching |
| Connection pool exhaustion | HIGH | Not releasing DB/HTTP connections |π E β Error Handling (Weight: 2x)
| Check | Severity | Example | |-------|----------|---------| | Swallowed errors | HIGH | Empty catch blocks, Go_ := on error |
| Missing error boundaries | MEDIUM | React components without error boundaries |
| Unchecked null/undefined | HIGH | No null checks before property access |
| Missing finally/cleanup | MEDIUM | Resources opened but not guaranteed closed |
| Generic error messages | LOW | catch(e) { throw new Error("something went wrong") } |
| Missing retry logic | MEDIUM | Network calls without retry on transient failures |
| Panic/exit in library code | HIGH | panic(), os.Exit(), process.exit() in non-main |
| Unhandled promise rejections | HIGH | Async calls without .catch() or try/catch |
| Error type conflation | MEDIUM | All errors treated the same (4xx vs 5xx, retriable vs fatal) |π΅ A β Architecture (Weight: 1.5x)
| Check | Severity | Example | |-------|----------|---------| | God functions (>50 lines) | MEDIUM | Single function doing too many things | | God files (>300 lines) | MEDIUM | Monolithic module | | Tight coupling | MEDIUM | Direct DB calls in request handlers | | Missing abstraction | LOW | Repeated patterns that should be extracted | | Circular dependencies | HIGH | A imports B imports A | | Wrong layer | MEDIUM | Business logic in controllers, SQL in UI | | Magic numbers/strings | LOW | Hardcoded values without named constants | | Missing types | MEDIUM |any in TypeScript, missing type hints in Python |
| Dead code | LOW | Unreachable branches, unused imports/variables |
| Inconsistent patterns | LOW | Different error handling styles in same codebase |π R β Reliability (Weight: 1.5x)
| Check | Severity | Example | |-------|----------|---------| | Missing tests for changes | HIGH | New logic without corresponding test | | Test quality | MEDIUM | Tests that only check happy path | | Missing edge cases | MEDIUM | No handling for empty arrays, null, boundary values | | Race conditions | HIGH | Shared mutable state without synchronization | | Non-idempotent operations | MEDIUM | Retrying could cause duplicates | | Missing validation | HIGH | User input accepted without schema validation | | Brittle tests | LOW | Tests depending on execution order or timing | | Missing logging | MEDIUM | Error paths with no observability | | Configuration drift | MEDIUM | Hardcoded env-specific values | | Missing migrations | HIGH | Schema changes without migration files |Scoring System
Per-Finding Severity
CRITICAL β -3 points from dimension score
HIGH β -2 points
MEDIUM β -1 point
LOW β -0.5 points
INFO β 0 (suggestion only)
Overall SPEAR Score Calculation
Raw Score = (SΓ3 + PΓ2 + EΓ2 + AΓ1.5 + RΓ1.5) / 10
Final Score = Raw Score Γ 10 (scale 0-100)
Verdict Thresholds
| Score | Verdict | Action | |-------|---------|--------| | 90-100 | β EXCELLENT | Ship it | | 75-89 | π’ GOOD | Minor suggestions, approve | | 60-74 | π‘ NEEDS WORK | Address findings before merge | | 40-59 | π SIGNIFICANT ISSUES | Major rework needed | | 0-39 | π΄ BLOCK | Critical issues, do not merge |Review Output Template
Use this structure for every review:
# Code Review: [PR title or file name]Summary
[1-2 sentence overview of what this code does and overall quality]SPEAR Score: [X]/100 β [VERDICT]
| Dimension | Score | Key Finding |
|-----------|-------|-------------|
| π΄ Security | X/10 | [worst finding or "Clean"] |
| π‘ Performance | X/10 | [worst finding or "Clean"] |
| π Error Handling | X/10 | [worst finding or "Clean"] |
| π΅ Architecture | X/10 | [worst finding or "Clean"] |
| π Reliability | X/10 | [worst finding or "Clean"] |
Findings
[CRITICAL/HIGH] π΄ [Title]
File: path/to/file.ts:42
Category: Security
Issue: [What's wrong]
Impact: [What could happen]
Fix:
[lang]
// suggested fix
[MEDIUM] π‘ [Title]
...What's Done Well
[Genuinely good patterns worth calling out] Recommendations
1. [Prioritized action items]
Language-Specific Patterns
TypeScript / JavaScript
any type usage β Architecture findingas type assertions β potential runtime errorconsole.log in production code β Style== instead of === β Reliabilityasync/await error handlinguseEffect missing cleanup returnPython
except: or except Exception: β Error Handlingeval() / exec() β Security CRITICALimport * β Architecture__init__.py type hintsGo
_ := discarding errors β Error Handling HIGHpanic() in library code β Reliability HIGHdefer for resource cleanupinterface{} / any overuseJava
Exception or Throwable β Error Handling@Override annotationsSystem.out.println in productionSQL
SELECT * β PerformanceAdvanced Techniques
Reviewing for Business Logic
Beyond code quality, check:Reviewing for Operability
Reviewing Database Changes
Security Review Depth Levels
| Level | When | What | |-------|------|------| | Quick | Internal tool, trusted input | OWASP Top 10 patterns only | | Standard | User-facing feature | + auth, input validation, output encoding | | Deep | Payment, auth, PII handling | + crypto review, session management, audit logging | | Threat Model | New service/API surface | + attack surface mapping, trust boundaries |Integration Patterns
GitHub PR Review
# Get PR diff
gh pr diff 42 --repo owner/repoGet PR details
gh pr view 42 --repo owner/repo --json title,body,files,commitsPost review comment
gh pr review 42 --repo owner/repo --comment --body "review content"
Local Git Review
# Review staged changes
git diff --cachedReview branch vs main
git diff main..HEADReview last N commits
git log -5 --oneline && git diff HEAD~5..HEAD
Heartbeat / Cron Integration
Check for open PRs in [repo] that I haven't reviewed yet.
For each, run a SPEAR review and post the results as a PR comment.
Edge Cases & Gotchas
<<<<<<< in code means broken merge.Review Checklist (Quick Mode)
For fast reviews when full SPEAR isn't needed:
console.log / print / fmt.Print left inany / interface{})π‘ Examples
Review a GitHub PR
Review PR #42 in owner/repo
Review a local diff
Review the staged changes in this repo
Review a file
Review src/auth/login.ts for security issues